Loading ...

Play interactive tourEdit tour

Analysis Report v8AG4uXfZH.exe

Overview

General Information

Sample Name:v8AG4uXfZH.exe
MD5:dd19dd644e9beb76b9b2a095e83b6e3c
SHA1:ee7423ccc3a7c3dd4011e3a39fd775012f7afcab
SHA256:bbb0f2855d1444cae835700f58acb51b6a6fd2f48046e94850982753cb4a7268

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AgentTesla
.NET source code contains potential unpacker
.NET source code contains very large strings
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • v8AG4uXfZH.exe (PID: 5944 cmdline: 'C:\Users\user\Desktop\v8AG4uXfZH.exe' MD5: DD19DD644E9BEB76B9B2A095E83B6E3C)
    • v8AG4uXfZH.exe (PID: 4320 cmdline: {path} MD5: DD19DD644E9BEB76B9B2A095E83B6E3C)
      • netsh.exe (PID: 4988 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "mJsw1yj8", "URL: ": "http://tan8iyk6LhGD.com", "To: ": "", "ByHost: ": "smtp.yandex.com:587", "Password: ": "SUKjazJTeM", "From: ": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.1504542820.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000000.00000002.1090610910.0000000003A10000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000002.00000002.1507083637.0000000003140000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000002.00000002.1507496465.0000000003273000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Process Memory Space: v8AG4uXfZH.exe PID: 5944JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 2 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            2.2.v8AG4uXfZH.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

              Sigma Overview


              System Summary:

              barindex
              Sigma detected: Capture Wi-Fi passwordShow sources
              Source: Process startedAuthor: Joe Security: Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\v8AG4uXfZH.exe, ParentProcessId: 4320, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 4988

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Found malware configurationShow sources
              Source: v8AG4uXfZH.exe.4320.2.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "mJsw1yj8", "URL: ": "http://tan8iyk6LhGD.com", "To: ": "", "ByHost: ": "smtp.yandex.com:587", "Password: ": "SUKjazJTeM", "From: ": ""}
              Multi AV Scanner detection for submitted fileShow sources
              Source: v8AG4uXfZH.exeVirustotal: Detection: 70%Perma Link
              Source: v8AG4uXfZH.exeReversingLabs: Detection: 60%
              Machine Learning detection for sampleShow sources
              Source: v8AG4uXfZH.exeJoe Sandbox ML: detected
              Source: 2.2.v8AG4uXfZH.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8

              Source: global trafficTCP traffic: 192.168.2.6:49942 -> 77.88.21.158:587
              Source: Joe Sandbox ViewIP Address: 77.88.21.158 77.88.21.158
              Source: global trafficTCP traffic: 192.168.2.6:49942 -> 77.88.21.158:587
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_010CA09A recv,2_2_010CA09A
              Source: unknownDNS traffic detected: queries for: smtp.yandex.com
              Source: v8AG4uXfZH.exe, 00000002.00000002.1507496465.0000000003273000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ca.crl0h
              Source: v8AG4uXfZH.exe, 00000002.00000002.1507496465.0000000003273000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
              Source: v8AG4uXfZH.exe, 00000002.00000002.1507496465.0000000003273000.00000004.00000001.sdmpString found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
              Source: v8AG4uXfZH.exe, 00000000.00000002.1092434962.0000000004FD6000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
              Source: v8AG4uXfZH.exe, 00000002.00000002.1507496465.0000000003273000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ca.cer09
              Source: v8AG4uXfZH.exe, 00000002.00000002.1507496465.0000000003273000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
              Source: v8AG4uXfZH.exe, 00000002.00000002.1507496465.0000000003273000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ycasha2.cer0
              Source: v8AG4uXfZH.exe, 00000002.00000002.1505669375.00000000012D7000.00000004.00000020.sdmpString found in binary or memory: http://subca.ocsp-certum.c
              Source: v8AG4uXfZH.exe, 00000002.00000002.1507496465.0000000003273000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com0.
              Source: v8AG4uXfZH.exe, 00000002.00000002.1507496465.0000000003273000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com01
              Source: v8AG4uXfZH.exe, 00000002.00000002.1507496465.0000000003273000.00000004.00000001.sdmpString found in binary or memory: http://tan8iyk6LhGD.com
              Source: v8AG4uXfZH.exe, 00000000.00000002.1092434962.0000000004FD6000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: v8AG4uXfZH.exe, 00000000.00000002.1092434962.0000000004FD6000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
              Source: v8AG4uXfZH.exe, 00000002.00000002.1507496465.0000000003273000.00000004.00000001.sdmpString found in binary or memory: http://www.certum.pl/CPS0
              Source: v8AG4uXfZH.exe, 00000000.00000002.1092434962.0000000004FD6000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
              Source: v8AG4uXfZH.exe, 00000000.00000002.1092434962.0000000004FD6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
              Source: v8AG4uXfZH.exe, 00000000.00000002.1092434962.0000000004FD6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: v8AG4uXfZH.exe, 00000000.00000002.1092434962.0000000004FD6000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: v8AG4uXfZH.exe, 00000000.00000002.1092434962.0000000004FD6000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: v8AG4uXfZH.exe, 00000000.00000002.1092434962.0000000004FD6000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: v8AG4uXfZH.exe, 00000000.00000002.1092434962.0000000004FD6000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
              Source: v8AG4uXfZH.exe, 00000000.00000002.1092434962.0000000004FD6000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
              Source: v8AG4uXfZH.exe, 00000000.00000002.1092434962.0000000004FD6000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
              Source: v8AG4uXfZH.exe, 00000000.00000002.1092434962.0000000004FD6000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
              Source: v8AG4uXfZH.exe, 00000000.00000002.1092434962.0000000004FD6000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
              Source: v8AG4uXfZH.exe, 00000000.00000002.1092434962.0000000004FD6000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: v8AG4uXfZH.exe, 00000002.00000002.1507496465.0000000003273000.00000004.00000001.sdmpString found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
              Source: v8AG4uXfZH.exe, 00000002.00000002.1507496465.0000000003273000.00000004.00000001.sdmpString found in binary or memory: http://yandex.ocsp-responder.com03
              Source: v8AG4uXfZH.exe, 00000002.00000002.1507496465.0000000003273000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
              Source: v8AG4uXfZH.exe, 00000002.00000002.1507496465.0000000003273000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
              Source: v8AG4uXfZH.exe, 00000002.00000002.1507496465.0000000003273000.00000004.00000001.sdmpString found in binary or memory: https://www.certum.pl/CPS0

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              barindex
              Installs a global keyboard hookShow sources
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\v8AG4uXfZH.exeJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

              System Summary:

              barindex
              .NET source code contains very large stringsShow sources
              Source: v8AG4uXfZH.exe, CustomCastleCrawler/OIADHUPDIHGOUYFVDOTFOFFGDAIUHDBOIPDHJIAPO.csLong String: Length: 13656
              Source: 0.2.v8AG4uXfZH.exe.3e0000.0.unpack, CustomCastleCrawler/OIADHUPDIHGOUYFVDOTFOFFGDAIUHDBOIPDHJIAPO.csLong String: Length: 13656
              Source: 0.0.v8AG4uXfZH.exe.3e0000.0.unpack, CustomCastleCrawler/OIADHUPDIHGOUYFVDOTFOFFGDAIUHDBOIPDHJIAPO.csLong String: Length: 13656
              Source: 2.2.v8AG4uXfZH.exe.ae0000.1.unpack, CustomCastleCrawler/OIADHUPDIHGOUYFVDOTFOFFGDAIUHDBOIPDHJIAPO.csLong String: Length: 13656
              Source: 2.0.v8AG4uXfZH.exe.ae0000.0.unpack, CustomCastleCrawler/OIADHUPDIHGOUYFVDOTFOFFGDAIUHDBOIPDHJIAPO.csLong String: Length: 13656
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_010CB362 NtQuerySystemInformation,2_2_010CB362
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_010CB331 NtQuerySystemInformation,2_2_010CB331
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 0_2_04BC1D280_2_04BC1D28
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 0_2_04BC2F600_2_04BC2F60
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 0_2_04BC22EB0_2_04BC22EB
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 0_2_04BC1DCA0_2_04BC1DCA
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 0_2_04BC1DC00_2_04BC1DC0
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 0_2_04BC30080_2_04BC3008
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E575C02_2_05E575C0
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E5DD682_2_05E5DD68
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E555082_2_05E55508
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E5A8F82_2_05E5A8F8
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E57C202_2_05E57C20
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E56FE82_2_05E56FE8
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E5D7F02_2_05E5D7F0
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E55B802_2_05E55B80
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E5834E2_2_05E5834E
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E562C82_2_05E562C8
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E506402_2_05E50640
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E56A382_2_05E56A38
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E52DB92_2_05E52DB9
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E55D002_2_05E55D00
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E5C4E42_2_05E5C4E4
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E55C8F2_2_05E55C8F
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E506402_2_05E50640
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E5C0292_2_05E5C029
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E547BF2_2_05E547BF
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E51B8D2_2_05E51B8D
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E58AF82_2_05E58AF8
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E562B82_2_05E562B8
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E5328F2_2_05E5328F
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E532382_2_05E53238
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E51E162_2_05E51E16
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_0620D6882_2_0620D688
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_0620C7482_2_0620C748
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_0620E4482_2_0620E448
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_0620D1502_2_0620D150
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_0620B5F82_2_0620B5F8
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_062000702_2_06200070
              Source: v8AG4uXfZH.exeBinary or memory string: OriginalFilename vs v8AG4uXfZH.exe
              Source: v8AG4uXfZH.exe, 00000000.00000002.1089696578.0000000002A3E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSnakeLib.dll2 vs v8AG4uXfZH.exe
              Source: v8AG4uXfZH.exe, 00000000.00000000.1080070048.00000000003E2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamezGejktNAvc.exeH vs v8AG4uXfZH.exe
              Source: v8AG4uXfZH.exe, 00000000.00000002.1094827414.0000000007D00000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs v8AG4uXfZH.exe
              Source: v8AG4uXfZH.exe, 00000000.00000002.1090610910.0000000003A10000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAbYeBkQgzYsVBZUKWnpIeclSzakXdTAFXJCKMK.exe4 vs v8AG4uXfZH.exe
              Source: v8AG4uXfZH.exeBinary or memory string: OriginalFilename vs v8AG4uXfZH.exe
              Source: v8AG4uXfZH.exe, 00000002.00000002.1509183799.00000000054C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewbemdisp.tlbj% vs v8AG4uXfZH.exe
              Source: v8AG4uXfZH.exe, 00000002.00000002.1510293307.0000000005F80000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs v8AG4uXfZH.exe
              Source: v8AG4uXfZH.exe, 00000002.00000002.1504642811.000000000044C000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameAbYeBkQgzYsVBZUKWnpIeclSzakXdTAFXJCKMK.exe4 vs v8AG4uXfZH.exe
              Source: v8AG4uXfZH.exe, 00000002.00000002.1510269451.0000000005F70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx vs v8AG4uXfZH.exe
              Source: v8AG4uXfZH.exe, 00000002.00000002.1505465800.0000000001230000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs v8AG4uXfZH.exe
              Source: v8AG4uXfZH.exe, 00000002.00000002.1509271335.00000000055E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs v8AG4uXfZH.exe
              Source: v8AG4uXfZH.exe, 00000002.00000000.1084502076.0000000000AE2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamezGejktNAvc.exeH vs v8AG4uXfZH.exe
              Source: v8AG4uXfZH.exe, 00000002.00000002.1510122382.0000000005F00000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs v8AG4uXfZH.exe
              Source: v8AG4uXfZH.exeBinary or memory string: OriginalFilenamezGejktNAvc.exeH vs v8AG4uXfZH.exe
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeSection loaded: security.dllJump to behavior
              Source: v8AG4uXfZH.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: v8AG4uXfZH.exe, CustomCastleCrawler/Crypter.csCryptographic APIs: 'TransformFinalBlock'
              Source: v8AG4uXfZH.exe, CustomCastleCrawler/Crypter.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 0.2.v8AG4uXfZH.exe.3e0000.0.unpack, CustomCastleCrawler/Crypter.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.v8AG4uXfZH.exe.3e0000.0.unpack, CustomCastleCrawler/Crypter.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 0.0.v8AG4uXfZH.exe.3e0000.0.unpack, CustomCastleCrawler/Crypter.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.0.v8AG4uXfZH.exe.3e0000.0.unpack, CustomCastleCrawler/Crypter.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 2.2.v8AG4uXfZH.exe.ae0000.1.unpack, CustomCastleCrawler/Crypter.csCryptographic APIs: 'TransformFinalBlock'
              Source: 2.2.v8AG4uXfZH.exe.ae0000.1.unpack, CustomCastleCrawler/Crypter.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/1@1/1
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_010CB1E6 AdjustTokenPrivileges,2_2_010CB1E6
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_010CB1AF AdjustTokenPrivileges,2_2_010CB1AF
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\v8AG4uXfZH.exe.logJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeMutant created: \Sessions\1\BaseNamedObjects\QmOquaPnvsBanfeoIeLP
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_01
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
              Source: v8AG4uXfZH.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: v8AG4uXfZH.exeVirustotal: Detection: 70%
              Source: v8AG4uXfZH.exeReversingLabs: Detection: 60%
              Source: unknownProcess created: C:\Users\user\Desktop\v8AG4uXfZH.exe 'C:\Users\user\Desktop\v8AG4uXfZH.exe'
              Source: unknownProcess created: C:\Users\user\Desktop\v8AG4uXfZH.exe {path}
              Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess created: C:\Users\user\Desktop\v8AG4uXfZH.exe {path}Jump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profileJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: v8AG4uXfZH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
              Source: v8AG4uXfZH.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: v8AG4uXfZH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: C:\Users\Vendetta\Desktop\crypts\SnakeCsharp-master\Snake\obj\Debug\SnakeLib.pdb source: v8AG4uXfZH.exe, 00000000.00000002.1089696578.0000000002A3E000.00000004.00000001.sdmp
              Source: Binary string: mscorrc.pdb source: v8AG4uXfZH.exe, 00000000.00000002.1094827414.0000000007D00000.00000002.00000001.sdmp, v8AG4uXfZH.exe, 00000002.00000002.1510122382.0000000005F00000.00000002.00000001.sdmp

              Data Obfuscation:

              barindex
              .NET source code contains potential unpackerShow sources
              Source: v8AG4uXfZH.exe, CustomCastleCrawler/OIADHUPDIHGOUYFVDOTFOFFGDAIUHDBOIPDHJIAPO.cs.Net Code: AHUHD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.v8AG4uXfZH.exe.3e0000.0.unpack, CustomCastleCrawler/OIADHUPDIHGOUYFVDOTFOFFGDAIUHDBOIPDHJIAPO.cs.Net Code: AHUHD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.0.v8AG4uXfZH.exe.3e0000.0.unpack, CustomCastleCrawler/OIADHUPDIHGOUYFVDOTFOFFGDAIUHDBOIPDHJIAPO.cs.Net Code: AHUHD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 2.2.v8AG4uXfZH.exe.ae0000.1.unpack, CustomCastleCrawler/OIADHUPDIHGOUYFVDOTFOFFGDAIUHDBOIPDHJIAPO.cs.Net Code: AHUHD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 2.0.v8AG4uXfZH.exe.ae0000.0.unpack, CustomCastleCrawler/OIADHUPDIHGOUYFVDOTFOFFGDAIUHDBOIPDHJIAPO.cs.Net Code: AHUHD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Binary contains a suspicious time stampShow sources
              Source: initial sampleStatic PE information: 0xD7E4A0BC [Wed Oct 11 06:39:56 2084 UTC]
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_02CF267B pushad ; iretd 2_2_02CF267C
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E581D1 push 8BD08BFFh; iretd 2_2_05E581D7
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E511A8 push 8BD08BFFh; retf 2_2_05E511AD
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E51573 push 8BD08BFFh; retf 2_2_05E5157C
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E5812E push 8BD08BFFh; iretd 2_2_05E58137
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E51930 push 8BD08BFFh; retf 2_2_05E51939
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E508E1 push 8BD08BFFh; retf 2_2_05E508E6
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E510DF push 8BD08BFFh; retf 2_2_05E510E4
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E51874 push 8BD08BFFh; retf 2_2_05E51880
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E50828 push 8BD08BFFh; retf 2_2_05E5082D
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E51016 push 8BD08BFFh; retf 2_2_05E5101B
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E513D3 push 8BD08BFFh; retf 2_2_05E513D8
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E517BE push 8BD08BFFh; retf 2_2_05E517C7
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E5076B push 8BD08BFFh; retf 2_2_05E50774
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E50F5D push 8BD08BFFh; retf 2_2_05E50F62
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E51316 push 8BD08BFFh; retf 2_2_05E5131F
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E51AF5 push 8BD08BFFh; retf 2_2_05E51AFA
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E516F9 push 8BD08BFFh; retf 2_2_05E516FE
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E50E94 push 8BD08BFFh; retf 2_2_05E50E99
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E51640 push 8BD08BFFh; retf 2_2_05E51645
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E5125D push 8BD08BFFh; retf 2_2_05E51266
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E51A30 push 8BD08BFFh; retf 2_2_05E51A41
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E5163C push ss; retf 2_2_05E5163F
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E50A1A push 8BD08BFFh; retf 2_2_05E50A23
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_06201CEB push es; iretd 2_2_06201CEC
              Source: initial sampleStatic PE information: section name: .text entropy: 7.60606136902

              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              barindex
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exe TID: 5768Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exe TID: 3104Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exe TID: 5828Thread sleep count: 107 > 30Jump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exe TID: 5828Thread sleep time: -53500s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeLast function: Thread delayed
              Source: v8AG4uXfZH.exe, 00000002.00000002.1509271335.00000000055E0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: v8AG4uXfZH.exe, 00000002.00000002.1509271335.00000000055E0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: v8AG4uXfZH.exe, 00000002.00000002.1509271335.00000000055E0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: v8AG4uXfZH.exe, 00000002.00000002.1505669375.00000000012D7000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: v8AG4uXfZH.exe, 00000002.00000002.1509271335.00000000055E0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess information queried: ProcessInformationJump to behavior

              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeCode function: 2_2_05E5E429 LdrInitializeThunk,2_2_05E5E429
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion:

              barindex
              Injects a PE file into a foreign processesShow sources
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeMemory written: C:\Users\user\Desktop\v8AG4uXfZH.exe base: 400000 value starts with: 4D5AJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess created: C:\Users\user\Desktop\v8AG4uXfZH.exe {path}Jump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profileJump to behavior
              Source: v8AG4uXfZH.exe, 00000002.00000002.1505803487.00000000017C0000.00000002.00000001.sdmpBinary or memory string: Program Manager
              Source: v8AG4uXfZH.exe, 00000002.00000002.1505803487.00000000017C0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
              Source: v8AG4uXfZH.exe, 00000002.00000002.1505803487.00000000017C0000.00000002.00000001.sdmpBinary or memory string: Progman
              Source: v8AG4uXfZH.exe, 00000002.00000002.1505803487.00000000017C0000.00000002.00000001.sdmpBinary or memory string: Progmanlock

              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Lowering of HIPS / PFW / Operating System Security Settings:

              barindex
              Uses netsh to modify the Windows network and firewall settingsShow sources
              Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile

              Stealing of Sensitive Information:

              barindex
              Yara detected AgentTeslaShow sources
              Source: Yara matchFile source: 00000002.00000002.1504542820.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1090610910.0000000003A10000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.1507083637.0000000003140000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.1507496465.0000000003273000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: v8AG4uXfZH.exe PID: 5944, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: v8AG4uXfZH.exe PID: 4320, type: MEMORY
              Source: Yara matchFile source: 2.2.v8AG4uXfZH.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
              Tries to harvest and steal WLAN passwordsShow sources
              Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profileJump to behavior
              Tries to harvest and steal browser information (history, passwords, etc)Show sources
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
              Tries to harvest and steal ftp login credentialsShow sources
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
              Tries to steal Mail credentials (via file access)Show sources
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Users\user\Desktop\v8AG4uXfZH.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
              Source: Yara matchFile source: Process Memory Space: v8AG4uXfZH.exe PID: 4320, type: MEMORY

              Remote Access Functionality:

              barindex
              Yara detected AgentTeslaShow sources
              Source: Yara matchFile source: 00000002.00000002.1504542820.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1090610910.0000000003A10000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.1507083637.0000000003140000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.1507496465.0000000003273000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: v8AG4uXfZH.exe PID: 5944, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: v8AG4uXfZH.exe PID: 4320, type: MEMORY
              Source: Yara matchFile source: 2.2.v8AG4uXfZH.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
              Valid AccountsWindows Management Instrumentation111Winlogon Helper DLLAccess Token Manipulation1Software Packing13Credential Dumping2Security Software Discovery11Remote File Copy1Data from Local System2Data Encrypted11Uncommonly Used Port1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
              Replication Through Removable MediaService ExecutionPort MonitorsProcess Injection112Disabling Security Tools11Input Capture11File and Directory Discovery1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumRemote File Copy1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              External Remote ServicesWindows Management InstrumentationAccessibility FeaturesPath InterceptionDeobfuscate/Decode Files or Information1Credentials in Registry1System Information Discovery114Windows Remote ManagementInput Capture11Automated ExfiltrationStandard Cryptographic Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Drive-by CompromiseScheduled TaskSystem FirmwareDLL Search Order HijackingObfuscated Files or Information2Credentials in FilesVirtualization/Sandbox Evasion3Logon ScriptsClipboard Data1Data EncryptedStandard Non-Application Layer Protocol1SIM Card SwapPremium SMS Toll Fraud
              Exploit Public-Facing ApplicationCommand-Line InterfaceShortcut ModificationFile System Permissions WeaknessMasquerading1Account ManipulationProcess Discovery2Shared WebrootData StagedScheduled TransferStandard Application Layer Protocol11Manipulate Device CommunicationManipulate App Store Rankings or Ratings
              Spearphishing LinkGraphical User InterfaceModify Existing ServiceNew ServiceVirtualization/Sandbox Evasion3Brute ForceRemote System Discovery1Third-party SoftwareScreen CaptureData Transfer Size LimitsCommonly Used PortJamming or Denial of ServiceAbuse Accessibility Features
              Spearphishing AttachmentScriptingPath InterceptionScheduled TaskAccess Token Manipulation1Two-Factor Authentication InterceptionNetwork SniffingPass the HashEmail CollectionExfiltration Over Command and Control ChannelUncommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
              Spearphishing via ServiceThird-party SoftwareLogon ScriptsProcess InjectionTimestomp1Bash HistoryNetwork Service ScanningRemote Desktop ProtocolClipboard DataExfiltration Over Alternative ProtocolStandard Application Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
              Supply Chain CompromiseRundll32DLL Search Order HijackingService Registry Permissions WeaknessProcess Injection112Input PromptSystem Network Connections DiscoveryWindows Admin SharesAutomated CollectionExfiltration Over Physical MediumMultilayer EncryptionRogue Cellular Base StationData Destruction
              Trusted RelationshipPowerShellChange Default File AssociationExploitation for Privilege EscalationDLL Side-Loading1KeychainProcess DiscoveryTaint Shared ContentAudio CaptureCommonly Used PortConnection ProxyData Encrypted for Impact

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious