
Windows Analysis Report
GQKWopXj7S.exe

Overview

General Information

Sample name: GQKWopXj7S.exe (renamed because the original name is a hash value)
Original sample name: 18c73f64f2a8ec8f4132cd796a008976efbf478cb567ba3be7bdbdf5d1ecf5a8.exe
Analysis ID: 1631848
MD5: 5a78fa2ee20313ccd9faa77288393ccb
SHA1: c962c7f90bc86c7b0bfea56389a673dcb26c7e71
SHA256: 18c73f64f2a8ec8f4132cd796a008976efbf478cb567ba3be7bdbdf5d1ecf5a8
Tags: exe, user-adrian__luca

Detection

AgentTesla
Score: 100 (range: 0 - 100)
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • GQKWopXj7S.exe (PID: 6796 cmdline: "C:\Users\user\Desktop\GQKWopXj7S.exe" MD5: 5A78FA2EE20313CCD9FAA77288393CCB)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.energytulcea.ro", "Username": "verstorfile@energytulcea.ro", "Password": "UW4)TWrE$dbY"}
Source | Rule | Description | Author | Strings
Source: 00000000.00000002.2507162380.00000000070C0000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000002.2507162380.00000000070C0000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.2507162380.00000000070C0000.00000004.08000000.00040000.00000000.sdmp | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen | Strings:
  • 0x34891:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x34903:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3498d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x34a1f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x34a89:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x34afb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x34b91:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x34c21:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 00000000.00000002.2505028154.0000000003A71000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000002.2505028154.0000000003A71000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source | Rule | Description | Author | Strings
Source: 0.2.GQKWopXj7S.exe.70c0000.3.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.2.GQKWopXj7S.exe.70c0000.3.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.2.GQKWopXj7S.exe.70c0000.3.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen | Strings:
  • 0x32a91:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x32b03:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x32b8d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x32c1f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x32c89:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x32cfb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x32d91:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x32e21:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.GQKWopXj7S.exe.70c0000.3.raw.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.2.GQKWopXj7S.exe.70c0000.3.raw.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
No Sigma rule has matched
No Suricata rule has matched



AV Detection

Source: GQKWopXj7S.exe | Avira: detected
Source: 0.2.GQKWopXj7S.exe.3ab5990.1.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.energytulcea.ro", "Username": "verstorfile@energytulcea.ro", "Password": "UW4)TWrE$dbY"}
Source: GQKWopXj7S.exe | Virustotal: Detection: 69%
Source: GQKWopXj7S.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: GQKWopXj7S.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: GQKWopXj7S.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: BjGx.pdb | source: GQKWopXj7S.exe
Source: Binary string: BjGx.pdbSHA256 | source: GQKWopXj7S.exe
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1 208.95.112.1
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: GQKWopXj7S.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: GQKWopXj7S.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: GQKWopXj7S.exe, 00000000.00000002.2503533587.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, GQKWopXj7S.exe, 00000000.00000002.2503533587.0000000002B38000.00000004.00000800.00020000.00000000.sdmp, GQKWopXj7S.exe, 00000000.00000002.2503533587.0000000002B4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: GQKWopXj7S.exe, 00000000.00000002.2503533587.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, GQKWopXj7S.exe, 00000000.00000002.2503533587.0000000002B38000.00000004.00000800.00020000.00000000.sdmp, GQKWopXj7S.exe, 00000000.00000002.2505028154.0000000003A71000.00000004.00000800.00020000.00000000.sdmp, GQKWopXj7S.exe, 00000000.00000002.2507162380.00000000070C0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: GQKWopXj7S.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: GQKWopXj7S.exe, 00000000.00000002.2503533587.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, GQKWopXj7S.exe, 00000000.00000002.2503533587.0000000002B38000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GQKWopXj7S.exe | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: GQKWopXj7S.exe, 00000000.00000002.2505028154.0000000003A71000.00000004.00000800.00020000.00000000.sdmp, GQKWopXj7S.exe, 00000000.00000002.2507162380.00000000070C0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: GQKWopXj7S.exe | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.GQKWopXj7S.exe.3ab5990.1.raw.unpack, cPKWk.cs | .Net Code: _00D8VK
Source: 0.2.GQKWopXj7S.exe.70c0000.3.raw.unpack, cPKWk.cs | .Net Code: _00D8VK
Source: 0.2.GQKWopXj7S.exe.3a79970.0.raw.unpack, cPKWk.cs | .Net Code: _00D8VK

System Summary

Source: 0.2.GQKWopXj7S.exe.70c0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.GQKWopXj7S.exe.70c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.GQKWopXj7S.exe.3ab5990.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.GQKWopXj7S.exe.3ab5990.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.GQKWopXj7S.exe.3a79970.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.GQKWopXj7S.exe.3a79970.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2507162380.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Code function: 0_2_01083E40
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Code function: 0_2_01086F98
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Code function: 0_2_0108DE6C
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Code function: 0_2_028E2410
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Code function: 0_2_06F39728
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Code function: 0_2_06F392F0
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Code function: 0_2_06F38E85
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Code function: 0_2_06F3AE00
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Code function: 0_2_06F3A9C8
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Code function: 0_2_0721CA20
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Code function: 0_2_07214EC8
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Code function: 0_2_07218438
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Code function: 0_2_0721BC78
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Code function: 0_2_07210040
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Code function: 0_2_07210C58
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Code function: 0_2_07210388
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Code function: 0_2_0721DAD8
Source: GQKWopXj7S.exe, 00000000.00000000.1259322114.000000000069E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBjGx.exeB vs GQKWopXj7S.exe
Source: GQKWopXj7S.exe, 00000000.00000002.2507494971.0000000007790000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs GQKWopXj7S.exe
Source: GQKWopXj7S.exe, 00000000.00000002.2503533587.0000000002A71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs GQKWopXj7S.exe
Source: GQKWopXj7S.exe, 00000000.00000002.2506229379.00000000054C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs GQKWopXj7S.exe
Source: GQKWopXj7S.exe, 00000000.00000002.2501540677.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs GQKWopXj7S.exe
Source: GQKWopXj7S.exe, 00000000.00000002.2505028154.0000000003A71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2ef0ab37-7f3e-4594-af6b-a038ff0febc5.exe4 vs GQKWopXj7S.exe
Source: GQKWopXj7S.exe, 00000000.00000002.2507162380.00000000070C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename2ef0ab37-7f3e-4594-af6b-a038ff0febc5.exe4 vs GQKWopXj7S.exe
Source: GQKWopXj7S.exe | Binary or memory string: OriginalFilenameBjGx.exeB vs GQKWopXj7S.exe
Source: GQKWopXj7S.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.GQKWopXj7S.exe.70c0000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.GQKWopXj7S.exe.70c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.GQKWopXj7S.exe.3ab5990.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.GQKWopXj7S.exe.3ab5990.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.GQKWopXj7S.exe.3a79970.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.GQKWopXj7S.exe.3a79970.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2507162380.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: GQKWopXj7S.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.GQKWopXj7S.exe.3ab5990.1.raw.unpack, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.GQKWopXj7S.exe.3ab5990.1.raw.unpack, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.GQKWopXj7S.exe.3ab5990.1.raw.unpack, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.GQKWopXj7S.exe.3ab5990.1.raw.unpack, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.GQKWopXj7S.exe.3ab5990.1.raw.unpack, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.GQKWopXj7S.exe.3ab5990.1.raw.unpack, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.GQKWopXj7S.exe.3ab5990.1.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, kCtW2ldAEV6qDsFo0b.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, kCtW2ldAEV6qDsFo0b.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, kCtW2ldAEV6qDsFo0b.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, CM9ccjlVnUeJlxeSTY.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, CM9ccjlVnUeJlxeSTY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Mutant created: NULL
Source: GQKWopXj7S.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GQKWopXj7S.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: GQKWopXj7S.exe, 00000000.00000002.2503533587.0000000002B80000.00000004.00000800.00020000.00000000.sdmp, GQKWopXj7S.exe, 00000000.00000002.2503533587.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: GQKWopXj7S.exe | Virustotal: Detection: 69%
Source: GQKWopXj7S.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\GQKWopXj7S.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: GQKWopXj7S.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: GQKWopXj7S.exe | Static file information: File size 83886080 > 1048576
Source: GQKWopXj7S.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: GQKWopXj7S.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: BjGx.pdb | source: GQKWopXj7S.exe
Source: Binary string: BjGx.pdbSHA256 | source: GQKWopXj7S.exe

Data Obfuscation

                  Source: GQKWopXj7S.exe, Form3.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.GQKWopXj7S.exe.54c0000.2.raw.unpack, .cs.Net Code: System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, kCtW2ldAEV6qDsFo0b.cs.Net Code: KY1HbcXelp System.Reflection.Assembly.Load(byte[])
                  Source: GQKWopXj7S.exeStatic PE information: 0xD00D42C9 [Sat Aug 10 15:39:53 2080 UTC]
                  Source: C:\Users\user\Desktop\GQKWopXj7S.exeCode function: 0_2_06F36E2A push eax; ret 0_2_06F36E31
                  Source: C:\Users\user\Desktop\GQKWopXj7S.exeCode function: 0_2_06F3BF1D pushad ; ret 0_2_06F3BF20
                  Source: C:\Users\user\Desktop\GQKWopXj7S.exeCode function: 0_2_06F379F8 push eax; retf 0_2_06F37A01
                  Source: GQKWopXj7S.exeStatic PE information: section name: .text entropy: 7.779851448300801
                  Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, jVhtRnXZc1UunVsU6O.csHigh entropy of concatenated method names: 'Tawb3uMxw', 'myGJxoALm', 'zisRtcMfx', 'cTHTlDaE4', 'T3f2rcxCQ', 'lmGfry0nC', 'ojf8e5dali6hQPaufv', 'EiG7DpGH3PMChef1eA', 'GWulj7IoW', 'kAEsvUiNQ'
                  Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, xr2UG0aXHrZnHCQd39.csHigh entropy of concatenated method names: 'TOmwJhGNd4', 'ljxwR3GH9s', 'dRUwctFEnu', 'JKBw23G6KK', 'iYJwCyV9Np', 'QFJwuqF2V8', 'ofLwaa5fRH', 'G2dwltl0TV', 'kY6wDxlo5A', 'isvwsdYCGs'
                  Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, DNBDXQCTCt7l3TL1Pcu.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eNG8DZNPE8', 'Yaa8sMUilG', 'MmB8qOC1j2', 'CKg88RcFxw', 'F9h8o0MJrO', 'Jtx8Os2s86', 'pC98vAVPOH'
                  Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, CM9ccjlVnUeJlxeSTY.csHigh entropy of concatenated method names: 'nWvK3O2K9H', 'waeKSDD5CO', 'GgNKBLF5a9', 'ndAKQGaQeX', 'uwZKGVqTyr', 'PEhKVxWAvr', 'bxAKkwXFEu', 'oaMK6mpYgX', 'toCKiFO52h', 'uLFKye2XQM'
                  Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, QvvipNFjX83HIkTDnX.csHigh entropy of concatenated method names: 'Dispose', 'CCKPiBCjHq', 'TbJ1Fv5mVl', 'll88Gv5saj', 'mINPyOavbg', 'qP1PzZ6QmM', 'ProcessDialogKey', 'sxJ1InSf5c', 'VcJ1PpUMbM', 'SCr11NKV8h'
                  Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, buPOruJjiSCmG1rVQI.csHigh entropy of concatenated method names: 'wZ7DLPiMQ7', 'OqnDFXpIpd', 'E3eDnDeXcI', 'ppGDh8njM5', 'f8iDE2ipvh', 'SvnDZCe8yQ', 'qusD5IKFGx', 'HZoDWG67ox', 'ovWD9aA42F', 'Vb2D0AaMwO'
                  Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, c84fuD5Cjcbf1VkubO.csHigh entropy of concatenated method names: 'A0yYcFJwdC', 'v7dY2A69u0', 'wP3YLOfRup', 'XjhYF4M3of', 'uBQYhnwFYQ', 'GbZYE4hyCl', 'atSY5gXNWM', 'QitYWMxJSP', 'k1tY0r5CDJ', 'd06Yd5numw'
                  Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, vXmbZCPkoncVrFegGk.csHigh entropy of concatenated method names: 'CbWaxf0blR', 'rYta41yS9q', 'ToString', 'lxqag3OZeE', 'OwWaK6Rw2c', 'bxmawaLLMt', 'Y67aUW6pjS', 'xqsajKWXr5', 'mN7apyou9G', 'KiIaMwACEt'
                  Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, bH5pYsIOqZcXxeVGdB.csHigh entropy of concatenated method names: 'bxRDCWn7Z5', 'LnTDaODs7P', 'nh1DDegL74', 'HNUDqiDeqT', 'rutDohncND', 'ACuDv1qbCW', 'Dispose', 'kfIlg4yimc', 'KrLlKfGOXh', 'T3dlwZv0XU'
                  Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, do3YSAQ7PoXbjqCnnH.csHigh entropy of concatenated method names: 'oErswU7KVR', 'ufPsUekdGA', 'YsCsjXV2n0', 'MM5spdoDxq', 'IH1sDopQa7', 'QCbsMnNk2s', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, GdBN7pGpb0BbAyscbp.cs -- High entropy of concatenated method names: 'YZxj7Yioem', 'pEtjKOp7OW', 'C3OjUHGCMV', 'kF2jpFiQuw', 'Pv4jMF31kc', 'TrcUGXfru7', 'awGUVQsHEn', 'bu9Uk0q5ZJ', 'VpGU67QOC6', 'GJZUidjj02'
Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, KK8N2oCEXc3svYNqJKO.cs -- High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WHmsdwib7b', 'jijsmqlZFn', 'uGdsA5iTI1', 'IxIs3Vb3bL', 'q8XsS9tVk3', 'RA2sBk7IfN', 'j0ksQAbRHt'
Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, Dp2VqsTXFLEGOOm7Qd.cs -- High entropy of concatenated method names: 'I1RPpWfS7c', 'CfpPMVdOYp', 'KshPxyTxFI', 'ciXP4QulQp', 'VUAPCI6dcP', 'Hq3PubtmYJ', 'HDwClQYpNBMH6wyDoj', 'JrjEDH2gN9pLqDUbcr', 'tk4PPmmweQ', 'Y3XPtcPKTT'
Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, PhFI0gCC3m3fXFN8MC4.cs -- High entropy of concatenated method names: 'kLqsyjPQ6i', 'X6VszvuRvf', 'iTtqIS672F', 'WKPqPu6gDd', 'VtTq1LuuGc', 'IJ5qtvLxqc', 'rAKqHABnDB', 'bigq77PolP', 'v9Cqgd5I5X', 'kBEqKdvfnq'
Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, QlQQ8b01PPiXSYiFjq.cs -- High entropy of concatenated method names: 'WhQUrxWbci', 'RpGUTdKZQK', 'y8LwnRANFP', 'R6Awh1NQgH', 'bUEwE67dX3', 'QUHwZpCoIb', 'tqvw5nUCJj', 'JqNwWduQdX', 'w3sw9wWdN8', 'T00w0iqXjM'
Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, NsJPZr8Xuy1IqP8Cf7.cs -- High entropy of concatenated method names: 'MXKpXEptSO', 'oPApNx4BZb', 'taZpbYIduW', 'WkLpJnvhaA', 'pbAprvTnAb', 'UdmpRdXuq2', 'S8ppT5HCu9', 'woQpckD0EJ', 'BNNp2E7KSu', 'qbvpffLlpO'
Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, KOTL5u4JSHhbqVvEW9.cs -- High entropy of concatenated method names: 'bPIC0kRiTN', 'u6oCmGvslF', 'OPEC3bmDeo', 'Hv6CS4NnQu', 'qwoCFSJMS7', 'AhwCnjFRUb', 'ONBChvWusy', 'kq1CEgZpMS', 'XhFCZOlOua', 'PXGC5K4Ks0'
Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, QrfBbZsy2OrC30SjKX.cs -- High entropy of concatenated method names: 'pkJpgcareK', 'yXEpwqlUQv', 't97pjZ5uiH', 'Vq2jyOq1DO', 'DCFjzQxXnL', 'kZSpI2yDJQ', 'bWnpPc93ol', 'PTEp1vlZZI', 'dAhptGuluZ', 'Ao8pHiJ0nv'
Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, H6vxdFLBKv1XUpsw7b.cs -- High entropy of concatenated method names: 'SpVa6jo6D2', 'vF2ayA5cVg', 'p8olIISri2', 'tVylPSSuEu', 'jhnadsbJwK', 'mcJamtktOs', 'qfLaA9ukye', 'ReAa3x4Ulj', 'tyhaSlFn10', 'fx8aBKAk0y'
Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, kCtW2ldAEV6qDsFo0b.cs -- High entropy of concatenated method names: 'UOkt71gy1U', 't3stgbk8kw', 'PP8tKoJUf8', 'pAktw3XB4C', 'ejgtUYJpHP', 'gv8tjWvGQB', 'dtItp6e1FG', 'uLPtMi301J', 'jPdteWtVPM', 'yiytxMRxCU'
Source: 0.2.GQKWopXj7S.exe.7790000.4.raw.unpack, x7Yn0YzQYtMKr66ENK.cs -- High entropy of concatenated method names: 'K11sRGfPbx', 'fNsscOByPc', 'xW8s2FrThc', 'NcksLT82OR', 'zVFsF0bsU6', 'YsPsheiZU1', 'DwMsEC3bFd', 'SXfsvtYYJm', 'fHWsXpPybr', 'uhdsNUWAMH'
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Process information set: NOOPENFILEERRORBOX (62 identical entries)

                  Malware Analysis System Evasion

Source: Yara match -- File source: Process Memory Space: GQKWopXj7S.exe PID: 6796, type: MEMORYSTR
Source: global traffic -- HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: GQKWopXj7S.exe, 00000000.00000002.2503533587.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, GQKWopXj7S.exe, 00000000.00000002.2505028154.0000000003A71000.00000004.00000800.00020000.00000000.sdmp, GQKWopXj7S.exe, 00000000.00000002.2503533587.0000000002B4F000.00000004.00000800.00020000.00000000.sdmp, GQKWopXj7S.exe, 00000000.00000002.2507162380.00000000070C0000.00000004.08000000.00040000.00000000.sdmp -- Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Memory allocated: 1010000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Memory allocated: 2A70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Memory allocated: 28C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Memory allocated: 8E60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Memory allocated: 7820000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Memory allocated: 9E60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Memory allocated: AE60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: GQKWopXj7S.exe, 00000000.00000002.2503533587.0000000002B4F000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: VMware
Source: GQKWopXj7S.exe, 00000000.00000002.2506899818.0000000006EC1000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: GQKWopXj7S.exe, 00000000.00000002.2507162380.00000000070C0000.00000004.08000000.00040000.00000000.sdmp -- Binary or memory string: vmware
Source: GQKWopXj7S.exe, 00000000.00000002.2507162380.00000000070C0000.00000004.08000000.00040000.00000000.sdmp -- Binary or memory string: VMwareVBox
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Process information queried: ProcessInformation

                  Anti Debugging

Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Code function: 0_2_072119C0 CheckRemoteDebuggerPresent
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Process queried: DebugPort
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Process token adjusted: Debug
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Queries volume information: C:\Users\user\Desktop\GQKWopXj7S.exe VolumeInformation
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match -- File source: 0.2.GQKWopXj7S.exe.70c0000.3.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.GQKWopXj7S.exe.70c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.GQKWopXj7S.exe.3ab5990.1.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.GQKWopXj7S.exe.3ab5990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.GQKWopXj7S.exe.3a79970.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.GQKWopXj7S.exe.3a79970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000002.2507162380.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2505028154.0000000003A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: GQKWopXj7S.exe PID: 6796, type: MEMORYSTR
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (3 identical entries)
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\GQKWopXj7S.exe -- Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match -- File source: 0.2.GQKWopXj7S.exe.70c0000.3.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.GQKWopXj7S.exe.70c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.GQKWopXj7S.exe.3ab5990.1.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.GQKWopXj7S.exe.3ab5990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.GQKWopXj7S.exe.3a79970.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.GQKWopXj7S.exe.3a79970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000002.2507162380.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2505028154.0000000003A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2503533587.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: GQKWopXj7S.exe PID: 6796, type: MEMORYSTR
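The behaviours listed in the evasion section (a user-agent-less GET to ip-api.com for the "hosting" flag, followed by WMI queries against the VM-fingerprinting classes) and in this section (opens of browser Login Data files, Mozilla-family profiles.ini files and mail-client registry keys) are cheap to hunt for in endpoint and proxy telemetry once they are combined per process. The Python below is an added example, not part of the Joe Sandbox report: the request line, WMI class names, file paths and registry keys come from the report, while the log format, the allowlist of processes that legitimately touch their own credential stores, and every PID and image name other than 6796 / GQKWopXj7S.exe are constructed for illustration.

```python
"""Hunt for the AgentTesla behaviours in the report over constructed telemetry.

Added example, not part of the Joe Sandbox report. The HTTP request line,
WMI class names, credential-store paths and registry keys are taken from the
report; the log format, process names and PIDs other than 6796 are
constructed for illustration.
"""
import re

# WMI classes the sample enumerated to fingerprint the host. One query is
# ordinary inventory activity; several from one fresh process is the pattern
# worth alerting on, and only together with the hosting check below.
VM_FINGERPRINT_CLASSES = {
    "win32_videocontroller", "win32_networkadapterconfiguration",
    "win32_baseboard", "win32_computersystem", "win32_processor", "win32_bios",
}

# ip-api.com answers /line/?fields=hosting with "true"/"false" telling the
# caller whether its public IP sits in a data-center range; the stealer uses
# that as a sandbox check before it does anything noisy.
HOSTING_CHECK = re.compile(r"^GET\s+/line/\?fields=hosting\b", re.I)

# Credential stores the sample opened (browser SQLite DBs, Mozilla-family
# profiles.ini, mail-client registry keys), matched on the lower-cased path
# suffix so the user name does not matter.
CREDENTIAL_STORE_SUFFIXES = (
    r"\google\chrome\user data\default\login data",
    r"\microsoft\edge\user data\default\login data",
    r"\mozilla\firefox\profiles.ini",
    r"\thunderbird\profiles.ini",
    r"\8pecxstudios\cyberfox\profiles.ini",
    r"\netgate technologies\blackhawk\profiles.ini",
    r"\windows messaging subsystem\profiles",
    r"\incredimail\identities",
)

# Processes expected to open their own stores (constructed allowlist).
STORE_OWNERS = {"chrome.exe", "msedge.exe", "firefox.exe", "thunderbird.exe"}

# Constructed log lines: "<pid> <image> <event> <payload>".
SAMPLE_LOG = r"""
6796 GQKWopXj7S.exe http host=ip-api.com request="GET /line/?fields=hosting HTTP/1.1" ua=
6796 GQKWopXj7S.exe wmi root\cimv2:Win32_NetworkAdapterConfiguration
6796 GQKWopXj7S.exe wmi root\CIMV2:SELECT * FROM Win32_VideoController
6796 GQKWopXj7S.exe wmi root\cimv2:Win32_BaseBoard
6796 GQKWopXj7S.exe wmi root\cimv2:Select * from Win32_ComputerSystem
6796 GQKWopXj7S.exe file C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
6796 GQKWopXj7S.exe file C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
6796 GQKWopXj7S.exe reg HKEY_CURRENT_USER\Software\IncrediMail\Identities
4120 chrome.exe file C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
4120 chrome.exe wmi root\cimv2:SELECT * FROM Win32_Processor
5032 inventory.exe wmi root\cimv2:Win32_BaseBoard
5032 inventory.exe wmi root\cimv2:Win32_Processor
5032 inventory.exe wmi root\cimv2:Win32_Bios
"""

WMI_CLASS = re.compile(r"(win32_[a-z]+)\s*$", re.I)
HTTP_FIELDS = re.compile(r'host=(\S+)\s+request="([^"]*)"\s+ua=(.*)$')


def new_state():
    return {"vm_classes": set(), "hosting_check": False,
            "no_user_agent": False, "credential_stores": set()}


def matched_store(path):
    """Return the credential-store suffix `path` ends with, or None."""
    p = path.lower()
    return next((s for s in CREDENTIAL_STORE_SUFFIXES if p.endswith(s)), None)


def score_processes(log_text):
    """Return {pid: (image, state)} with the observed indicators per process."""
    procs = {}
    for line in log_text.strip().splitlines():
        pid_s, image, kind, payload = line.split(" ", 3)
        _, state = procs.setdefault(int(pid_s), (image.lower(), new_state()))
        if kind == "wmi":
            m = WMI_CLASS.search(payload)
            if m and m.group(1).lower() in VM_FINGERPRINT_CLASSES:
                state["vm_classes"].add(m.group(1).lower())
        elif kind == "http":
            m = HTTP_FIELDS.match(payload)
            if m and m.group(1).lower() == "ip-api.com" and HOSTING_CHECK.match(m.group(2)):
                state["hosting_check"] = True
                state["no_user_agent"] = m.group(3).strip() == ""
        elif kind in ("file", "reg"):
            store = matched_store(payload)
            if store:
                state["credential_stores"].add(store)
    return procs


def classify(procs, min_vm_classes=3, min_stores=2):
    """Map each pid to the behaviours it exhibits; an empty list means nothing flagged."""
    findings = {}
    for pid, (image, s) in procs.items():
        hits = []
        if s["hosting_check"] and len(s["vm_classes"]) >= min_vm_classes:
            hits.append("sandbox-recon")
        if len(s["credential_stores"]) >= min_stores and image not in STORE_OWNERS:
            hits.append("credential-theft")
        findings[pid] = hits
    return findings


def suspicious_pids(log_text):
    """PIDs with at least one flagged behaviour, sorted."""
    return sorted(pid for pid, hits in classify(score_processes(log_text)).items() if hits)


if __name__ == "__main__":
    for pid, hits in classify(score_processes(SAMPLE_LOG)).items():
        print(pid, hits or "-")
```

The two thresholds are the point of the example: PID 5032 runs three fingerprinting queries and is not flagged because it never asked ip-api.com whether it is on hosting infrastructure, and chrome.exe opening its own Login Data is not flagged because it is the store's owner; only the process that does both halves of the report's behaviour is reported.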

                  Remote Access Functionality

Source: Yara match -- File source: 0.2.GQKWopXj7S.exe.70c0000.3.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.GQKWopXj7S.exe.70c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.GQKWopXj7S.exe.3ab5990.1.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.GQKWopXj7S.exe.3ab5990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.GQKWopXj7S.exe.3a79970.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.GQKWopXj7S.exe.3a79970.0.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000002.2507162380.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2505028154.0000000003A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: GQKWopXj7S.exe PID: 6796, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques prefixed with a number are the ones the matrix marks as observed (the number is the signature count shown in the matrix cell); the unnumbered entries are the matrix's empty placeholder cells, listed per tactic in row order.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 231 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 24 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; 1 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 531 Security Software Discovery; 24 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 34 System Information Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Email Collection; 1 Input Capture; 11 Archive Collected Data; 1 Data from Local System; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 2 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

Antivirus detection for the initial sample (Source / Detection / Scanner / Label):
GQKWopXj7S.exe -- 69% -- Virustotal
GQKWopXj7S.exe -- 66% -- ReversingLabs -- ByteCode-MSIL.Trojan.Jalapeno
GQKWopXj7S.exe -- 100% -- Avira -- TR/Kryptik.bwvjc
No Antivirus matches in the remaining categories (dropped files, unpacked PE files, domains, URLs)
Contacted domains (Name / IP / Active / Malicious / Reputation):
ip-api.com -- 208.95.112.1 -- active: true -- malicious: false -- reputation: high
Contacted URLs (Name / Malicious / Reputation):
http://ip-api.com/line/?fields=hosting -- malicious: false -- reputation: high
URLs from memory and binary strings (Name / Source / Malicious / Reputation):
https://account.dyn.com/ -- source: GQKWopXj7S.exe, 00000000.00000002.2505028154.0000000003A71000.00000004.00000800.00020000.00000000.sdmp, GQKWopXj7S.exe, 00000000.00000002.2507162380.00000000070C0000.00000004.08000000.00040000.00000000.sdmp -- malicious: false -- reputation: high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name -- source: GQKWopXj7S.exe, 00000000.00000002.2503533587.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, GQKWopXj7S.exe, 00000000.00000002.2503533587.0000000002B38000.00000004.00000800.00020000.00000000.sdmp -- malicious: false -- reputation: high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 -- source: GQKWopXj7S.exe -- malicious: false -- reputation: high
http://tempuri.org/DataSet1.xsd -- source: GQKWopXj7S.exe -- malicious: false -- reputation: high
http://ip-api.com -- source: GQKWopXj7S.exe, 00000000.00000002.2503533587.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, GQKWopXj7S.exe, 00000000.00000002.2503533587.0000000002B38000.00000004.00000800.00020000.00000000.sdmp, GQKWopXj7S.exe, 00000000.00000002.2503533587.0000000002B4F000.00000004.00000800.00020000.00000000.sdmp -- malicious: false -- reputation: high
Contacted IPs (IP / Domain / Country / ASN / ASN Name / Malicious):
208.95.112.1 -- ip-api.com -- United States -- 53334 -- TUT-ASUS -- false
                                Joe Sandbox version:42.0.0 Malachite
                                Analysis ID:1631848
                                Start date and time:2025-03-07 16:38:19 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 5m 55s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:10
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:GQKWopXj7S.exe
                                renamed because original name is a hash value
                                Original Sample Name:18c73f64f2a8ec8f4132cd796a008976efbf478cb567ba3be7bdbdf5d1ecf5a8.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@1/0@1/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 99%
                                • Number of executed functions: 124
                                • Number of non-executed functions: 9
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 23.60.203.209
                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
• Not all processes were analyzed, report is missing behavior information
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtReadVirtualMemory calls found.
Time / Type / Description:
10:39:18 -- API Interceptor -- 2x Sleep call for process: GQKWopXj7S.exe modified
Context for IP 208.95.112.1 (Associated Sample Name / Detection / Threat Name / Context):
1W2TnU01xb.exe -- malicious -- AgentTesla -- ip-api.com/line/?fields=hosting
2PJ65Chy6v.exe -- malicious -- AgentTesla -- ip-api.com/line/?fields=hosting
oCPGyn28rc.exe -- malicious -- AgentTesla -- ip-api.com/line/?fields=hosting
d1e371d754658620e3ea7abf8c49cffe4cd427d1a8a40.exe -- malicious -- Python Stealer, Blank Grabber, Njrat -- ip-api.com/json/?fields=225545
file.exe -- malicious -- AgentTesla -- ip-api.com/line/?fields=hosting
buttocks.vbs -- malicious -- AgentTesla -- ip-api.com/line/?fields=hosting
Request for Best Offer- HS CODE REF PO#2010050.exe -- malicious -- GuLoader -- ip-api.com/line/?fields=hosting
FA76543456780000987601.exe -- malicious -- AgentTesla -- ip-api.com/line/?fields=hosting
D9876543456780000.exe -- malicious -- AgentTesla, DBatLoader, PureLog Stealer -- ip-api.com/line/?fields=hosting
sales contract.exe -- malicious -- AgentTesla -- ip-api.com/line/?fields=hosting
Context for domain ip-api.com (Associated Sample Name / Detection / Threat Name / Context):
1W2TnU01xb.exe -- malicious -- AgentTesla -- 208.95.112.1
2PJ65Chy6v.exe -- malicious -- AgentTesla -- 208.95.112.1
oCPGyn28rc.exe -- malicious -- AgentTesla -- 208.95.112.1
d1e371d754658620e3ea7abf8c49cffe4cd427d1a8a40.exe -- malicious -- Python Stealer, Blank Grabber, Njrat -- 208.95.112.1
file.exe -- malicious -- AgentTesla -- 208.95.112.1
buttocks.vbs -- malicious -- AgentTesla -- 208.95.112.1
Request for Best Offer- HS CODE REF PO#2010050.exe -- malicious -- GuLoader -- 208.95.112.1
FA76543456780000987601.exe -- malicious -- AgentTesla -- 208.95.112.1
D9876543456780000.exe -- malicious -- AgentTesla, DBatLoader, PureLog Stealer -- 208.95.112.1
sales contract.exe -- malicious -- AgentTesla -- 208.95.112.1
Context for ASN TUT-ASUS (Associated Sample Name / Detection / Threat Name / Context):
1W2TnU01xb.exe -- malicious -- AgentTesla -- 208.95.112.1
2PJ65Chy6v.exe -- malicious -- AgentTesla -- 208.95.112.1
oCPGyn28rc.exe -- malicious -- AgentTesla -- 208.95.112.1
d1e371d754658620e3ea7abf8c49cffe4cd427d1a8a40.exe -- malicious -- Python Stealer, Blank Grabber, Njrat -- 208.95.112.1
file.exe -- malicious -- AgentTesla -- 208.95.112.1
buttocks.vbs -- malicious -- AgentTesla -- 208.95.112.1
Request for Best Offer- HS CODE REF PO#2010050.exe -- malicious -- GuLoader -- 208.95.112.1
FA76543456780000987601.exe -- malicious -- AgentTesla -- 208.95.112.1
D9876543456780000.exe -- malicious -- AgentTesla, DBatLoader, PureLog Stealer -- 208.95.112.1
sales contract.exe -- malicious -- AgentTesla -- 208.95.112.1
No context for JA3 fingerprints or dropped files
                                No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 0.1320387741633252
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                • Win32 Executable (generic) a (10002005/4) 49.97%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                • DOS Executable Generic (2002/1) 0.01%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: GQKWopXj7S.exe
File size: 83'886'080 bytes
MD5: 5a78fa2ee20313ccd9faa77288393ccb
SHA1: c962c7f90bc86c7b0bfea56389a673dcb26c7e71
SHA256: 18c73f64f2a8ec8f4132cd796a008976efbf478cb567ba3be7bdbdf5d1ecf5a8
SHA512: 956e25c8a67938c4f2bfd42cf4d1ecbaa91cdcd209cc31e261540b9b4a30030ad2e243ac0718077f562a35e0d33de805641d3c3df8f8b7d352f964b8a8d754d1
SSDEEP: 12288:hrgGTI0nYm2fBxpnlner9q4COl+zI1RE6uurtXdl4Hshh+VJuqZk:hPFYVfVa9qdOQu5dlIV
TLSH: 7E080168AB09E507CE9597700A71E2B81BBD5EEEA400D3175FDC6DFBF9A6B040D04287
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....B................0.................. ........@.. ....................... ............@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x4accbe
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xD00D42C9 [Sat Aug 10 15:39:53 2080 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                Signature Valid:
                                Signature Issuer:
                                Signature Validation Error:
                                Error Number:
                                Not Before, Not After
                                  Subject Chain
                                    Version:
                                    Thumbprint MD5:
                                    Thumbprint SHA-1:
                                    Thumbprint SHA-256:
                                    Serial:
                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xacc69 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xae000 | 0x630 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xaba00 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xab3c4 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xaacc4 | 0xaae00 | d6ab7e428d89cdf17b52cc03c8e477d0 | False | 0.9218492821872714 | data | 7.779851448300801 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xae000 | 0x630 | 0x800 | c1e770839dddbaaadc5bcb68ac31bc0f | False | 0.33935546875 | data | 3.475087629809481 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb0000 | 0xc | 0x200 | cb713bb6b9012c99917df3bde3d9ac50 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xae090 | 0x3a0 | data | | | 0.4191810344827586
RT_MANIFEST | 0xae440 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName | Microsoft Corporation
FileDescription | Language Profile
FileVersion | 1.0.0.0
InternalName | BjGx.exe
LegalCopyright | Copyright Microsoft Corporation. All rights reserved.
LegalTrademarks |
OriginalFilename | BjGx.exe
ProductName | Language Profile
ProductVersion | 1.0.0.0
Assembly Version | 1.0.0.0
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 16:39:21.337296009 CET | 49687 | 80 | 192.168.2.6 | 208.95.112.1
Mar 7, 2025 16:39:21.342318058 CET | 80 | 49687 | 208.95.112.1 | 192.168.2.6
Mar 7, 2025 16:39:21.342391014 CET | 49687 | 80 | 192.168.2.6 | 208.95.112.1
Mar 7, 2025 16:39:21.342994928 CET | 49687 | 80 | 192.168.2.6 | 208.95.112.1
Mar 7, 2025 16:39:21.347951889 CET | 80 | 49687 | 208.95.112.1 | 192.168.2.6
Mar 7, 2025 16:39:21.842499971 CET | 80 | 49687 | 208.95.112.1 | 192.168.2.6
Mar 7, 2025 16:39:21.884651899 CET | 49687 | 80 | 192.168.2.6 | 208.95.112.1
Mar 7, 2025 16:40:42.422295094 CET | 80 | 49687 | 208.95.112.1 | 192.168.2.6
Mar 7, 2025 16:40:42.422492027 CET | 49687 | 80 | 192.168.2.6 | 208.95.112.1
Mar 7, 2025 16:41:02.571084023 CET | 49687 | 80 | 192.168.2.6 | 208.95.112.1
Mar 7, 2025 16:41:02.576220036 CET | 80 | 49687 | 208.95.112.1 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 16:39:21.324315071 CET | 61028 | 53 | 192.168.2.6 | 1.1.1.1
Mar 7, 2025 16:39:21.331808090 CET | 53 | 61028 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 7, 2025 16:39:21.324315071 CET | 192.168.2.6 | 1.1.1.1 | 0x7887 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 7, 2025 16:39:21.331808090 CET | 1.1.1.1 | 192.168.2.6 | 0x7887 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                    • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49687 | 208.95.112.1 | 80 | 6796 | C:\Users\user\Desktop\GQKWopXj7S.exe
Timestamp | Bytes transferred | Direction | Data
Mar 7, 2025 16:39:21.342994928 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                    Host: ip-api.com
                                    Connection: Keep-Alive
Mar 7, 2025 16:39:21.842499971 CET | 175 | IN | HTTP/1.1 200 OK
                                    Date: Fri, 07 Mar 2025 15:39:20 GMT
                                    Content-Type: text/plain; charset=utf-8
                                    Content-Length: 6
                                    Access-Control-Allow-Origin: *
                                    X-Ttl: 60
                                    X-Rl: 44
                                    Data Raw: 66 61 6c 73 65 0a
                                    Data Ascii: false
Target ID: 0
Start time: 10:39:17
Start date: 07/03/2025
Path: C:\Users\user\Desktop\GQKWopXj7S.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\GQKWopXj7S.exe"
Imagebase: 0x5f0000
File size: 83'886'080 bytes
MD5 hash: 5A78FA2EE20313CCD9FAA77288393CCB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2507162380.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2507162380.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2507162380.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2505028154.0000000003A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2505028154.0000000003A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2503533587.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false