
Analysis Report t.exe

Overview

General Information

Sample Name: t.exe
MD5: 9ae795a6a67c958c15d120c26efced30
SHA1: bf3769d4d27f99e2214896a04cbcd46c2e0cd5f7
SHA256: f86c9804962e1889e0002741388ef1e4b7a140f12d634d4b2ebc0af9162bc097

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • t.exe (PID: 2700 cmdline: 'C:\Users\user\Desktop\t.exe' MD5: 9AE795A6A67C958C15D120C26EFCED30)
    • t.exe (PID: 2384 cmdline: C:\Users\user\Desktop\t.exe MD5: 9AE795A6A67C958C15D120C26EFCED30)
    • t.exe (PID: 316 cmdline: C:\Users\user\Desktop\t.exe MD5: 9AE795A6A67C958C15D120C26EFCED30)
      • netsh.exe (PID: 4596 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 3004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "hi0Cl3yOyGau", "URL: ": "http://SxdSYenGVOVEhUr.org", "To: ": "info@sahnemobilya.com", "ByHost: ": "mail.sahnemobilya.com:5878", "Password: ": "5ypoxNucnGxyqTf", "From: ": "info@sahnemobilya.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.557190814.0000000004488000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.555974166.0000000004210000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.946745136.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.948833983.0000000002C10000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.948833983.0000000002C10000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.t.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started | Author: Joe Security | Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: C:\Users\user\Desktop\t.exe, ParentImage: C:\Users\user\Desktop\t.exe, ParentProcessId: 316, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 4596

Signature Overview

AV Detection:

Found malware configuration
Source: t.exe.316.3.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "hi0Cl3yOyGau", "URL: ": "http://SxdSYenGVOVEhUr.org", "To: ": "info@sahnemobilya.com", "ByHost: ": "mail.sahnemobilya.com:5878", "Password: ": "5ypoxNucnGxyqTf", "From: ": "info@sahnemobilya.com"}
Multi AV Scanner detection for submitted file
Source: t.exe | Virustotal: Detection: 28%
Source: t.exe | ReversingLabs: Detection: 58%
Machine Learning detection for sample
Source: t.exe | Joe Sandbox ML: detected
Source: 3.2.t.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.7:49708 -> 31.207.81.11:587
Source: global traffic | TCP traffic: 192.168.2.7:49708 -> 31.207.81.11:587
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: unknown | DNS traffic detected: queries for: mail.sahnemobilya.com
Source: t.exe, 00000003.00000002.949208599.0000000002D1A000.00000004.00000001.sdmp | String found in binary or memory: http://SxdSYenGVOVEhUr.org
Source: t.exe, 00000003.00000002.949208599.0000000002D1A000.00000004.00000001.sdmp | String found in binary or memory: http://SxdSYenGVOVEhUr.orgLU9
Source: t.exe, 00000003.00000002.949208599.0000000002D1A000.00000004.00000001.sdmp | String found in binary or memory: http://mail.sahnemobilya.com
Source: t.exe, 00000003.00000002.949208599.0000000002D1A000.00000004.00000001.sdmp | String found in binary or memory: http://sahnemobilya.com

System Summary:

Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_0307EDA4
Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_0307C40C
Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_0307FB70
Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_0307DD08
Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_0307DCF8
Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_067B4D30
Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_067B1880
Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_067B2150
Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_067B29C9
Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_067B5C31
Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_067B1538
Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_067B4D20
Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_067B59E8
Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_067B59D8
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_011359D8
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_011311C8
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_011308F8
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01138558
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_011305B0
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01137F22
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01132E38
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0113493C
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0113516D
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0113499A
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_011349E2
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0113481C
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01134864
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_011348AC
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_011348F4
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01134B02
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01134B4A
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01134B92
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01134BDA
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01134A2A
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01134A72
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01135A70
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01134294
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01134ABA
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01134D42
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01134C22
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01134C6A
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01134CB2
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01134CFA
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01134747
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0113EF91
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_011347D4
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0113EEB0
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_011346A1
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_011346FF
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_053C1598
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_053C44C0
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_053C11A8
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_053C5188
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_053C9CD0
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_053C8B28
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_053C55B0
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_053C1588
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_053C44B2
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_053C1199
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_053C92E6
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_053C9CC1
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_053C8F31
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_053C8FA9
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_053C8B19
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_053CDA52
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0610A228
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06103278
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06102268
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06106318
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06101B70
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06104028
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06102040
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0610DC40
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0610C478
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0610E588
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06103267
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_061032F7
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06101B60
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06103BDA
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06108BDB
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06104018
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0610DC32
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06108C23
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06105C58
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0610D07A
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06101C6A
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0610D088
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0610850B
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0610E57A
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06106992
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_061069A0
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0610A1AF
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06107DE8
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06194358
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06192138
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_061936F0
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06193AA8
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06192697
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06190498
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_061924E9
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_061922A5
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06192128
Source: t.exe | Binary or memory string: OriginalFilename vs t.exe
Source: t.exe, 00000000.00000002.555926455.000000000346E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename26.dll4 vs t.exe
Source: t.exe, 00000000.00000002.555926455.000000000346E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameaJPuGhmrKKVZTYAkeQnaoJZoIoRYTugPvfl.exe4 vs t.exe
Source: t.exe, 00000000.00000002.555974166.0000000004210000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMYDLLSTUBSHARED.dll4 vs t.exe
Source: t.exe, 00000000.00000002.552938099.0000000000E32000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameZImBOZX.dll< vs t.exe
Source: t.exe, 00000000.00000002.553084445.0000000000E90000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamehPUgHLW.exe0 vs t.exe
Source: t.exe, 00000000.00000002.554794400.0000000003210000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUnhook.dll4 vs t.exe
Source: t.exe, 00000002.00000002.551992921.0000000000230000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamehPUgHLW.exe0 vs t.exe
Source: t.exe, 00000002.00000002.551852011.00000000001D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameZImBOZX.dll< vs t.exe
Source: t.exe, 00000003.00000002.947229342.0000000000CF7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs t.exe
Source: t.exe, 00000003.00000000.552461646.0000000000872000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameZImBOZX.dll< vs t.exe
Source: t.exe, 00000003.00000002.947079463.00000000008D0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamehPUgHLW.exe0 vs t.exe
Source: t.exe, 00000003.00000002.952489811.0000000006180000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs t.exe
Source: t.exe, 00000003.00000002.951008562.0000000005140000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs t.exe
Source: t.exe, 00000003.00000002.946869812.000000000044E000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameaJPuGhmrKKVZTYAkeQnaoJZoIoRYTugPvfl.exe4 vs t.exe
Source: t.exe, 00000003.00000002.952328681.0000000006110000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs t.exe
Source: t.exe, 00000003.00000002.952267162.00000000060F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs t.exe
Source: t.exe | Binary or memory string: OriginalFilenameZImBOZX.dll< vs t.exe
Source: t.exe | Binary or memory string: OriginalFilenamehPUgHLW.exe0 vs t.exe
Source: t.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/0@3/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3004:120:WilError_01
Source: C:\Users\user\Desktop\t.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\Desktop\t.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\t.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\t.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\t.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: t.exe | Virustotal: Detection: 28%
Source: t.exe | ReversingLabs: Detection: 58%
Source: unknown | Process created: C:\Users\user\Desktop\t.exe 'C:\Users\user\Desktop\t.exe'
Source: unknown | Process created: C:\Users\user\Desktop\t.exe C:\Users\user\Desktop\t.exe
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\t.exe | Process created: C:\Users\user\Desktop\t.exe C:\Users\user\Desktop\t.exe
Source: C:\Users\user\Desktop\t.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\Desktop\t.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\t.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\t.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: t.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: t.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: 26.pdb | source: t.exe, 00000000.00000002.555926455.000000000346E000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Raz\Documents\Visual Studio 2015\Projects\STUB214\ClassLibrary1\obj\Debug\ZImBOZX.pdb<2V2 H2_CorDllMainmscoree.dll | source: t.exe
Source: Binary string: C:\Users\Raz\Documents\Visual Studio 2015\Projects\STUB214\ClassLibrary1\obj\Debug\ZImBOZX.pdb | source: t.exe

Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_067BAE63 push es; retf 0_2_067BAE68
Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_067BAFB3 push es; ret 0_2_067BAFB4
Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_067BACEB push es; ret 0_2_067BACEC
Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_067BACBF push es; retf 0_2_067BACC0
Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_067BAB17 push es; iretd 0_2_067BAB18
Source: C:\Users\user\Desktop\t.exe | Code function: 0_2_067BB07F push es; iretd 0_2_067BB080
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0113DD7F push edi; retn 0000h 3_2_0113DD81
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_06106FDC push eax; retf 3_2_06106FDD
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0610B82D push es; ret 3_2_0610B870
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_0610B972 push edi; iretd 3_2_0610B973
Source: initial sample | Static PE information: section name: .text entropy: 7.64801179417

Source: C:\Users\user\Desktop\t.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\t.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\t.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\t.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\t.exe | Window / User API: threadDelayed 961
Source: C:\Users\user\Desktop\t.exe TID: 5024 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 1864 | Thread sleep count: 31 > 30
Source: C:\Users\user\Desktop\t.exe TID: 1864 | Thread sleep count: 961 > 30
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -53688s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -52594s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -49188s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -69750s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -45094s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -44188s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -66000s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -43500s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -43094s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -62532s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -41094s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -36094s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -35688s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -59782s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -58906s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -56094s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -55906s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -55688s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -53906s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -53000s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -52782s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -52094s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -51406s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -51000s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -50094s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -48720s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -48282s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -46876s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -46282s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -45782s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -45594s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -42876s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -42406s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -42188s >= -30000s
Source: C:\Users\user\Desktop\t.exe TID: 4048 | Thread sleep time: -41500s >= -30000s
Source: C:\Users\user\Desktop\t.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\t.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\t.exe | Last function: Thread delayed
Source: t.exe, 00000003.00000002.952790924.0000000006250000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: C:\Users\user\Desktop\t.exe | Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01134632 LdrInitializeThunk,3_2_01134632
Source: C:\Users\user\Desktop\t.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\t.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\t.exe | Memory written: C:\Users\user\Desktop\t.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\t.exe | Process created: C:\Users\user\Desktop\t.exe C:\Users\user\Desktop\t.exe
Source: C:\Users\user\Desktop\t.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: t.exe, 00000003.00000002.948437161.00000000015E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: t.exe, 00000003.00000002.948437161.00000000015E0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: t.exe, 00000003.00000002.948437161.00000000015E0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: t.exe, 00000003.00000002.948437161.00000000015E0000.00000002.00000001.sdmp | Binary or memory string: =Program Managerb

Source: C:\Users\user\Desktop\t.exe | Queries volume information: C:\Users\user\Desktop\t.exe VolumeInformation
Source: C:\Users\user\Desktop\t.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\t.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\t.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\t.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\t.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\t.exe | Code function: 3_2_01132130 GetUserNameW,3_2_01132130
Source: C:\Users\user\Desktop\t.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\Desktop\t.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.557190814.0000000004488000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.555974166.0000000004210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.946745136.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.948833983.0000000002C10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.949208599.0000000002D1A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.556986028.0000000004415000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.554794400.0000000003210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: t.exe PID: 316, type: MEMORY
Source: Yara match | File source: Process Memory Space: t.exe PID: 2700, type: MEMORY
Source: Yara match | File source: 3.2.t.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\t.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal WLAN passwords
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\Desktop\t.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\t.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\t.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\t.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\t.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\t.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\t.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000003.00000002.948833983.0000000002C10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: t.exe PID: 316, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.557190814.0000000004488000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.555974166.0000000004210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.946745136.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.948833983.0000000002C10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.949208599.0000000002D1A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.556986028.0000000004415000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.554794400.0000000003210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: t.exe PID: 316, type: MEMORY
Source: Yara match | File source: Process Memory Space: t.exe PID: 2700, type: MEMORY
Source: Yara match | File source: 3.2.t.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Techniques are listed per tactic column; the digits that follow a technique name are the badge counts the report attached to techniques it observed in this sample.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service
Execution: Windows Management Instrumentation 221; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts
Privilege Escalation: Process Injection 112; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection
Defense Evasion: Software Packing 3; Disabling Security Tools 11; Virtualization/Sandbox Evasion 13; Process Injection 112; Obfuscated Files or Information 2; DLL Search Order Hijacking; Software Packing; Indicator Blocking
Credential Access: Credential Dumping 2; Credentials in Registry 1; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History
Discovery: Virtualization/Sandbox Evasion 13; Process Discovery 2; Application Window Discovery 1; Account Discovery 1; System Owner/User Discovery 1; Security Software Discovery 121; Remote System Discovery 1; System Information Discovery 114
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol
Collection: Email Collection 1; Data from Local System 2; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol
Command and Control: Standard Cryptographic Protocol 1; Uncommonly Used Port 1; Standard Non-Application Layer Protocol 1; Standard Application Layer Protocol 11; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

[Behavior Graph ID: 234304; interactive graph not reproduced. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet]