
Analysis Report lNCyFjhn7M

Overview

General Information

Sample Name: lNCyFjhn7M (renamed file extension from none to exe)
Analysis ID: 356766
MD5: 1ad8213451de5daa4ad536cd9c70e9ce
SHA1: 62c394dfc3094044454f0d25775ca87e6749787e
SHA256: 152dabf84b039a8c1412d8dea323051ee96b1696c3e551a049801c8a320d23e7
Tags: AgentTesla

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • lNCyFjhn7M.exe (PID: 6996 cmdline: 'C:\Users\user\Desktop\lNCyFjhn7M.exe' MD5: 1AD8213451DE5DAA4AD536CD9C70E9CE)
    • lNCyFjhn7M.exe (PID: 7036 cmdline: C:\Users\user\Desktop\lNCyFjhn7M.exe MD5: 1AD8213451DE5DAA4AD536CD9C70E9CE)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "E943pmspWkN", "URL: ": "https://femFzmplqt.net", "To: ": "", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "RgZuUQv5z", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000001.00000002.589195869.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(4 entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.lNCyFjhn7M.exe.3ec88a0.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.lNCyFjhn7M.exe.3ec88a0.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.lNCyFjhn7M.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.lNCyFjhn7M.exe.3d6bdd0.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.lNCyFjhn7M.exe.3dc95f0.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(1 entry not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: lNCyFjhn7M.exe.7036.1.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "E943pmspWkN", "URL: ": "https://femFzmplqt.net", "To: ": "", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "RgZuUQv5z", "From: ": ""}
Multi AV Scanner detection for submitted file
Source: lNCyFjhn7M.exe | Metadefender: Detection: 21%
Source: lNCyFjhn7M.exe | ReversingLabs: Detection: 62%
Source: 1.2.lNCyFjhn7M.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: lNCyFjhn7M.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: lNCyFjhn7M.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: mscorrc.pdb source: lNCyFjhn7M.exe, 00000000.00000002.328365675.0000000004E90000.00000002.00000001.sdmp, lNCyFjhn7M.exe, 00000001.00000002.590216922.00000000012C0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 4x nop then jmp 04E0BB61h
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://femFzmplqt.net
Source: global traffic | TCP traffic: 192.168.2.6:49751 -> 66.70.204.222:587
Source: Joe Sandbox View | IP Address: 66.70.204.222 66.70.204.222
Source: Joe Sandbox View | ASN Name: OVHFR OVHFR
Source: global traffic | TCP traffic: 192.168.2.6:49751 -> 66.70.204.222:587
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_0117A09A recv,
Source: unknown | DNS traffic detected: queries for: mail.hybridgroupco.com
Source: lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp | String found in binary or memory: http://cfWnht.com
Source: lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp | String found in binary or memory: https://femFzmplqt.net
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: lNCyFjhn7M.exe, 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp, lNCyFjhn7M.exe, 00000001.00000002.589195869.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 1.2.lNCyFjhn7M.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b2541D03Bu002dC05Au002d4A3Bu002dB0FDu002d61EAF17A97E9u007d/u0034E1BA1C7u002d80DBu002d446Bu002d895Cu002d57E0865F0350.cs | Large array initialization: .cctor: array initializer size 11963
.NET source code contains very large strings
Source: lNCyFjhn7M.exe, Form1.cs | Long String: Length: 13656
Source: 0.2.lNCyFjhn7M.exe.540000.0.unpack, Form1.cs | Long String: Length: 13656
Source: 0.0.lNCyFjhn7M.exe.540000.0.unpack, Form1.cs | Long String: Length: 13656
Source: 1.2.lNCyFjhn7M.exe.890000.1.unpack, Form1.cs | Long String: Length: 13656
Source: 1.0.lNCyFjhn7M.exe.890000.0.unpack, Form1.cs | Long String: Length: 13656
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_0117B0BA NtQuerySystemInformation,
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_0117B089 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 0_2_04E03850
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 0_2_04E03648
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 0_2_04E0AF90
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 0_2_04E09F70
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 0_2_04E04529
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 0_2_04E04538
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 0_2_04E042F0
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 0_2_04E042DF
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 0_2_04E0424D
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 0_2_04E03638
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 0_2_04E09F61
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 0_2_04E00A28
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 0_2_04E00A18
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_012B4060
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_012BA27A
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_012B6B48
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_012B5244
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_012BA058
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_012B28E0
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_0515F158
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_05157B60
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_0515D768
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_05157290
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_05156498
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_05157AB2
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_05B70679
Source: lNCyFjhn7M.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lNCyFjhn7M.exe, 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamercGeguBNXNlIGogKUXwddetDKLGbJb.exe4 vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000000.00000000.321220967.0000000000628000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStaticIndexRangePartitionForIList.exeN vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000000.00000002.328365675.0000000004E90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000001.00000002.589458599.0000000000978000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStaticIndexRangePartitionForIList.exeN vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000001.00000002.590216922.00000000012C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000001.00000002.589195869.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamercGeguBNXNlIGogKUXwddetDKLGbJb.exe4 vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000001.00000002.590185619.0000000001280000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000001.00000002.594298776.00000000053D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe | Binary or memory string: OriginalFilenameStaticIndexRangePartitionForIList.exeN vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: lNCyFjhn7M.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1.2.lNCyFjhn7M.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.lNCyFjhn7M.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: lNCyFjhn7M.exe, Form1.cs | Base64 encoded string: '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
Source: 0.2.lNCyFjhn7M.exe.540000.0.unpack, Form1.cs | Base64 encoded string: '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
Source: 0.0.lNCyFjhn7M.exe.540000.0.unpack, Form1.cs | Base64 encoded string: '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
Source: 1.2.lNCyFjhn7M.exe.890000.1.unpack, Form1.cs | Base64 encoded string: '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
                      Source: 1.0.lNCyFjhn7M.exe.890000.0.unpack, Form1.csBase64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOO
LbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/2
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_0117AF3E AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_0117AF07 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\lNCyFjhn7M.exe.log
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: lNCyFjhn7M.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: lNCyFjhn7M.exe, 00000000.00000000.321030949.0000000000542000.00000002.00020000.sdmp, lNCyFjhn7M.exe, 00000001.00000000.324216545.0000000000892000.00000002.00020000.sdmp | Binary or memory string: Select distinct emp_id as Employee_ID,names as Employee_Name,age as Age,gender as Gender,dob as Date_of_Birth,date as Date_of_Registration,title as Title,proffession as Proffession,contact as Contact,email as Email_Address,residence as Residence,mstatus as Martial_Status,username as User_Name,time as Time from employee order by dob;
Source: lNCyFjhn7M.exe | Binary or memory string: SELECT `immun_id`, `at_birth`, `at_one_month`, `at_three_month`, `at_six_months`, `date`, `officer` FROM `baby_immunization`;
Source: lNCyFjhn7M.exe, 00000000.00000000.321030949.0000000000542000.00000002.00020000.sdmp, lNCyFjhn7M.exe, 00000001.00000000.324216545.0000000000892000.00000002.00020000.sdmp | Binary or memory string: SELECT `childbirthid`, `nin`, `admissiondate`, `deiverydate`, `time_of_delivery`, `type_of_delivery`, `number_of_babies`, `delivery`, `healthofficer`, `compilication`, `vitimingiven`, `discahgredate`, `nextappointment` FROM `childbirth`;
Source: lNCyFjhn7M.exe, 00000000.00000000.321030949.0000000000542000.00000002.00020000.sdmp, lNCyFjhn7M.exe, 00000001.00000000.324216545.0000000000892000.00000002.00020000.sdmp | Binary or memory string: SELECT `baby_id`, `name`, `time_of_birth`, `weight`, `body_parts_exam`, `gender1`, `skin_color`, `breast_feeding`, `cdofbaby_on_discharge2`, `name2`, `time_of_birth2`, `weight2`, `body_parts_exams2`, `gender2`, `skin_color2`, `breast_feeding2` FROM `baby`;
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: lNCyFjhn7M.exe, 00000001.00000002.591059491.0000000003012000.00000004.00000001.sdmp | Binary or memory string: SELECT * FROM Win32_Processor(>;n
Source: lNCyFjhn7M.exe, 00000000.00000000.321030949.0000000000542000.00000002.00020000.sdmp, lNCyFjhn7M.exe, 00000001.00000000.324216545.0000000000892000.00000002.00020000.sdmp | Binary or memory string: Select distinct mm_id as MORTALITY_ID, cases as CASES_NUMBER,cause_of_death as CAUSE_OF_DEATH,time_of_death as TIME_OF_DEATH,date_of_death as DEATH_DATE from mortality order by date_of_death;
Source: lNCyFjhn7M.exe, 00000000.00000000.321030949.0000000000542000.00000002.00020000.sdmp, lNCyFjhn7M.exe, 00000001.00000000.324216545.0000000000892000.00000002.00020000.sdmp | Binary or memory string: Select distinct `nin_id`, `admission_date`, `delivery_time`, `delivery_type`, `numberof_babies`, `healthofficer`, `complication`, `vitim_given`, `dischagre_date`, `nextappointment`, `address` from `mother`;
Source: lNCyFjhn7M.exe | Metadefender: Detection: 21%
Source: lNCyFjhn7M.exe | ReversingLabs: Detection: 62%
Source: unknown | Process created: C:\Users\user\Desktop\lNCyFjhn7M.exe 'C:\Users\user\Desktop\lNCyFjhn7M.exe'
Source: unknown | Process created: C:\Users\user\Desktop\lNCyFjhn7M.exe C:\Users\user\Desktop\lNCyFjhn7M.exe
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Process created: C:\Users\user\Desktop\lNCyFjhn7M.exe C:\Users\user\Desktop\lNCyFjhn7M.exe
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: lNCyFjhn7M.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: lNCyFjhn7M.exe | Static file information: File size 1058816 > 1048576
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: lNCyFjhn7M.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: lNCyFjhn7M.exe, 00000000.00000002.328365675.0000000004E90000.00000002.00000001.sdmp, lNCyFjhn7M.exe, 00000001.00000002.590216922.00000000012C0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: lNCyFjhn7M.exe, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.lNCyFjhn7M.exe.540000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.lNCyFjhn7M.exe.540000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.lNCyFjhn7M.exe.890000.1.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.lNCyFjhn7M.exe.890000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 0_2_00544C70 push 28060000h; retf 0000h
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_00894C70 push 28060000h; retf 0000h
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_05A441D8 push cs; retf
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_05A44164 push cs; retf
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_05A4424B push cs; retf
Source: initial sample | Static PE information: section name: .text entropy: 7.44014806301

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Icon mismatch, binary includes an icon from a different legit application in order to fool usersShow sources
                      Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: download (50).png
                      Source: C:\Users\user\Desktop\lNCyFjhn7M.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\lNCyFjhn7M.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\lNCyFjhn7M.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\lNCyFjhn7M.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\lNCyFjhn7M.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\lNCyFjhn7M.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\lNCyFjhn7M.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\lNCyFjhn7M.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\lNCyFjhn7M.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: lNCyFjhn7M.exe PID: 6996, type: MEMORY
Source: Yara match | File source: 0.2.lNCyFjhn7M.exe.2c1f204.1.raw.unpack, type: UNPACKEDPE
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Function Chain: systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,systemQueried,memAlloc,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Window / User API: threadDelayed 693
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 7000 | Thread sleep time: -102800s >= -30000s
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 7024 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 6224 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 6224 | Thread sleep count: 693 > 30
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 6224 | Thread sleep time: -20790000s >= -30000s
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 6224 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Last function: Thread delayed
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: lNCyFjhn7M.exe, 00000001.00000002.594298776.00000000053D0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: lNCyFjhn7M.exe, 00000001.00000002.594298776.00000000053D0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: lNCyFjhn7M.exe, 00000001.00000002.594298776.00000000053D0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: lNCyFjhn7M.exe, 00000001.00000002.594298776.00000000053D0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Code function: 1_2_012B24F8 LdrInitializeThunk,
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Memory written: C:\Users\user\Desktop\lNCyFjhn7M.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Process created: C:\Users\user\Desktop\lNCyFjhn7M.exe C:\Users\user\Desktop\lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000001.00000002.590281124.00000000016C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: lNCyFjhn7M.exe, 00000001.00000002.590281124.00000000016C0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: lNCyFjhn7M.exe, 00000001.00000002.590281124.00000000016C0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: lNCyFjhn7M.exe, 00000001.00000002.590281124.00000000016C0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.589195869.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: lNCyFjhn7M.exe PID: 7036, type: MEMORY
Source: Yara match | File source: Process Memory Space: lNCyFjhn7M.exe PID: 6996, type: MEMORY
Source: Yara match | File source: 0.2.lNCyFjhn7M.exe.3ec88a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lNCyFjhn7M.exe.3ec88a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.lNCyFjhn7M.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lNCyFjhn7M.exe.3d6bdd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lNCyFjhn7M.exe.3dc95f0.4.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: lNCyFjhn7M.exe PID: 7036, type: MEMORY

                      Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.589195869.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: lNCyFjhn7M.exe PID: 7036, type: MEMORY
Source: Yara match | File source: Process Memory Space: lNCyFjhn7M.exe PID: 6996, type: MEMORY
Source: Yara match | File source: 0.2.lNCyFjhn7M.exe.3ec88a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lNCyFjhn7M.exe.3ec88a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.lNCyFjhn7M.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lNCyFjhn7M.exe.3d6bdd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lNCyFjhn7M.exe.3dc95f0.4.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Access Token Manipulation 1 | Disable or Modify Tools 11 | OS Credential Dumping 2 | System Information Discovery 114 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Process Injection 112 | Deobfuscate/Decode Files or Information 1 | Credentials in Registry 1 | Query Registry 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 31 | Security Account Manager | Security Software Discovery 211 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 13 | NTDS | Virtualization/Sandbox Evasion 13 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 11 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 111 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 13 | Cached Domain Credentials | Application Window Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation 1 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 112 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue

                      Behavior Graph


                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
lNCyFjhn7M.exe | 27% | Metadefender |
lNCyFjhn7M.exe | 62% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
1.2.lNCyFjhn7M.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
https://femFzmplqt.net | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://cfWnht.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
hybridgroupco.com | 66.70.204.222 | true | true | | unknown
mail.hybridgroupco.com | unknown | unknown | true | | unknown

                          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://femFzmplqt.net | true | Avira URL Cloud: safe | unknown

                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://cfWnht.com | lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | lNCyFjhn7M.exe, 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp, lNCyFjhn7M.exe, 00000001.00000002.589195869.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp | false | | high

                            Contacted IPs


                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
66.70.204.222 | unknown | Canada | 16276 | OVHFR | true

                            Private

                            IP
                            192.168.2.1

                            General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356766
Start date: 23.02.2021
Start time: 16:19:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 52s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: lNCyFjhn7M (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@1/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                            • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 51.104.139.180, 13.64.90.137, 40.88.32.150, 52.255.188.83, 23.211.6.115, 13.88.21.125, 8.248.131.254, 8.248.145.254, 8.248.115.254, 67.27.157.254, 67.27.157.126, 52.155.217.156, 51.103.5.159, 20.54.26.129, 92.122.213.247, 92.122.213.194, 51.104.144.132, 184.30.24.56
                            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/356766/sample/lNCyFjhn7M.exe

                            Simulations

                            Behavior and APIs

Time | Type | Description
16:20:00 | API Interceptor | 1017x Sleep call for process: lNCyFjhn7M.exe modified

                            Joe Sandbox View / Context

                            IPs

Match | Associated Sample Name / URL | Detection
66.70.204.222 | Purchase Order___pdf ____________.exe | malicious
66.70.204.222 | KUmKV28Ffx.exe | malicious
66.70.204.222 | vWr4r97uMA.exe | malicious
66.70.204.222 | 6UYAC8WAoJ.exe | malicious
66.70.204.222 | yTPzcGHfBU.exe | malicious
66.70.204.222 | vJsYQ8IJVIyRNtZ.exe | malicious
66.70.204.222 | SCAN G-0034905.EXE | malicious
66.70.204.222 | TT swift copy.xlsx | malicious
66.70.204.222 | RFQ_N0000000002.exe | malicious
66.70.204.222 | SecuriteInfo.com.generic.ml.exe | malicious
66.70.204.222 | Advance import payment swift.xlsx | malicious
66.70.204.222 | Swift-Copy.exe | malicious
66.70.204.222 | 6Tr3ZITOfx.exe | malicious
66.70.204.222 | Proforma-invoice.exe | malicious
66.70.204.222 | 2101-0006N.exe | malicious
66.70.204.222 | Invoice-3990993.exe | malicious
66.70.204.222 | PARTS REQUEST SO_30005141.exe | malicious
66.70.204.222 | Yu2iMnAJBdOGPyv.exe | malicious
66.70.204.222 | CONTRACT AGREEMENT.exe | malicious
66.70.204.222 | PARTS REQUEST SO_30005141.exe | malicious

                                                                    Domains

Match  Associated Sample Name / URL  SHA 256  Detection  Link  Context

                                                                    ASN

Match   Associated Sample Name / URL                                         Detection  Context
OVH FR  Product List.exe                                                     malicious  144.217.69.193
        tEQjO7fbhJ.dll                                                       malicious  37.187.115.122
        qRoUqXAvyz.dll                                                       malicious  37.187.115.122
        v9tWEeYg4u.dll                                                       malicious  37.187.115.122
        1sAKtAszhK.dll                                                       malicious  37.187.115.122
        ClfwZpeLXt.dll                                                       malicious  37.187.115.122
        svhost.exe                                                           malicious  54.37.11.130
        SBll8nnAVc.dll                                                       malicious  37.187.115.122
        SecuriteInfo.com.Variant.Zusy.368685.25375.exe                       malicious  51.68.21.188
        0O9BJfVJi6fEMoS.exe                                                  malicious  94.23.162.163
        SecuriteInfo.com.Variant.Zusy.368685.25618.exe                       malicious  51.68.21.186
        Payment Transfer Copy of $274,876.00 for the invoice shipments.exe   malicious  198.27.88.111
        Quotation Reques.exe                                                 malicious  51.83.43.226
        8TD8GfTtaW.exe                                                       malicious  51.68.21.186
        iKohUejteO.dll                                                       malicious  37.187.115.122
        PO No. 104393019_pdf.exe                                             malicious  51.195.53.221
        nTqV6fxGXT.exe                                                       malicious  51.254.175.184
        Purchase Order___pdf ____________.exe                                malicious  66.70.204.222
        File Downloader [14.5].apk                                           malicious  51.75.61.103
        PO_210222.exe                                                        malicious  213.186.33.5

                                                                    JA3 Fingerprints

                                                                    No context

                                                                    Dropped Files

                                                                    No context

                                                                    Created / dropped Files

                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\lNCyFjhn7M.exe.log
                                                                    Process:C:\Users\user\Desktop\lNCyFjhn7M.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):664
                                                                    Entropy (8bit):5.288448637977022
                                                                    Encrypted:false
                                                                    SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
                                                                    MD5:B1DB55991C3DA14E35249AEA1BC357CA
                                                                    SHA1:0DD2D91198FDEF296441B12F1A906669B279700C
                                                                    SHA-256:34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
                                                                    SHA-512:BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
                                                                    Malicious:true
                                                                    Reputation:moderate, very likely benign file
Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..

This file is the CLR's own assembly usage log, which the .NET 2.0 runtime writes for any managed process under %LOCALAPPDATA%\Microsoft\CLR_v2.0_32\UsageLogs; it is a by-product of execution rather than something the sample drops on purpose, which is why the reputation field still reads benign. Its forensic value is the list of native images the process bound to (System, Microsoft.VisualBasic, System.Drawing, System.Windows.Forms, System.Runtime.Remoting), a set consistent with a VB.NET / Windows Forms build.

                                                                    Static File Info

                                                                    General

                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):7.345872374885046
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                    File name:lNCyFjhn7M.exe
                                                                    File size:1058816
                                                                    MD5:1ad8213451de5daa4ad536cd9c70e9ce
                                                                    SHA1:62c394dfc3094044454f0d25775ca87e6749787e
                                                                    SHA256:152dabf84b039a8c1412d8dea323051ee96b1696c3e551a049801c8a320d23e7
                                                                    SHA512:52e7b9c4458d0629599d9153c529840fa02100e20e4045b79be9647cc535defed5b7ba58013e66b59925e55b1041f96331e2a5d135c9fbb942754b48d148779a
                                                                    SSDEEP:24576:oeUFmaVji138QK0okoUXWX0f0QuTACN2N8T:w5sMyAN0f0vZ
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^Q3`..............P..F...........e... ........@.. ....................................@................................

                                                                    File Icon

                                                                    Icon Hash:68c8d0f0ccccf0d6

                                                                    Static PE Info

                                                                    General

                                                                    Entrypoint:0x4e658e
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                    Time Stamp:0x6033515E [Mon Feb 22 06:38:22 2021 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:v2.0.50727
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                    Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated for the rest of the preview: the bytes after the 6-byte stub are zeros, which disassemble as add byte ptr [eax], al)

The entrypoint is the standard managed-executable stub. Its only native instruction jumps through the IAT entry at 0x402000 (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, size 8) to the sole import, mscoree.dll!_CorExeMain, which starts the CLR. Everything the sample actually does lives in the IL, so the native entrypoint disassembly says nothing about the payload; analysis belongs in the decompiled managed code.

                                                                    Data Directories

Name                                 Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT         0xe653c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       0xe8000          0x1dd0c       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY       0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC      0x106000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS            0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT            0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED       0x0              0x0

                                                                    Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xe4594       0xe4600   False     0.703842321771   data       7.44014806301   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xe8000          0x1dd0c       0x1de00   False     0.439788179916   data       5.78915682536   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x106000         0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
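The Data Directories and Sections tables are produced by walking the PE headers. As an added example (not Joe Sandbox's code and not the sample's bytes), the stdlib-only Python below does the same walk: it resolves each data directory to its section (the "Is in Section" column), computes the per-section 8-bit entropy shown in the Entropy column, and checks that the entrypoint is the CLR loader stub described above. The built-in `build_sample_pe()` is a constructed stand-in that mirrors only the layout facts the tables give for this sample (8-byte IAT at RVA 0x2000, 0x48-byte COM descriptor at 0x2008, `jmp dword ptr [IAT]` at the entrypoint); its section flags, sizes and contents are assumptions. Pass a real file as the first argument to run the same checks on an actual binary.

```python
import math
import struct
from typing import List, Optional, Tuple

DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
             "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
IMAGE_BASE = 0x400000


def build_sample_pe() -> bytes:
    """Constructed stand-in (assumption, not the real sample): PE32 with an 8-byte
    IAT at RVA 0x2000, a 0x48-byte CLR header at 0x2008, the managed stub
    jmp dword ptr [0x402000] at 0x2050, and a .rsrc holding every byte value twice."""
    text = bytearray(0x200)
    text[0x50:0x56] = b"\xff\x25" + struct.pack("<I", IMAGE_BASE + 0x2000)
    rsrc = bytes(range(256)) * 2
    sections = [(b".text", 0x2000, bytes(text), 0x60000020),
                (b".rsrc", 0x3000, rsrc, 0x40000040)]
    dirs = [(0, 0)] * 16
    dirs[2], dirs[12], dirs[14] = (0x3000, len(rsrc)), (0x2000, 0x8), (0x2008, 0x48)
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10b, 8, 0, len(text), len(rsrc), 0, 0x2050,
                      0x2000, 0x3000, IMAGE_BASE, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                      0, 0x4000, 0x200, 0, 2, 0x8540, 0x100000, 0x1000, 0x100000,
                      0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    coff = struct.pack("<HHIIIHH", 0x14c, len(sections), 0, 0, 0, len(opt), 0x102)
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew
    hdr[0x40:0x40 + 248] = b"PE\0\0" + coff + opt     # 4 + 20 + 224 bytes
    off, raw, body = 0x40 + 248, 0x200, b""
    for name, rva, data, flags in sections:
        hdr[off:off + 40] = struct.pack("<8sIIIIIIHHI", name, len(data), rva, len(data),
                                        raw, 0, 0, 0, 0, flags)
        off, raw, body = off + 40, raw + len(data), body + data
    return bytes(hdr) + body


def parse_pe(data: bytes) -> dict:
    """Entry point, image base, data directories and section table of a PE32."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10b:
        raise ValueError("only PE32 images are handled here")
    entry, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    ndirs, = struct.unpack_from("<I", data, opt + 92)
    dirs = {DIR_NAMES[i]: struct.unpack_from("<II", data, opt + 96 + 8 * i)
            for i in range(min(ndirs, 16))}
    sections = []
    for i in range(nsec):  # section headers follow the optional header, 40 bytes each
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": data[rawptr:rawptr + rawsize]})
    return {"entry": entry, "image_base": image_base, "dirs": dirs, "sections": sections}


def section_for_rva(pe: dict, rva: int) -> Optional[dict]:
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], len(s["raw"])):
            return s
    return None


def entropy(buf: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the figure in the Entropy column."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def directory_table(pe: dict) -> List[Tuple[str, int, int, str]]:
    """(name, rva, size, section) rows; section is '' for an empty directory."""
    rows = []
    for name, (rva, size) in pe["dirs"].items():
        sec = section_for_rva(pe, rva) if size else None
        rows.append((name, rva, size, sec["name"] if sec else ""))
    return rows


def managed_entry_stub(pe: dict) -> bool:
    """True when the entrypoint is FF 25 (jmp dword ptr [abs]) aimed at the IAT,
    the IAT directory is 8 bytes and the COM descriptor is the 0x48-byte CLR header."""
    sec = section_for_rva(pe, pe["entry"])
    if sec is None:
        return False
    code = sec["raw"][pe["entry"] - sec["va"]:][:6]
    if len(code) != 6 or code[:2] != b"\xff\x25":
        return False
    target, = struct.unpack("<I", code[2:])
    iat_rva, iat_size = pe["dirs"].get("IAT", (0, 0))
    clr_size = pe["dirs"].get("COM_DESCRIPTOR", (0, 0))[1]
    return target == pe["image_base"] + iat_rva and iat_size == 8 and clr_size == 0x48


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    image = parse_pe(blob)
    print("managed CLR entry stub:", managed_entry_stub(image))
    for row in directory_table(image):
        print("%-16s rva=%#x size=%#x %s" % row)
    for s in image["sections"]:
        print("%-8s va=%#x entropy=%.2f" % (s["name"], s["va"], entropy(s["raw"])))
```

A .text entropy of 7.44, as in the Sections table above, is well above the 5 to 6 bits per byte that plain IL and metadata normally produce, and is what a section looks like when it carries a large compressed or encrypted blob in static data; that number, not the native entrypoint, is the static hint that the visible assembly is a loader for something it decrypts at run time.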

                                                                    Resources

Name           RVA       Size     Type
RT_ICON        0xe8220   0x918d   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0xf13b0   0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 16777215, next used block 16777215
RT_ICON        0xf3958   0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 16777215, next used block 16777215
RT_ICON        0xf4a00   0x468    GLS_BINARY_LSB_FIRST
RT_ICON        0xf4e68   0x10828  data
RT_GROUP_ICON  0x105690  0x4c     data
RT_GROUP_ICON  0x1056dc  0x14     data
RT_VERSION     0x1056f0  0x42e    data
RT_MANIFEST    0x105b20  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

The Language and Country columns are empty for every entry. The "dBase IV DBT" and "GLS_BINARY_LSB_FIRST" types are libmagic guesses on headerless icon bitmap data (RT_ICON resources store the DIB without a BITMAPFILEHEADER), not embedded databases. A group icon directory is 6 bytes plus 14 bytes per image, so the 0x4c-byte RT_GROUP_ICON references five images, i.e. all five RT_ICON resources including the 256 x 256 PNG, while the 0x14-byte one references a single image.

                                                                    Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                                    Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2009 by Dan Ariely
Assembly Version  30.4.0.0
InternalName      StaticIndexRangePartitionForIList.exe
FileVersion       30.4.0.0
CompanyName       Book by Dan Ariely
LegalTrademarks   HarperCollins
Comments          HarperCollins
ProductName       Predictably Irrational
ProductVersion    30.4.0.0
FileDescription   Predictably Irrational
OriginalFilename  StaticIndexRangePartitionForIList.exe

                                                                    Network Behavior

                                                                    Network Port Distribution

                                                                    TCP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Feb 23, 2021 16:21:31.318799973 CET  49751        587        192.168.2.6    66.70.204.222
Feb 23, 2021 16:21:31.456989050 CET  587          49751      66.70.204.222  192.168.2.6
Feb 23, 2021 16:21:31.457139969 CET  49751        587        192.168.2.6    66.70.204.222
Feb 23, 2021 16:21:31.665958881 CET  49751        587        192.168.2.6    66.70.204.222
Feb 23, 2021 16:21:31.718816996 CET  587          49751      66.70.204.222  192.168.2.6
Feb 23, 2021 16:21:31.719008923 CET  49751        587        192.168.2.6    66.70.204.222
Feb 23, 2021 16:21:31.803447008 CET  587          49751      66.70.204.222  192.168.2.6
Feb 23, 2021 16:21:31.803639889 CET  49751        587        192.168.2.6    66.70.204.222
Feb 23, 2021 16:21:31.803764105 CET  587          49751      66.70.204.222  192.168.2.6
Feb 23, 2021 16:21:31.803836107 CET  49751        587        192.168.2.6    66.70.204.222

Port 587 is the SMTP submission port. This single session from the analysis VM (192.168.2.6) to 66.70.204.222:587, opened at 16:21:31, about a hundred seconds after the first DNS lookups below, is the only non-DNS traffic listed, and the same address appears in the IPs context table above against many other malicious submissions.

                                                                    UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Feb 23, 2021 16:19:52.792135000 CET  58377        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:19:52.820775986 CET  55074        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:19:52.842531919 CET  53           58377      8.8.8.8      192.168.2.6
Feb 23, 2021 16:19:52.872036934 CET  53           55074      8.8.8.8      192.168.2.6
Feb 23, 2021 16:19:53.203574896 CET  54513        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:19:53.252281904 CET  53           54513      8.8.8.8      192.168.2.6
Feb 23, 2021 16:19:54.607425928 CET  62044        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:19:54.658279896 CET  53           62044      8.8.8.8      192.168.2.6
Feb 23, 2021 16:19:55.402612925 CET  63791        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:19:55.454396963 CET  53           63791      8.8.8.8      192.168.2.6
Feb 23, 2021 16:19:56.085376024 CET  64267        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:19:56.155441046 CET  53           64267      8.8.8.8      192.168.2.6
Feb 23, 2021 16:19:56.271311998 CET  49448        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:19:56.323894024 CET  53           49448      8.8.8.8      192.168.2.6
Feb 23, 2021 16:19:57.539115906 CET  60342        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:19:57.590812922 CET  53           60342      8.8.8.8      192.168.2.6
Feb 23, 2021 16:19:58.791845083 CET  61346        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:19:58.840635061 CET  53           61346      8.8.8.8      192.168.2.6
Feb 23, 2021 16:20:00.154516935 CET  51774        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:20:00.205974102 CET  53           51774      8.8.8.8      192.168.2.6
Feb 23, 2021 16:20:02.735378027 CET  56023        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:20:02.792649031 CET  53           56023      8.8.8.8      192.168.2.6
Feb 23, 2021 16:20:03.938746929 CET  58384        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:20:03.990463972 CET  53           58384      8.8.8.8      192.168.2.6
Feb 23, 2021 16:20:05.118819952 CET  60261        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:20:05.170947075 CET  53           60261      8.8.8.8      192.168.2.6
Feb 23, 2021 16:20:06.277662992 CET  56061        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:20:06.328031063 CET  53           56061      8.8.8.8      192.168.2.6
Feb 23, 2021 16:20:07.139245987 CET  58336        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:20:07.190906048 CET  53           58336      8.8.8.8      192.168.2.6
Feb 23, 2021 16:20:08.570271969 CET  53781        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:20:08.619371891 CET  53           53781      8.8.8.8      192.168.2.6
Feb 23, 2021 16:20:09.345731974 CET  54064        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:20:09.397114992 CET  53           54064      8.8.8.8      192.168.2.6
Feb 23, 2021 16:20:10.477902889 CET  52811        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:20:10.526721954 CET  53           52811      8.8.8.8      192.168.2.6
Feb 23, 2021 16:20:11.701636076 CET  55299        53         192.168.2.6  8.8.8.8
Feb 23, 2021 16:20:11.753155947 CET  53           55299      8.8.8.8      192.168.2.6
                                                                    Feb 23, 2021 16:20:13.449300051 CET6374553192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:13.497988939 CET53637458.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:20:15.916193962 CET5005553192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:15.967675924 CET53500558.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:20:18.307005882 CET6137453192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:18.367248058 CET53613748.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:20:29.234811068 CET5033953192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:29.286530018 CET53503398.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:20:48.007652044 CET6330753192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:48.076380968 CET53633078.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:20:48.227662086 CET4969453192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:48.282083988 CET53496948.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:20:49.480954885 CET5498253192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:49.557606936 CET53549828.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:20:50.114592075 CET5001053192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:50.176856995 CET53500108.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:20:50.295696020 CET6371853192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:50.352776051 CET53637188.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:20:50.758799076 CET6211653192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:50.837150097 CET53621168.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:20:51.097122908 CET6381653192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:51.171380997 CET53638168.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:20:51.273034096 CET5501453192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:51.336597919 CET53550148.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:20:51.807199001 CET6220853192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:51.869164944 CET53622088.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:20:52.487684965 CET5757453192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:52.552273989 CET53575748.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:20:53.173250914 CET5181853192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:53.233581066 CET53518188.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:20:54.306849003 CET5662853192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:54.361346960 CET53566288.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:20:55.820264101 CET6077853192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:55.884043932 CET53607788.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:20:56.319617987 CET5379953192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:56.381660938 CET53537998.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:20:56.967324972 CET5468353192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:20:57.028439045 CET53546838.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:21:26.924931049 CET5932953192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:21:26.973581076 CET53593298.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:21:27.380459070 CET6402153192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:21:27.452419043 CET53640218.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:21:31.233412981 CET5612953192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:21:31.303832054 CET53561298.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:21:33.438165903 CET5817753192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:21:33.501554966 CET53581778.8.8.8192.168.2.6
                                                                    Feb 23, 2021 16:21:51.188939095 CET5070053192.168.2.68.8.8.8
                                                                    Feb 23, 2021 16:21:51.237684011 CET53507008.8.8.8192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 23, 2021 16:21:31.233412981 CET | 192.168.2.6 | 8.8.8.8 | 0x4a25 | Standard query (0) | mail.hybridgroupco.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 23, 2021 16:21:31.303832054 CET | 8.8.8.8 | 192.168.2.6 | 0x4a25 | No error (0) | mail.hybridgroupco.com | hybridgroupco.com | - | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 16:21:31.303832054 CET | 8.8.8.8 | 192.168.2.6 | 0x4a25 | No error (0) | hybridgroupco.com | - | 66.70.204.222 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Feb 23, 2021 16:21:31.718816996 CET | 587 | 49751 | 66.70.204.222 | 192.168.2.6 | 220-server.wlcserver.com ESMTP Exim 4.93 #2 Tue, 23 Feb 2021 19:21:31 +0400
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Feb 23, 2021 16:21:31.803447008 CET | 587 | 49751 | 66.70.204.222 | 192.168.2.6 | 421 server.wlcserver.com lost input connection

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 16:19:59
Start date: 23/02/2021
Path: C:\Users\user\Desktop\lNCyFjhn7M.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\lNCyFjhn7M.exe'
Imagebase: 0x540000
File size: 1058816 bytes
MD5 hash: 1AD8213451DE5DAA4AD536CD9C70E9CE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 16:20:00
Start date: 23/02/2021
Path: C:\Users\user\Desktop\lNCyFjhn7M.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\lNCyFjhn7M.exe
Imagebase: 0x890000
File size: 1058816 bytes
MD5 hash: 1AD8213451DE5DAA4AD536CD9C70E9CE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.589195869.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis
