
Analysis Report M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe

Overview

General Information

Sample Name: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
MD5: 929bb4bfd755dea991175e2383b4e26c
SHA1: 3073e13b02046341a0648bde58f174624c80c930
SHA256: 67a7404a31223af4f376b78228762c3de9b8f46226e61e939e24e0d6d16a67b4


Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe (PID: 4320 cmdline: 'C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe' MD5: 929BB4BFD755DEA991175E2383B4E26C)
    • AppLaunch.exe (PID: 5124 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
      • netsh.exe (PID: 3628 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.1203491322.0000000005F99000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000003.1201519418.0000000005F66000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1218356550.0000000005F99000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000003.1201274920.0000000006015000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000003.1201833426.0000000005F6F000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(11 entries in total; the remaining entries are not reproduced here)

            Unpacked PEs

Source | Rule | Description | Author
2.2.AppLaunch.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

              Sigma Overview


              System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started | Author: Joe Security
Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, ParentProcessId: 5124, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 3628
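The Sigma match above is more useful in context than on its own: `netsh wlan show profile` is also routine administrator activity, but here netsh is spawned by an AppLaunch.exe (the signed .NET Framework ClickOnce launch utility) that was started with no arguments at all by an executable on the user's Desktop. An argument-less .NET host is the classic target of the "creates a process in suspended mode" hollowing step listed in the signatures. The following Python is an added example, not Joe Sandbox's or the Sigma rule's own code: it reconstructs the report's process tree as event records (the record layout and the benign control record are constructed; PIDs, paths and command lines come from the Startup tree above) and raises the severity of the netsh match when its parent is a hollowed-looking .NET host. The list of .NET hosts beyond AppLaunch.exe is an assumption added for generality.

```python
"""Process-tree checks for the netsh WLAN profile dump seen in this report.

Added example (not Joe Sandbox / Sigma code). Event layout and the benign
control record are constructed; PIDs, paths and command lines of the malicious
chain are taken from the report's Startup tree.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started process
    cmdline: str    # command line as logged


# .NET Framework binaries commonly started suspended and hollowed by .NET
# loaders. AppLaunch.exe is the one in this report; the others are an
# assumption added for generality.
DOTNET_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}

# Constructed records mirroring the report's Startup tree, plus one benign
# control (pid 7000): an administrator running netsh from an interactive shell.
SAMPLE_EVENTS = [
    ProcEvent(4320, 1000,
              r"C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe",
              r"'C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe'"),
    ProcEvent(5124, 4320,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"),
    ProcEvent(3628, 5124, r"C:\Windows\SysWOW64\netsh.exe", "'netsh' wlan show profile"),
    ProcEvent(6008, 3628, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(7000, 7001, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmdline: str) -> list:
    # Sufficient for the quoting style in the report ('netsh' wlan show profile).
    return cmdline.replace("'", " ").replace('"', " ").split()


def is_wifi_profile_dump(cmdline: str) -> bool:
    """netsh wlan show profile [...] enumerates saved WLAN profiles; with
    name=<ssid> key=clear it also prints the pre-shared key."""
    t = tokens(cmdline)
    if not t or basename(t[0]) not in ("netsh", "netsh.exe"):
        return False
    low = [x.lower() for x in t[1:]]
    return "wlan" in low and "show" in low and any(x.startswith("profile") for x in low)


def is_argless_dotnet_host(ev: ProcEvent) -> bool:
    """A .NET host whose command line is nothing but its own path is a hollowing
    target: the real code arrives through memory writes, not the command line."""
    rest = ev.cmdline.strip().strip("'\"")
    return basename(ev.image) in DOTNET_HOSTS and basename(rest) == basename(ev.image)


def classify(events):
    """Return one finding per WLAN profile dump, escalated when the parent is a
    hollowed-looking .NET host (the chain in this report)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if not is_wifi_profile_dump(ev.cmdline):
            continue
        severity = "high" if "key=clear" in ev.cmdline.lower() else "medium"
        reason = "netsh WLAN profile enumeration"
        parent = by_pid.get(ev.ppid)
        if parent is not None and is_argless_dotnet_host(parent):
            grandparent = by_pid.get(parent.ppid)
            severity = "critical"
            reason = (f"netsh spawned by argument-less {basename(parent.image)} "
                      f"(pid {parent.pid}), itself started by "
                      f"{grandparent.image if grandparent else 'unknown'}")
        findings.append({"pid": ev.pid, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_EVENTS):
        print(finding)
```

The parent check is what separates the report's chain from the control record: both run the same netsh command, but only pid 3628 has an argument-less AppLaunch.exe as parent, and that parent's own parent is a user-writable path rather than a system location.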

              Signature Overview


              AV Detection:

Antivirus / Scanner detection for submitted sample
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Virustotal: Detection: 30%
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | ReversingLabs: Detection: 18%
Machine Learning detection for sample
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.AppLaunch.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

              Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.6:49946 -> 162.221.185.10:21
Source: Traffic | Snort IDS: 2029928 ET TROJAN AgentTesla HTML System Info Report Exfil via FTP 192.168.2.6:49947 -> 162.221.185.10:35804
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.6:49947 -> 162.221.185.10:35804
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Uses FTP
Source: unknown | FTP traffic detected: 162.221.185.10:21 -> 192.168.2.6:49946, server greeting (multi-line 220 reply):
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 11:40. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
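Both Snort alerts refer to one FTP session. 49946 -> 21 is the control connection that received the Pure-FTPd greeting above; 49947 -> 35804 is a data connection the client opened to a high server port, which is how passive-mode FTP works (the server announces the data endpoint in a 227 reply on the control channel and the client connects to it). That is why "Detected TCP or UDP traffic on non-standard ports" fires alongside "Uses FTP", and why the second alert (the HTML system-info report) is seen on the high port. The following Python is an added example, not Joe Sandbox's or the Emerging Threats rules' code: it parses multi-line FTP replies, extracts the passive endpoint, and labels the report's two flows. Only the 220 greeting is from the report; the 227, 150 and 226 replies are constructed so that the announced data port equals the report's 35804.

```python
"""Correlate FTP control-channel replies with observed flows.

Added example, not Joe Sandbox / Emerging Threats code. The 220 greeting lines
are from the report; the 227/150/226 replies are constructed so the passive
data endpoint matches the report's second flow (139*256 + 220 = 35804).
"""
import re

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Constructed server-to-client transcript of the control channel.
CONTROL_CHANNEL = """\
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 11:40. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
227 Entering Passive Mode (162,221,185,10,139,220)
150 Accepted data connection
226-File successfully transferred
226 0.020 seconds (measured here), 61.25 Kbytes per second
"""

# Flows from the report: (src_ip, src_port, dst_ip, dst_port).
REPORT_FLOWS = [
    ("192.168.2.6", 49946, "162.221.185.10", 21),
    ("192.168.2.6", 49947, "162.221.185.10", 35804),
]


def parse_replies(text):
    """Split server output into (code, [lines]) replies using the RFC 959
    multi-line form: 'ddd-' opens, free text may follow, 'ddd ' closes."""
    replies, current = [], None
    for raw in text.splitlines():
        m = REPLY_RE.match(raw)
        if current is None:
            if not m:
                raise ValueError(f"reply must start with a 3-digit code: {raw!r}")
            current = (int(m.group(1)), [m.group(3)])
            ends = m.group(2) == " "
        elif m and int(m.group(1)) == current[0]:
            current[1].append(m.group(3))
            ends = m.group(2) == " "
        else:
            current[1].append(raw)          # continuation text without a code
            ends = False
        if ends:
            replies.append(current)
            current = None
    if current is not None:
        raise ValueError("control channel ends inside a multi-line reply")
    return replies


def pasv_endpoint(replies):
    """(ip, port) announced in the first 227 reply, or None."""
    for code, lines in replies:
        if code == 227:
            m = PASV_RE.search(" ".join(lines))
            if m:
                h1, h2, h3, h4, p1, p2 = map(int, m.groups())
                return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    return None


def label_flows(flows, replies):
    """Explain each flow: control channel, passive data channel announced on the
    control channel, or a high port nothing on the control channel accounts for."""
    pasv = pasv_endpoint(replies)
    labels = {}
    for flow in flows:
        _src, _sport, dst, dport = flow
        if dport == 21:
            labels[flow] = "ftp-control"
        elif pasv is not None and (dst, dport) == pasv:
            labels[flow] = "ftp-data (passive endpoint announced on control channel)"
        else:
            labels[flow] = "unexplained non-standard port"
    return labels


def session_summary(text, flows):
    replies = parse_replies(text)
    return {
        "greeting": replies[0][1] if replies and replies[0][0] == 220 else [],
        "passive_endpoint": pasv_endpoint(replies),
        "flows": label_flows(flows, replies),
        "transfer_completed": any(code == 226 for code, _ in replies),
    }


if __name__ == "__main__":
    for key, value in session_summary(CONTROL_CHANNEL, REPORT_FLOWS).items():
        print(key, value)
```

When reviewing a capture of this kind, the 227 reply is the pivot: a high-port connection that matches an announced passive endpoint is part of the FTP session and should be inspected as the exfiltrated payload, whereas a high-port connection with no such announcement is a separate channel.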
Source: AppLaunch.exe, 00000002.00000002.1533587732.0000000006F71000.00000004.00000001.sdmp | String found in binary or memory: :["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java-bean","application/x-java-bean;jpi-version=1.7.0_05","application/x-java-bean;version=1.1","application/x-java-bean;version=1.1.1","application/x-java-bean;version=1.1.2","application/x-java-bean;version=1.1.3","application/x-java-bean;version=1.2","application/x-java-bean;version=1.2.1","application/x-java-bean;version=1.2.2","application/x-java-bean;version=1.3","application/x-java-bean;version=1.3.1","application/x-java-bean;version=1.4","application/x-java-bean;version=1.4.1","application/x-java-bean;version=1.4.2","application/x-java-bean;version=1.5","application/
Source: unknown | DNS traffic detected: queries for: ftp.pan-door.gr
Source: AppLaunch.exe, 00000002.00000002.1533949778.0000000007073000.00000004.00000001.sdmp | String found in binary or memory: http://PnDqLF2sL5.org
Source: AppLaunch.exe, 00000002.00000002.1533587732.0000000006F71000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: AppLaunch.exe, 00000002.00000002.1533587732.0000000006F71000.00000004.00000001.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: AppLaunch.exe, 00000002.00000002.1533949778.0000000007073000.00000004.00000001.sdmp | String found in binary or memory: http://ftp.pan-door.gr
Source: AppLaunch.exe, 00000002.00000002.1533949778.0000000007073000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AppLaunch.exe, 00000002.00000002.1533587732.0000000006F71000.00000004.00000001.sdmp | String found in binary or memory: http://support.apple.com/kb/HT203092
Source: AppLaunch.exe, 00000002.00000002.1533587732.0000000006F71000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: AppLaunch.exe, 00000002.00000002.1533587732.0000000006F71000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: AppLaunch.exe, 00000002.00000002.1533587732.0000000006F71000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: AppLaunch.exe, 00000002.00000002.1533587732.0000000006F71000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784

Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.1205780724.0000000001210000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              System Summary:

.NET source code contains very large array initializations
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, mEu0025.cs | Large array initialization: Gm6: array initializer size 25500
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, u0033Tt.cs | Large array initialization: J?c: array initializer size 19780
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, Wu0024a.cs | Large array initialization: a%9: array initializer size 14112
Source: 0.0.M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe.a40000.0.unpack, mEu0025.cs | Large array initialization: Gm6: array initializer size 25500
Source: 0.0.M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe.a40000.0.unpack, u0033Tt.cs | Large array initialization: J?c: array initializer size 19780
Source: 0.0.M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe.a40000.0.unpack, Wu0024a.cs | Large array initialization: a%9: array initializer size 14112
Source: 0.2.M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe.a40000.0.unpack, mEu0025.cs | Large array initialization: Gm6: array initializer size 25500
Source: 0.2.M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe.a40000.0.unpack, u0033Tt.cs | Large array initialization: J?c: array initializer size 19780
Source: 0.2.M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe.a40000.0.unpack, Wu0024a.cs | Large array initialization: a%9: array initializer size 14112
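Three byte arrays of 25500, 19780 and 14112 elements in an otherwise small .NET executable are the usual place a crypter keeps its encrypted or compressed next stage (here the payload that ends up in AppLaunch.exe), which is also why "Detected potential crypto function" appears in the signature list. Such blobs can be located on disk without decompiling: encrypted data has near-maximal byte entropy, while IL, metadata and strings do not. The following Python is an added example, not Joe Sandbox's code; the input is a constructed stand-in for the dropper (low-entropy filler around a pseudo-random blob sized like the largest array), so the offsets it reports are assumptions, not offsets in the real sample.

```python
"""Locate embedded high-entropy blobs in a dropper.

Added example, not Joe Sandbox code. The bytes are constructed: a low-entropy
filler stands in for IL and metadata, and a 25500-byte pseudo-random blob
stands in for the largest array initializer the report lists. Offsets are
assumptions, not measurements of the real sample.
"""
import math
import random
from collections import Counter


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def high_entropy_regions(data: bytes, window: int = 1024, step: int = 256,
                         threshold: float = 7.0):
    """Slide a window over data; merge overlapping windows whose entropy is at
    or above threshold into (start, end, mean_entropy) regions. Encrypted or
    compressed payloads score close to 8; code and metadata score well below 7."""
    regions = []   # each item: [start, end, entropy_sum, window_count]
    for off in range(0, len(data) - window + 1, step):
        h = shannon_entropy(data[off:off + window])
        if h < threshold:
            continue
        if regions and off <= regions[-1][1]:
            regions[-1][1] = off + window
            regions[-1][2] += h
            regions[-1][3] += 1
        else:
            regions.append([off, off + window, h, 1])
    return [(s, e, total / count) for s, e, total, count in regions]


def build_sample() -> bytes:
    """Constructed stand-in for the dropper: filler, a 25500-byte random blob
    (the size of the report's largest array initializer), more filler."""
    filler = b"mscorlib System.Reflection.Assembly.Load Invoke GetType " * 400
    rng = random.Random(2024)          # fixed seed keeps the example deterministic
    blob = bytes(rng.getrandbits(8) for _ in range(25500))
    return filler[:8192] + blob + filler[:4096]


def triage(data: bytes):
    """One record per region, so an analyst knows where to carve."""
    return [{"offset": s, "length": e - s, "entropy": round(h, 2)}
            for s, e, h in high_entropy_regions(data)]


if __name__ == "__main__":
    for record in triage(build_sample()):
        print(record)
```

Run against a real dropper, each region's offset and length can be compared with the array sizes the decompiler reports; a region whose length matches an initializer is the blob to carve and attempt to decrypt, and its entropy tells you whether it is merely compressed (noticeably below 8) or encrypted (effectively 8).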
Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Code functions: 0_2_00A4848B, 0_2_00A42B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code functions: 2_2_095788F0, 2_2_0957FCA0, 2_2_095711A8, 2_2_095732BC, 2_2_09571578, 2_2_095744C0, 2_2_09579778, 2_2_095788E1, 2_2_09578D58, 2_2_09578CE4, 2_2_095751B0, 2_2_095711A3, 2_2_09579031, 2_2_0957156B, 2_2_095744BF, 2_2_095744BB, 2_2_09579777, 2_2_0A4C2B08, 2_2_0A4C09B0, 2_2_0A4C6E00, 2_2_0A4C9C80, 2_2_0A4C7A00, 2_2_0A4C0040, 2_2_0A4C3040, 2_2_0A4C3050, 2_2_0A4C8152, 2_2_0A4C5128, 2_2_0A4C79F1, 2_2_0A4C09A0, 2_2_0A4C56A0, 2_2_0A4C56B0, 2_2_0A4C5744, 2_2_0A4C9C71, 2_2_0A4C4C38, 2_2_0A4C6DF0, 2_2_0A545230, 2_2_0A545840, 2_2_0A5499D0, 2_2_0A54B688, 2_2_0A54E790, 2_2_0A54C5B0, 2_2_0A545220, 2_2_0A54E288, 2_2_0A54C911, 2_2_0A5489D0, 2_2_0A5499C0, 2_2_0A54B679, 2_2_0A54E784, 2_2_0A54CC99, 2_2_0A5455B9, 2_2_0A54C5A1
Sample file is different than original file name gathered from version info
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Binary or memory string: OriginalFilename vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000003.1201519418.0000000005F66000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameoWRSKhScdSrrqLJGxRQGU.exe4 vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.1210366566.0000000002F70000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameoWRSKhScdSrrqLJGxRQLJGxRQGU.exe( vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.1210366566.0000000002F70000.00000004.00000001.sdmp | Binary or memory string: lHOriginalFilenameoWRSKhScdSrrqLJGxRQ vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.1204029731.0000000000A42000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamemaincrypt_open.exeD vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.1210124495.0000000002F16000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClassLibrary2.dll, vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.1206852030.0000000001460000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenametgrdcgd.dll2 vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.1207487339.0000000002E00000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenametfghfdgtr.dllT vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.1207487339.0000000002E00000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefvsfesdf.dll2 vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.1205780724.0000000001210000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Binary or memory string: OriginalFilenameoWRSKhScdSrrqLJGxRQLJGxRQGU.exe( vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Binary or memory string: OriginalFilenamemaincrypt_open.exeD vs M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/1@1/1
Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_01
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Virustotal: Detection: 30%
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | ReversingLabs: Detection: 18%
Source: unknown | Process created: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe 'C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
              Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdb source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.1206852030.0000000001460000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdbg6 source: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe, 00000000.00000002.1206852030.0000000001460000.00000004.00000001.sdmp

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Code function: 0_2_00A4830D push es; ret 0_2_00A4848A
Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Code function: 0_2_00A42B10 push es; ret 0_2_00A42F1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_09571813 pushad ; retf 2_2_09571819
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_09573DF3 push ds; iretd 2_2_09573DF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_09573213 push ds; iretd 2_2_09573222
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0957C2D0 push es; ret 2_2_0957C2E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A4CC4B5 pushfd ; retf 2_2_0A4CC4B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A5473DF push es; ret 2_2_0A5473E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A543026 push ss; retf 2_2_0A543027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A544E3B push eax; iretd 2_2_0A544E3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A547427 push es; ret 2_2_0A5473E0

              Hooking and other Techniques for Hiding and Protection:

              Hides that the sample has been downloaded from the Internet (zone.identifier)
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | File opened: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe:Zone.Identifier read attributes | delete
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Process information set: NOOPENFILEERRORBOX (32 identical entries)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process information set: NOOPENFILEERRORBOX (55 identical entries)
              Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)

              Malware Analysis System Evasion:

              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Window / User API: threadDelayed 571
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe TID: 68 | Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe TID: 5152 | Thread sleep count: 164 > 30
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe TID: 3524 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3032 | Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3144 | Thread sleep count: 571 > 30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3032 | Thread sleep time: -60000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3032 | Thread sleep time: -47094s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3032 | Thread sleep time: -45500s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3032 | Thread sleep time: -38000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3032 | Thread sleep time: -36156s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3032 | Thread sleep time: -36000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Last function: Thread delayed
              Source: AppLaunch.exe, 00000002.00000002.1536988466.000000000A340000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Process information queried: ProcessInformation

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 2_2_0A4C2B08 LdrInitializeThunk,2_2_0A4C2B08
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Process token adjusted: Debug
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Memory allocated: page read and write | page guard

              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
              Source: AppLaunch.exe, 00000002.00000002.1532626356.0000000005820000.00000002.00000001.sdmp | Binary or memory string: Program Manager
              Source: AppLaunch.exe, 00000002.00000002.1532626356.0000000005820000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: AppLaunch.exe, 00000002.00000002.1532626356.0000000005820000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: AppLaunch.exe, 00000002.00000002.1532626356.0000000005820000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Queries volume information: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe VolumeInformation
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 identical entries)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation (2 identical entries)
              Source: C:\Users\user\Desktop\M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings:

              Uses netsh to modify the Windows network and firewall settings
              Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile

              Stealing of Sensitive Information:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000000.00000003.1203491322.0000000005F99000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1201519418.0000000005F66000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1218356550.0000000005F99000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1201274920.0000000006015000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1201833426.0000000005F6F000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1214640081.0000000003E54000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1215191147.0000000003F51000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.1529620218.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.1533219034.0000000006E70000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1203000191.0000000006019000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1203575564.0000000005F99000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1203395130.0000000005F92000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1207487339.0000000002E00000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: M626007403INTRUCTIONS_YMLU48531150_MV_UM_WITNESS_08E_147.exe PID: 4320, type: MEMORY
              Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 5124, type: MEMORY
              Source: Yara match | File source: 2.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Tries to harvest and steal WLAN passwords
              Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Tries to harvest and steal ftp login credentials
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
              Tries to steal Mail credentials (via file access)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: Yara match | File source: Process Memory Space: AppLaunch.exe PID: 5124, type: MEMORY

              Remote Access Functionality:

              Yara detected AgentTesla
              Source: Yara match (the same 16 match locations already listed under "Stealing of Sensitive Information" above)

              Mitre Att&ck Matrix

              (One row per line, columns separated by "|"; the numeric badges attached to a technique in the original matrix are kept after the technique name.)

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation 211 | Hidden Files and Directories 1 | Process Injection 12 | Software Packing 1 | Credential Dumping 2 | Security Software Discovery 111 | Application Deployment Software | Data from Local System 2 | Exfiltration Over Alternative Protocol 1 | Uncommonly Used Port 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Disabling Security Tools 11 | Input Capture 1 | File and Directory Discovery 1 | Remote Services | Email Collection 1 | Data Encrypted 1 | Standard Cryptographic Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Obfuscated Files or Information 1 | Credentials in Registry 1 | System Information Discovery 114 | Windows Remote Management | Input Capture 1 | Automated Exfiltration | Standard Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Masquerading 1 | Credentials in Files | Virtualization/Sandbox Evasion 13 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 11 | SIM Card Swap | Premium SMS Toll Fraud |
              Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Hidden Files and Directories 1 | Account Manipulation | Process Discovery 2 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
              Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Virtualization/Sandbox Evasion 13 | Brute Force | Application Window Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features |
              Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Process Injection 12 | Two-Factor Authentication Interception | Remote System Discovery 1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

              Behavior Graph

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi