
Analysis Report 1g1NLI6i33.exe

Overview

General Information

Sample Name: 1g1NLI6i33.exe
Analysis ID: 404206
MD5: d0a8c2403c51ea96d820dcd443f1aaab
SHA1: 825a057b9218a956a632bdd563056be37bfc0c10
SHA256: 0c397ebc470f59440b6a317a88a2592c0b05057cea1ff2f31b9fdde549971aee
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • 1g1NLI6i33.exe (PID: 7020 cmdline: 'C:\Users\user\Desktop\1g1NLI6i33.exe' MD5: D0A8C2403C51EA96D820DCD443F1AAAB)
    • 1g1NLI6i33.exe (PID: 7060 cmdline: 'C:\Users\user\Desktop\1g1NLI6i33.exe' MD5: D0A8C2403C51EA96D820DCD443F1AAAB)
  • vsbqyetogexvl.exe (PID: 6712 cmdline: 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe' MD5: D0A8C2403C51EA96D820DCD443F1AAAB)
    • vsbqyetogexvl.exe (PID: 900 cmdline: 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe' MD5: D0A8C2403C51EA96D820DCD443F1AAAB)
  • vsbqyetogexvl.exe (PID: 6956 cmdline: 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe' MD5: D0A8C2403C51EA96D820DCD443F1AAAB)
    • vsbqyetogexvl.exe (PID: 6584 cmdline: 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe' MD5: D0A8C2403C51EA96D820DCD443F1AAAB)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "elliech@orlonimages.comchidiebere2419us2.smtp.mailhostbox.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.917550398.0000000004992000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000009.00000002.915225171.00000000034E1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.703927470.00000000006CA000.00000004.00000020.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.704176469.0000000002531000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.704176469.0000000002531000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(27 entries in total; the first 5 are shown)

            Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.1g1NLI6i33.exe.23d0000.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.1g1NLI6i33.exe.24f0000.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.2.vsbqyetogexvl.exe.6e6240.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.2.vsbqyetogexvl.exe.4970000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.2.vsbqyetogexvl.exe.415058.0.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(46 entries in total; the first 5 are shown)

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      AV Detection:

Found malware configuration
Source: 7.1.vsbqyetogexvl.exe.415058.1.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "elliech@orlonimages.comchidiebere2419us2.smtp.mailhostbox.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | ReversingLabs: Detection: 42%
Multi AV Scanner detection for submitted file
Source: 1g1NLI6i33.exe | Virustotal: Detection: 28%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 1g1NLI6i33.exe | Joe Sandbox ML: detected
Source: 7.2.vsbqyetogexvl.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.2.1g1NLI6i33.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.1.vsbqyetogexvl.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 7.2.vsbqyetogexvl.exe.49b0000.5.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.2.1g1NLI6i33.exe.4990000.5.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.2.vsbqyetogexvl.exe.4960000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.1.vsbqyetogexvl.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.2.vsbqyetogexvl.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8

                      Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Unpacked PE file: 1.2.1g1NLI6i33.exe.4990000.5.unpack
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Unpacked PE file: 9.2.vsbqyetogexvl.exe.4960000.6.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Unpacked PE file: 1.2.1g1NLI6i33.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Unpacked PE file: 7.2.vsbqyetogexvl.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Unpacked PE file: 9.2.vsbqyetogexvl.exe.400000.1.unpack
Source: 1g1NLI6i33.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1g1NLI6i33.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP | source: 1g1NLI6i33.exe, 00000000.00000003.645643338.00000000033B0000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000006.00000003.682137775.0000000003240000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000008.00000003.695201365.0000000003200000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: 1g1NLI6i33.exe, 00000000.00000003.645643338.00000000033B0000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000006.00000003.682137775.0000000003240000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000008.00000003.695201365.0000000003200000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 0_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 0_2_0040659C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 0_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 7_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 7_1_00404A29 FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 9_2_00404A29 FindFirstFileExW,
Source: global traffic | TCP traffic: 192.168.2.4:49768 -> 208.91.199.224:587
Source: Joe Sandbox View | IP Address: 208.91.199.224 208.91.199.224
Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: 1g1NLI6i33.exe, 00000001.00000002.914206758.0000000002551000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000007.00000002.704176469.0000000002531000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.913898804.00000000024E1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vsbqyetogexvl.exe, 00000009.00000002.914620731.000000000280A000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.913898804.00000000024E1000.00000004.00000001.sdmp | String found in binary or memory: http://1UVMV9Y76P8yRzwJn.net
Source: vsbqyetogexvl.exe, 00000009.00000002.913898804.00000000024E1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: 1g1NLI6i33.exe, 00000001.00000002.914864176.00000000028AD000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.918526939.0000000005A95000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: vsbqyetogexvl.exe, 00000009.00000002.913898804.00000000024E1000.00000004.00000001.sdmp | String found in binary or memory: http://kVHmOE.com
Source: 1g1NLI6i33.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 1g1NLI6i33.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 1g1NLI6i33.exe, 00000001.00000002.914864176.00000000028AD000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.918526939.0000000005A95000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0A
Source: 1g1NLI6i33.exe, 00000001.00000002.914841865.00000000028A5000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.914664635.000000000283A000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: 1g1NLI6i33.exe, 00000001.00000002.914864176.00000000028AD000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.918526939.0000000005A95000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: vsbqyetogexvl.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: 1g1NLI6i33.exe, 00000001.00000002.914206758.0000000002551000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000007.00000002.704176469.0000000002531000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.913898804.00000000024E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 0_2_0040548D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

                      System Summary:

.NET source code contains very large array initializations
Source: 1.2.1g1NLI6i33.exe.4990000.5.unpack, <PrivateImplementationDetails>{C17428B6-FFF5-4075-A591-98F8482E88C5}/B3460D8F-441D-4B0D-9716-48CAFB425886.cs | Large array initialization: .cctor: array initializer size 11945
Source: 9.2.vsbqyetogexvl.exe.4960000.6.unpack, <PrivateImplementationDetails>{C17428B6-FFF5-4075-A591-98F8482E88C5}/B3460D8F-441D-4B0D-9716-48CAFB425886.cs | Large array initialization: .cctor: array initializer size 11945
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 0_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: String function: 00401ED0 appears 69 times
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: String function: 0040569E appears 54 times
Source: 1g1NLI6i33.exe, 00000000.00000003.650068345.0000000003386000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 1g1NLI6i33.exe
Source: 1g1NLI6i33.exe | Binary or memory string: OriginalFilename vs 1g1NLI6i33.exe
Source: 1g1NLI6i33.exe, 00000001.00000002.917550398.0000000004992000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamesaxoJzjHMNvhkvKVXjRlZ.exe4 vs 1g1NLI6i33.exe
Source: 1g1NLI6i33.exe, 00000001.00000002.918245692.00000000051F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 1g1NLI6i33.exe
Source: 1g1NLI6i33.exe, 00000001.00000002.918814474.0000000005800000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 1g1NLI6i33.exe
Source: 1g1NLI6i33.exe, 00000001.00000002.911420720.0000000000199000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 1g1NLI6i33.exe
Source: 1g1NLI6i33.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1.2.1g1NLI6i33.exe.4990000.5.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.vsbqyetogexvl.exe.4960000.6.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/13@2/1
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 0_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 0_2_0040473E GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | File created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | File created: C:\Users\user\AppData\Local\Temp\nsg55C0.tmp
Source: 1g1NLI6i33.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 1g1NLI6i33.exe | Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | File read: C:\Users\user\Desktop\1g1NLI6i33.exe
Source: unknown | Process created: C:\Users\user\Desktop\1g1NLI6i33.exe 'C:\Users\user\Desktop\1g1NLI6i33.exe'
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Process created: C:\Users\user\Desktop\1g1NLI6i33.exe 'C:\Users\user\Desktop\1g1NLI6i33.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe'
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Process created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe'
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Process created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe'
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Process created: C:\Users\user\Desktop\1g1NLI6i33.exe 'C:\Users\user\Desktop\1g1NLI6i33.exe'
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Process created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe'
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Process created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe'
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 1g1NLI6i33.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP | source: 1g1NLI6i33.exe, 00000000.00000003.645643338.00000000033B0000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000006.00000003.682137775.0000000003240000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000008.00000003.695201365.0000000003200000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: 1g1NLI6i33.exe, 00000000.00000003.645643338.00000000033B0000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000006.00000003.682137775.0000000003240000.00000004.00000001.sdmp, vsbqyetogexvl.exe, 00000008.00000003.695201365.0000000003200000.00000004.00000001.sdmp

                      Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Unpacked PE file: 1.2.1g1NLI6i33.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Unpacked PE file: 7.2.vsbqyetogexvl.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Unpacked PE file: 9.2.vsbqyetogexvl.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Unpacked PE file: 1.2.1g1NLI6i33.exe.4990000.5.unpack
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Unpacked PE file: 9.2.vsbqyetogexvl.exe.4960000.6.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Unpacked PE file: 1.2.1g1NLI6i33.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Unpacked PE file: 7.2.vsbqyetogexvl.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Unpacked PE file: 9.2.vsbqyetogexvl.exe.400000.1.unpack
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_3_05AA85AB push esp; ret
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_3_05AA8D8B push esp; ret
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_3_05AA899B push esp; ret
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_3_05AA917B push esp; ret
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_3_05AA9033 push esp; ret
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_3_05AA8463 push esp; ret
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_3_05AA8C43 push esp; ret
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_3_05AA8853 push esp; ret
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_3_05AA87A3 push esp; ret
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_3_05AA83B3 push esp; ret
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_3_05AA8F83 push esp; ret
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_3_05AA8B93 push esp; ret
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_3_05AAE35F push edx; iretd
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_3_05AAEEDB push edi; retf
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_3_05AA922B push esp; ret
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_3_05AA8E3B push esp; ret
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_3_05AA8A4B push esp; ret
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_3_05AA865B push esp; ret
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_2_00401F16 push ecx; ret
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 7_2_00401F16 push ecx; ret
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 7_1_00401F16 push ecx; ret
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 9_2_00401F16 push ecx; ret
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 9_2_004A7E3F push edi; retn 0000h
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | File created: C:\Users\user\AppData\Local\Temp\nsu90B8.tmp\jupf00qz2dn.dll
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | File created: C:\Users\user\AppData\Local\Temp\nsb55F1.tmp\jupf00qz2dn.dll
Source: C:\Users\user\Desktop\1g1NLI6i33.exe | File created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe
Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | File created: C:\Users\user\AppData\Local\Temp\nsqAEDE.tmp\jupf00qz2dn.dll
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yhtskiwswufgckJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      Moves itself to temp directory
                      Source: c:\users\user\desktop\1g1nli6i33.exe | File moved: C:\Users\user\AppData\Local\Temp\tmpG607.tmp
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Window / User API: threadDelayed 7690
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Window / User API: threadDelayed 2147
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Window / User API: threadDelayed 671
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Window / User API: threadDelayed 9152
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe TID: 6436 | Thread sleep time: -23058430092136925s >= -30000s
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe TID: 6440 | Thread sleep count: 7690 > 30
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe TID: 6440 | Thread sleep count: 2147 > 30
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe TID: 6032 | Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe TID: 6948 | Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe TID: 4972 | Thread sleep time: -11068046444225724s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe TID: 6180 | Thread sleep count: 671 > 30
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe TID: 6180 | Thread sleep count: 9152 > 30
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe TID: 4972 | Thread sleep count: 42 > 30
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 0_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 0_2_0040659C FindFirstFileA,FindClose,
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 0_2_004027A1 FindFirstFileA,
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_2_00404A29 FindFirstFileExW,
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 7_2_00404A29 FindFirstFileExW,
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 7_1_00404A29 FindFirstFileExW,
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 9_2_00404A29 FindFirstFileExW,
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Thread delayed: delay time: 30000
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Thread delayed: delay time: 922337203685477
                      Source: 1g1NLI6i33.exe, 00000001.00000002.918245692.00000000051F0000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000007.00000002.705087423.0000000005280000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.918044446.00000000051F0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: 1g1NLI6i33.exe, 00000001.00000002.918245692.00000000051F0000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000007.00000002.705087423.0000000005280000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.918044446.00000000051F0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: 1g1NLI6i33.exe, 00000001.00000002.918245692.00000000051F0000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000007.00000002.705087423.0000000005280000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.918044446.00000000051F0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: 1g1NLI6i33.exe, 00000001.00000002.919212773.0000000005A90000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
                      Source: 1g1NLI6i33.exe, 00000001.00000002.918245692.00000000051F0000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000007.00000002.705087423.0000000005280000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.918044446.00000000051F0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 9_2_00480888 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 0_2_10001000 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_2_004035F1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 6_2_10001000 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 6_2_0304220D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 6_2_03041F48 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 7_2_004035F1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 7_1_004035F1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 8_2_023D220D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 8_2_023D1F48 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 9_2_004035F1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_2_004067FE GetProcessHeap,
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 0_2_10001509 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_2_00401E1D SetUnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Code function: 1_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 6_2_10001509 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 7_2_00401E1D SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 7_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 7_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 7_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 7_1_00401E1D SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 7_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 7_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 7_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 9_2_00401E1D SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 9_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 9_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | Code function: 9_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Maps a DLL or memory area into another process
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeSection loaded: unknown target: C:\Users\user\Desktop\1g1NLI6i33.exe protection: execute and read and write
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeSection loaded: unknown target: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe protection: execute and read and write
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeSection loaded: unknown target: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe protection: execute and read and write
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeProcess created: C:\Users\user\Desktop\1g1NLI6i33.exe 'C:\Users\user\Desktop\1g1NLI6i33.exe'
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeProcess created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe'
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeProcess created: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe 'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe'
                      Source: 1g1NLI6i33.exe, 00000001.00000002.913126222.0000000000DE0000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.913739090.0000000000F20000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: 1g1NLI6i33.exe, 00000001.00000002.913126222.0000000000DE0000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.913739090.0000000000F20000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: 1g1NLI6i33.exe, 00000001.00000002.913126222.0000000000DE0000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.913739090.0000000000F20000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: 1g1NLI6i33.exe, 00000001.00000002.913126222.0000000000DE0000.00000002.00000001.sdmp, vsbqyetogexvl.exe, 00000009.00000002.913739090.0000000000F20000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeCode function: 1_2_0040208D cpuid
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeCode function: 1_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeCode function: 0_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara matchFile source: 00000001.00000002.917550398.0000000004992000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.915225171.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.703927470.00000000006CA000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.704176469.0000000002531000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.915437676.0000000003551000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.692221014.0000000003060000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000001.699094253.0000000000414000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.704217438.0000000003531000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.916955385.0000000004962000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.703400223.0000000002430000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.704708468.0000000004970000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.912144653.00000000005D9000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.916873369.0000000004920000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.912048818.00000000004E9000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000001.686936007.0000000000414000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.914107097.00000000024F0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.703482798.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.911491892.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.704751452.00000000049B2000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.911383328.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.654628131.00000000023D0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 1g1NLI6i33.exe PID: 7060, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: vsbqyetogexvl.exe PID: 6584, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: vsbqyetogexvl.exe PID: 6712, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: vsbqyetogexvl.exe PID: 900, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: vsbqyetogexvl.exe PID: 6956, type: MEMORY
                      Source: Yara matchFile source: 0.2.1g1NLI6i33.exe.23d0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.24f0000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.6e6240.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.4970000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.415058.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.1g1NLI6i33.exe.23e1458.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.415058.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.1.vsbqyetogexvl.exe.415058.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.vsbqyetogexvl.exe.3060000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.4920000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.415058.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.3535530.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.3555530.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.vsbqyetogexvl.exe.2430000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.1g1NLI6i33.exe.23d0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.34e5530.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.4920000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.3535530.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.415058.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.vsbqyetogexvl.exe.2441458.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.415058.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.415058.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.1.vsbqyetogexvl.exe.415058.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.1.vsbqyetogexvl.exe.415058.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.6e6240.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.34e5530.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.vsbqyetogexvl.exe.3071458.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.1.vsbqyetogexvl.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.5f91f8.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.49b0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.vsbqyetogexvl.exe.3060000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.504600.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.4990000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.5f91f8.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.504600.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.vsbqyetogexvl.exe.3071458.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.4960000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.vsbqyetogexvl.exe.2430000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.4970000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.1g1NLI6i33.exe.23e1458.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.3555530.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.24f0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.vsbqyetogexvl.exe.2441458.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.1.vsbqyetogexvl.exe.415058.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.1.vsbqyetogexvl.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.400000.1.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to steal Mail credentials (via file access)
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\Desktop\1g1NLI6i33.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: Yara matchFile source: 00000007.00000002.704176469.0000000002531000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.913898804.00000000024E1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.914206758.0000000002551000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 1g1NLI6i33.exe PID: 7060, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: vsbqyetogexvl.exe PID: 6584, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: vsbqyetogexvl.exe PID: 900, type: MEMORY

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara matchFile source: 00000001.00000002.917550398.0000000004992000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.915225171.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.703927470.00000000006CA000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.704176469.0000000002531000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.915437676.0000000003551000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.692221014.0000000003060000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000001.699094253.0000000000414000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.704217438.0000000003531000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.916955385.0000000004962000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.703400223.0000000002430000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.704708468.0000000004970000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.912144653.00000000005D9000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.916873369.0000000004920000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.912048818.00000000004E9000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000001.686936007.0000000000414000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.914107097.00000000024F0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.703482798.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.911491892.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.704751452.00000000049B2000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.911383328.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.654628131.00000000023D0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: 1g1NLI6i33.exe PID: 7060, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: vsbqyetogexvl.exe PID: 6584, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: vsbqyetogexvl.exe PID: 6712, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: vsbqyetogexvl.exe PID: 900, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: vsbqyetogexvl.exe PID: 6956, type: MEMORY
                      Source: Yara matchFile source: 0.2.1g1NLI6i33.exe.23d0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.24f0000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.6e6240.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.4970000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.415058.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.1g1NLI6i33.exe.23e1458.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.415058.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.1.vsbqyetogexvl.exe.415058.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.vsbqyetogexvl.exe.3060000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.4920000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.415058.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.3535530.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.3555530.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.vsbqyetogexvl.exe.2430000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.1g1NLI6i33.exe.23d0000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.34e5530.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.4920000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.3535530.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.415058.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.vsbqyetogexvl.exe.2441458.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.415058.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.415058.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.1.vsbqyetogexvl.exe.415058.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.1.vsbqyetogexvl.exe.415058.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.6e6240.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.34e5530.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.vsbqyetogexvl.exe.3071458.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.1.vsbqyetogexvl.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.5f91f8.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.49b0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.vsbqyetogexvl.exe.3060000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.504600.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.4990000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.5f91f8.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.504600.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.vsbqyetogexvl.exe.3071458.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.4960000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.vsbqyetogexvl.exe.2430000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.vsbqyetogexvl.exe.4970000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.1g1NLI6i33.exe.23e1458.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.3555530.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.1g1NLI6i33.exe.24f0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.vsbqyetogexvl.exe.2441458.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.1.vsbqyetogexvl.exe.415058.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.1.vsbqyetogexvl.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.vsbqyetogexvl.exe.400000.1.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

The matrix is listed here per tactic. Digits following a technique name are the signature-count badges shown beside it in the original matrix; techniques without a count are listed by the matrix but had no matching signature in this analysis.

• Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
• Execution: Windows Management Instrumentation 211, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell
• Persistence: Registry Run Keys / Startup Folder 1, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
• Privilege Escalation: Access Token Manipulation 1, Process Injection 112, Registry Run Keys / Startup Folder 1, Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
• Defense Evasion: Disable or Modify Tools 1, Deobfuscate/Decode Files or Information 11, Obfuscated Files or Information 2, Software Packing 31, Masquerading 11, Virtualization/Sandbox Evasion 141, Access Token Manipulation 1, Process Injection 112, Masquerading
• Credential Access: OS Credential Dumping 2, Credentials in Registry 1, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
• Discovery: System Time Discovery 1, File and Directory Discovery 2, System Information Discovery 127, Query Registry 1, Security Software Discovery 241, Process Discovery 2, Virtualization/Sandbox Evasion 141, Application Window Discovery 1, Remote System Discovery 1
• Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools
• Collection: Archive Collected Data 11, Data from Local System 2, Email Collection 1, Clipboard Data 1, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
• Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
• Command and Control: Encrypted Channel 1, Non-Standard Port 1, Non-Application Layer Protocol 1, Application Layer Protocol 11, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
• Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
• Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
• Impact: System Shutdown/Reboot 1, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction

                      Behavior Graph


                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 404206
Sample: 1g1NLI6i33.exe
Start date: 04/05/2021
Architecture: WINDOWS
Score: 100

The graph, read as a process tree (numbers in brackets after a process name are the count badges from the legend, as shown on the node):

• Start node
  Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 2 other signatures
  DNS/IP: us2.smtp.mailhostbox.com
• 1g1NLI6i33.exe [1 21], started
  Dropped: C:\Users\user\AppData\...\vsbqyetogexvl.exe (PE32); C:\Users\user\AppData\...\jupf00qz2dn.dll (PE32)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); Detected unpacking (overwrites its own PE header); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  • 1g1NLI6i33.exe [2], started as child
    DNS/IP: us2.smtp.mailhostbox.com 208.91.199.224 (source port 49768, destination port 587), PUBLIC-DOMAIN-REGISTRYUS, United States
    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Moves itself to temp directory; Tries to steal Mail credentials (via file access)
• vsbqyetogexvl.exe [17], started
  Dropped: C:\Users\user\AppData\...\jupf00qz2dn.dll (PE32)
  Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file
  • vsbqyetogexvl.exe, started as child
• vsbqyetogexvl.exe [17], started
  Dropped: C:\Users\user\AppData\...\jupf00qz2dn.dll (PE32)
  Signatures: Maps a DLL or memory area into another process
  • vsbqyetogexvl.exe [2], started as child
    Signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 1g1NLI6i33.exe | 29% | Virustotal | |
| 1g1NLI6i33.exe | 100% | Joe Sandbox ML | |

                      Dropped Files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | 100% | Joe Sandbox ML | |
| C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe | 43% | ReversingLabs | Win32.Trojan.AgentTesla |

                      Unpacked PE Files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 7.0.vsbqyetogexvl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 |
| 8.0.vsbqyetogexvl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 |
| 0.2.1g1NLI6i33.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 |
| 7.2.vsbqyetogexvl.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8 |
| 1.0.1g1NLI6i33.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 |
| 6.2.vsbqyetogexvl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 |
| 1.2.1g1NLI6i33.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 |
| 7.1.vsbqyetogexvl.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 |
| 7.2.vsbqyetogexvl.exe.49b0000.5.unpack | 100% | Avira | TR/Spy.Gen8 |
| 0.0.1g1NLI6i33.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 |
| 1.2.1g1NLI6i33.exe.4990000.5.unpack | 100% | Avira | TR/Spy.Gen8 |
| 0.2.1g1NLI6i33.exe.30c0000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
| 9.2.vsbqyetogexvl.exe.4960000.6.unpack | 100% | Avira | TR/Spy.Gen8 |
| 6.0.vsbqyetogexvl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 |
| 9.0.vsbqyetogexvl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 |
| 8.2.vsbqyetogexvl.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366 |
| 9.1.vsbqyetogexvl.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 |
| 9.2.vsbqyetogexvl.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8 |

                      Domains

                      No Antivirus matches

                      URLs

| Source | Detection | Scanner | Label |
|---|---|---|---|
| http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe |
| http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
| http://ocsp.sectigo.com0A | 0% | URL Reputation | safe |
| http://DynDns.comDynDNS | 0% | URL Reputation | safe |
| https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
| http://1UVMV9Y76P8yRzwJn.net | 0% | Avira URL Cloud | safe |
| https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe |
| https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe |
| http://kVHmOE.com | 0% | Avira URL Cloud | safe |

                      Domains and IPs

                      Contacted Domains

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| us2.smtp.mailhostbox.com | 208.91.199.224 | true | false | | high |

                        URLs from Memory and Binaries

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 1g1NLI6i33.exe, 00000001.00000002.914864176.00000000028AD000.00000004.00000001.sdmp; vsbqyetogexvl.exe, 00000009.00000002.918526939.0000000005A95000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://127.0.0.1:HTTP/1.1 | 1g1NLI6i33.exe, 00000001.00000002.914206758.0000000002551000.00000004.00000001.sdmp; vsbqyetogexvl.exe, 00000007.00000002.704176469.0000000002531000.00000004.00000001.sdmp; vsbqyetogexvl.exe, 00000009.00000002.913898804.00000000024E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low |
| http://ocsp.sectigo.com0A | 1g1NLI6i33.exe, 00000001.00000002.914864176.00000000028AD000.00000004.00000001.sdmp; vsbqyetogexvl.exe, 00000009.00000002.918526939.0000000005A95000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://DynDns.comDynDNS | vsbqyetogexvl.exe, 00000009.00000002.913898804.00000000024E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |
| https://sectigo.com/CPS0 | 1g1NLI6i33.exe, 00000001.00000002.914864176.00000000028AD000.00000004.00000001.sdmp; vsbqyetogexvl.exe, 00000009.00000002.918526939.0000000005A95000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://nsis.sf.net/NSIS_Error | 1g1NLI6i33.exe | false | | high |
| http://1UVMV9Y76P8yRzwJn.net | vsbqyetogexvl.exe, 00000009.00000002.914620731.000000000280A000.00000004.00000001.sdmp; vsbqyetogexvl.exe, 00000009.00000002.913898804.00000000024E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown |
| http://nsis.sf.net/NSIS_ErrorError | 1g1NLI6i33.exe | false | | high |
| http://us2.smtp.mailhostbox.com | 1g1NLI6i33.exe, 00000001.00000002.914841865.00000000028A5000.00000004.00000001.sdmp; vsbqyetogexvl.exe, 00000009.00000002.914664635.000000000283A000.00000004.00000001.sdmp | false | | high |
| https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 1g1NLI6i33.exe, 00000001.00000002.914206758.0000000002551000.00000004.00000001.sdmp; vsbqyetogexvl.exe, 00000007.00000002.704176469.0000000002531000.00000004.00000001.sdmp; vsbqyetogexvl.exe, 00000009.00000002.913898804.00000000024E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |
| https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | vsbqyetogexvl.exe | false | URL Reputation: safe | unknown |
| http://kVHmOE.com | vsbqyetogexvl.exe, 00000009.00000002.913898804.00000000024E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown |

                              Contacted IPs


                              Public

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 208.91.199.224 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false |
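The only network contact in this analysis is an outbound SMTP submission (destination port 587) to us2.smtp.mailhostbox.com from the sample and its dropped copy, which is how AgentTesla ships harvested credentials. The following is an added triage example, not Joe Sandbox code: it flags connections on mail-submission ports that come from processes that should not be sending mail. The connection records are constructed to mirror the entry above (the Desktop path for the original sample is invented, the report does not state where it was launched from), and the allow-list of mail clients, the port set and the user-writable directory list are assumptions to be tuned per estate.

```python
"""Flag outbound SMTP connections from processes that should not be sending mail.

Added example for this report, not Joe Sandbox code. The records below are
constructed; the mail-client allow-list, port set and directory list are
assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address

# Ports a mail client uses to hand mail to an MTA (assumed set).
SMTP_PORTS = {25, 465, 587}

# Process images expected to speak SMTP on a workstation (assumed allow-list,
# compared case-insensitively on the file name only).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Directories a user can write to; mail sent from here deserves a look (assumed).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass(frozen=True)
class Conn:
    image: str      # full path of the process image
    dst_ip: str
    dst_port: int
    dst_host: str   # resolved name, "" if none


def triage(conn: Conn) -> list[str]:
    """Return the reasons this connection is suspicious; an empty list means none."""
    reasons: list[str] = []
    if conn.dst_port not in SMTP_PORTS:
        return reasons                      # not SMTP, out of scope for this check
    name = conn.image.rsplit("\\", 1)[-1].lower()
    if name not in MAIL_CLIENTS:
        reasons.append(f"non-mail process {name} talking SMTP on {conn.dst_port}")
    if any(d in conn.image.lower() for d in USER_WRITABLE):
        reasons.append("process image lives in a user-writable directory")
    if not ip_address(conn.dst_ip).is_private:
        reasons.append(f"direct external submission to {conn.dst_host or conn.dst_ip}")
    return reasons


# Constructed sample: the two connections from this report plus two benign ones.
SAMPLE = [
    Conn(r"C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe",
         "208.91.199.224", 587, "us2.smtp.mailhostbox.com"),
    Conn(r"C:\Users\user\Desktop\1g1NLI6i33.exe",          # launch path assumed
         "208.91.199.224", 587, "us2.smtp.mailhostbox.com"),
    Conn(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
         "10.0.0.25", 587, "mail.corp.example"),             # internal relay, allowed client
    Conn(r"C:\Windows\System32\svchost.exe", "13.107.4.52", 443, ""),
]


def report(conns: list[Conn] = SAMPLE) -> dict[str, list[str]]:
    """Map image path -> reasons, for every connection that raised at least one."""
    out: dict[str, list[str]] = {}
    for c in conns:
        reasons = triage(c)
        if reasons:
            out[c.image] = reasons
    return out


if __name__ == "__main__":
    for image, reasons in report().items():
        print(image)
        for r in reasons:
            print("   -", r)
```

Run against real telemetry this would consume Sysmon event 3 or EDR network records rather than the inline list; the three reasons are kept separate so the analyst can see that the dropped copy trips all of them while a mail client on an internal relay trips none.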

                              General Information

                              Joe Sandbox Version:32.0.0 Black Diamond
                              Analysis ID:404206
                              Start date:04.05.2021
                              Start time:19:54:48
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 12m 35s
                              Hypervisor based Inspection enabled:false
                              Report type:light
                              Sample file name:1g1NLI6i33.exe
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:23
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@9/13@2/1
                              EGA Information:Failed
                              HDC Information:
                              • Successful, ratio: 20.6% (good quality ratio 19.1%)
                              • Quality average: 77.8%
                              • Quality standard deviation: 30.7%
                              HCA Information:
                              • Successful, ratio: 92%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .exe
                              Warnings:
                              • Excluded IPs from analysis (whitelisted): 20.82.210.154, 131.253.33.200, 13.107.22.200, 52.147.198.201, 104.43.193.48, 92.122.145.220, 13.88.21.125, 104.43.139.144, 92.122.213.247, 92.122.213.194, 52.155.217.156, 8.241.78.126, 8.241.82.254, 8.241.126.121, 8.241.88.254, 8.241.89.254, 20.54.26.129, 40.64.100.89
                              • Excluded domains from analysis (whitelisted): mw1eap.displaycatalog.md.mp.microsoft.com.akadns.net, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net, consumerrp-displaycatalog-aks2eap-uswest.md.mp.microsoft.com.akadns.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, displaycatalog-uswesteap.md.mp.microsoft.com.akadns.net, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 19:55:40 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run yhtskiwswufgck C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe |
| 19:55:46 | API Interceptor | 697x Sleep call for process: 1g1NLI6i33.exe modified |
| 19:55:48 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run yhtskiwswufgck C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe |
| 19:55:50 | API Interceptor | 569x Sleep call for process: vsbqyetogexvl.exe modified |
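The persistence recorded above is a Run-key value with a random-looking name (yhtskiwswufgck) pointing at a copy of the sample under a random-looking directory in AppData\Roaming, written once via the 32-bit view and once via the 64-bit view of HKCU. The following is an added example, not part of the Joe Sandbox report: it parses lines in the report's own "Run: <key> <value name> <command>" shape, collapses the two registry views, and flags entries by target location and by a rough name-randomness heuristic. The first two sample lines are the report's; the other two are constructed benign entries; the directory list, the vowel-ratio and consonant-run thresholds are assumptions.

```python
"""Triage Run-key autostart entries of the kind listed under Behavior and APIs.

Added example, not Joe Sandbox code. Sample lines 3 and 4 are constructed;
the heuristics and thresholds are assumptions.
"""
from __future__ import annotations

import re

# Directories a user can write to; persistence pointing here deserves a look (assumed).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

VOWELS = set("aeiouy")   # y counted as a vowel so names like SecurityHealth pass

LINE_RE = re.compile(r"^Run:\s+(?P<key>\S+)\s+(?P<name>\S+)\s+(?P<cmd>.+)$")


def parse(line: str) -> tuple[str, str, str] | None:
    """Split a report line into (registry key, value name, command); None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return (m["key"], m["name"], m["cmd"]) if m else None


def looks_random(name: str) -> bool:
    """Rough check for machine-generated value names: few vowels or a long consonant run."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 8:                     # too short to judge (assumed cut-off)
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest_run = max(longest_run, run)
    return vowel_ratio < 0.25 or longest_run >= 4   # assumed thresholds


def triage(line: str) -> list[str]:
    """Reasons the Run entry on this line is suspicious; empty list if none."""
    parsed = parse(line)
    if parsed is None:
        return ["unparseable line"]
    _key, name, cmd = parsed
    reasons: list[str] = []
    if any(d in cmd.lower() for d in USER_WRITABLE):
        reasons.append("target executable in a user-writable directory")
    if looks_random(name):
        reasons.append(f"value name {name!r} looks machine-generated")
    return reasons


SAMPLE_LINES = [
    r"Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run yhtskiwswufgck C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe",
    r"Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run yhtskiwswufgck C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe",
    # constructed benign entries
    r"Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SecurityHealth C:\Windows\System32\SecurityHealthSystray.exe",
    r"Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
]


def triage_all(lines: list[str] = SAMPLE_LINES) -> dict[str, list[str]]:
    """One result per (value name, command), so the HKCU and HKCU64 views collapse to one row."""
    results: dict[str, list[str]] = {}
    for line in lines:
        parsed = parse(line)
        key = f"{parsed[1]} -> {parsed[2]}" if parsed else line
        results.setdefault(key, triage(line))
    return results


if __name__ == "__main__":
    for entry, reasons in triage_all().items():
        print(entry, "->", reasons or "ok")
```

The location check alone is noisy (per-user installers such as OneDrive legitimately live under AppData, and that entry is flagged on location only), which is why the name heuristic is reported as a separate reason: an entry that trips both is the one to pull the binary for and check its signature and hashes against the Dropped Files table.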

                              Joe Sandbox View / Context

                              IPs

Match: 208.91.199.224. Associated samples, all detected as malicious:

• PO.xlsx
• Purchase Orde.pdf.exe
• LM Approved Invoice-03-05-2021.doc
• REQUEST FOR PRICE QUOTE - URGENT.exe
• purchace order.exe
• Xerox Scan_07122020181109.exe
• Payment Advice Note from 30.04.2021 to 608760.exe
• Quotation-27-04-2021_PDF.exe
• REQUEST FOR QUOTATION.exe
• Sales order 191923.exe
• NEW ORDER.exe
• SecuriteInfo.com.Trojan.PackedNET.686.5407.exe
• Order Items.exe
• SecuriteInfo.com.Trojan.Win32.Save.a.25790.exe
• hh$$$.exe
• RApK2RmjFR.exe
• PO#5300008762.exe
• 35yLPwVr54.exe
• HTC-13051989.exe
• DHL In-TrTransit Notification, Reference Number.exe

                                                                      Domains

Match: us2.smtp.mailhostbox.com. Associated samples, all detected as malicious, with the IP the domain resolved to in that analysis:

• Mlj6rE49Bf.exe (208.91.199.223)
• DHL Shipment Delivery Notification.exe (208.91.199.223)
• PO.xlsx (208.91.199.224)
• Order Request .pdf.exe (208.91.198.143)
• QuoteXrequestX-DAX31312.exe (208.91.199.223)
• P I.exe (208.91.198.143)
• LM Approved Invoice-04-05-2021.doc (208.91.199.223)
• Purchase Orde.pdf.exe (208.91.199.224)
• LM Approved Invoice-03-05-2021.doc (208.91.199.223)
• REQUEST FOR PRICE QUOTE - URGENT.pdf.exe (208.91.198.143)
• razi.exe (208.91.199.223)
• Product Sample.xlsx (208.91.199.225)
• RQF_001.exe (208.91.198.143)
• REQUEST FOR PRICE QUOTE - URGENT.exe (208.91.199.224)
• Project Enquiry - KHI To LSG.exe (208.91.199.223)
• quotation pdf.exe (208.91.199.225)
• RFQ.doc (208.91.199.225)
• YdenPtYdbt.exe (208.91.198.143)
• LM Approved Invoice-02-05-2021.doc (208.91.199.223)
• KJ29joA7RS.exe (208.91.199.223)

                                                                      ASN

Match: PUBLIC-DOMAIN-REGISTRYUS. Associated samples, all detected as malicious, with the IP contacted in that ASN:

• Mlj6rE49Bf.exe (208.91.199.223)
• DHL Shipment Delivery Notification.exe (208.91.199.223)
• PO.xlsx (208.91.199.224)
• Order Request .pdf.exe (208.91.198.143)
• QuoteXrequestX-DAX31312.exe (208.91.199.223)
• items.doc (162.215.241.145)
• P I.exe (208.91.198.143)
• LM Approved Invoice-04-05-2021.doc (208.91.198.143)
• Purchase Orde.pdf.exe (208.91.199.224)
• LM Approved Invoice-03-05-2021.doc (208.91.199.224)
• 4GGwmv0AJm.exe (209.99.16.216)
• REQUEST FOR PRICE QUOTE - URGENT.pdf.exe (208.91.198.143)
• 7A124B54.xlsm (119.18.52.7)
• Tree Top.html (208.91.199.242)
• razi.exe (208.91.199.223)
• af8241fb_by_Libranalysis.exe (162.215.241.145)
• Product Sample.xlsx (208.91.199.225)
• RQF_001.exe (208.91.198.143)
• REQUEST FOR PRICE QUOTE - URGENT.exe (208.91.199.224)
• Project Enquiry - KHI To LSG.exe (208.91.199.223)

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      C:\Users\user\AppData\Local\Temp\04v480yduj
                                                                      Process:C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):296960
                                                                      Entropy (8bit):7.999373643135451
                                                                      Encrypted:true
                                                                      SSDEEP:6144:XE/JlF7uLlUemo12UiBuF/3K6MCgCeSMZR/B1Rhmjs1v+9A:g97ulmq2125MHCM1Z1v+9A
                                                                      MD5:52DE7375ECF6FDC72E9B19A88433E615
                                                                      SHA1:424EC30B0A0F389DBE3A529005BC68E62F21E129
                                                                      SHA-256:A57F3187F23A8A700559ABA22514635A044B28EE740E4333D80340EDBE26EF3A
                                                                      SHA-512:41E7CF174DFCFFCABCBF599885FF0FF54B0BE83A5D48FCA477E33CFBCBF156013EFF57A0CFCC7087592BD3D2C962ADC1C4809837B4F2951D527D8E2D828E7C76
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview: R...|..>..V..eP..#.=.....HH..ZJd.....t.1.p....9i.!...V.?X.....h...j.%.V7..$v<......|..W.?}".&.B;p......T.WH.|".~............oa..9.......d.x.U......zS.v...8D.Nvu.2...X$.POGy.<..2."....A..i.....8.5..V...6=...E...nd.....~V...h.......0;9..!...[.u,...7.&..@..;......,k.....".[..dn-4..<.IL.F.HY.G6..y5..!.M0J.8Bwy(.5.s....M..{.;~..#...4*.,.... F..s.~A.....o.bT.......v..x......F..~.....!.bR.Iy.}PKB..NJ........".O>...#L..T..J.T.h.p_...`....N...... .D..'.W.$C.).~U..j.YS.e.(...BL.8..%....&.+...;.t.hk.+..u.gq....x.$jj{... -.?.....#..G......0s..-.O.W..V.0.c..c..L&.x....nB....n=........'*b.B...s.Z.2..F..+aY.vg...B.>X......Yd.l..?../O...J.=.^t.G.........B.......<....Q.E.0.Q...r.4..,e.6.U.Z.nZ..N.T[p{hC.G...-......)...f@V"....n.u.[..6tHB..?..E$.9...=`..aK.#9b[O.........6..0...A..'..18.G./.3.K.&...8o...u.........mpO@]...i.t.x......5..T..z[.s&tU_..g.\.$n...u..3..P...7...H..]..p.r[..x.0........Ke.s.AQ."$H..."....JJ...(."HD`...L.....B..%FQkfW..^P>=;
                                                                      C:\Users\user\AppData\Local\Temp\161f8ahd30a3uiifxj4
                                                                      Process:C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):9221
                                                                      Entropy (8bit):7.8407978891438175
                                                                      Encrypted:false
                                                                      SSDEEP:192:utXU91dNf7liMmG4N0TlWxxQ2VCAErhMUlMBu3XEu3XEu3XEu3P:I4LylNM0zCAglMBunnnf
                                                                      MD5:4993BD43E04A3A15F927AF54BFD67749
                                                                      SHA1:14BC0147D9957452E8FC8E2ABA2290161DE5A36E
                                                                      SHA-256:1EA6ACCD7C8BAA930BF4B127FFF9C2B8493D86789D2F4C8EAEE7A2F1849AEA89
                                                                      SHA-512:F9480747D29D4B249CC27FCA2471AE62B99670F221A9996C15798351B437F30A84DF6CE10BD3318EB50EDE467FCF4B4115F3293C130E614D41DEAB6676E25527
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview: /.;...............t,..z..) ........9..4.90...$B..$........&..p..p......a..e..O...t..r.0....u....(D...t..x.>.).M..M..Q...H..J...'.A..G. J.<.`..`....=.Q..U."C.2.T..R.@...U..o.8`...dQ.h.....m0.m..u...h..z.....q2.w.0~.....;.....t..u=..P..P..IC..H...E..O.8[D..G...H..Z..SS..^+..QB.U..{`..]9..T..X..qo..p.....g..vh..j.....a".g. p...........q..u."u...tK.r.@.+.u..O.8B.0.D..H...!.M..M..C.&.Hw.Z....?.Q..W.0\.4.`..`.&.5.Q..U.2a.....n......h.......G..d. .[....NZ..q..0.......Q...O...9.........i........{oZ....m......;.<.:...?...&6....1....@.......7.........[.$..<.....$J^c.<..4..... ....^.....h...9...y.......L......-...r..!....@......F.hs....?....F...-..1.2.>.&..0..."...\..................... .....&...:.......%6.<...9..@....8.0.. ...2......9..t..........H*..........4.;...90.=.......+.......o.....6.......(.5...,...*..T...}.t......w.x.O.......#...#..!...&..:.......9..5.,....>.3.....2.7&...1^...U.p.(.............$....... .<..Yq...(...~.)@.........2
                                                                      C:\Users\user\AppData\Local\Temp\nsb55F1.tmp\jupf00qz2dn.dll
                                                                      Process:C:\Users\user\Desktop\1g1NLI6i33.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):5632
                                                                      Entropy (8bit):4.13790327751178
                                                                      Encrypted:false
                                                                      SSDEEP:96:BHvn1ASk3NDZ+t20RKgIFln6Rul4jdkpN3:BWuuokajdkpN3
                                                                      MD5:AD0988E9810DB71DBBF62EB34162BAEB
                                                                      SHA1:78465D48ECBDCB107B6DC1937D823DBE3E789318
                                                                      SHA-256:2A344BC8389C27E68EF7BBEAAB1B98E580A9F42A1AD1EA6B2492D9635B7B5105
                                                                      SHA-512:EFC528BFB1A08A953437DF4FDB2A9365F76DF784C473A19D2749145A2D22C86035D59E09F9986B4162118F0D541044ACB6DAB2DF5197003CDA18EB8A1B9392F7
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9.}XX..XX..XX...0./]X....,.UX..XX..xX...1./YX...1./YX...1./YX..RichXX..........PE..L....?.`...........!......................... ...............................@......................................p!..P...."....................................... ............................... ..@............ ...............................text...1........................... ..`.rdata....... ......................@..@.data...T....0......................@...........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      C:\Users\user\AppData\Local\Temp\nsg55C1.tmp
                                                                      Process:C:\Users\user\Desktop\1g1NLI6i33.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):315042
                                                                      Entropy (8bit):7.97484316079725
                                                                      Encrypted:false
                                                                      SSDEEP:6144:c3E/JlF7uLlUemo12UiBuF/3K6MCgCeSMZR/B1Rhmjs1v+9:T97ulmq2125MHCM1Z1v+9
                                                                      MD5:8B9B248ED4ADB4BA5259317DC9C0AC28
                                                                      SHA1:9AC1E37E65A9A2BD4F32BF4F89618BEAD8F9F9FB
                                                                      SHA-256:41891B82C216709BAE67DBF48537B87829C0F91EFEB192E4F27BD3FADD51F078
                                                                      SHA-512:91B76DC90EDB37D4D94AD517E2924AE94D5E0E3CE0378868D35C5335A00564B4ABFDE32EB6A2F1AEE4A90D528B6CB885244C6FE0B7D84BF697B0EFC5F97D4A5C
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview: ........,...................................................................................................................................................................................................................................................................................J...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      C:\Users\user\AppData\Local\Temp\nsgAE9F.tmp
                                                                      Process:C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):315042
                                                                      Entropy (8bit):7.97484316079725
                                                                      Encrypted:false
                                                                      SSDEEP:6144:c3E/JlF7uLlUemo12UiBuF/3K6MCgCeSMZR/B1Rhmjs1v+9:T97ulmq2125MHCM1Z1v+9
                                                                      MD5:8B9B248ED4ADB4BA5259317DC9C0AC28
                                                                      SHA1:9AC1E37E65A9A2BD4F32BF4F89618BEAD8F9F9FB
                                                                      SHA-256:41891B82C216709BAE67DBF48537B87829C0F91EFEB192E4F27BD3FADD51F078
                                                                      SHA-512:91B76DC90EDB37D4D94AD517E2924AE94D5E0E3CE0378868D35C5335A00564B4ABFDE32EB6A2F1AEE4A90D528B6CB885244C6FE0B7D84BF697B0EFC5F97D4A5C
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview: ........,...................................................................................................................................................................................................................................................................................J...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      C:\Users\user\AppData\Local\Temp\nsqAEDE.tmp\jupf00qz2dn.dll
                                                                      Process:C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):5632
                                                                      Entropy (8bit):4.13790327751178
                                                                      Encrypted:false
                                                                      SSDEEP:96:BHvn1ASk3NDZ+t20RKgIFln6Rul4jdkpN3:BWuuokajdkpN3
                                                                      MD5:AD0988E9810DB71DBBF62EB34162BAEB
                                                                      SHA1:78465D48ECBDCB107B6DC1937D823DBE3E789318
                                                                      SHA-256:2A344BC8389C27E68EF7BBEAAB1B98E580A9F42A1AD1EA6B2492D9635B7B5105
                                                                      SHA-512:EFC528BFB1A08A953437DF4FDB2A9365F76DF784C473A19D2749145A2D22C86035D59E09F9986B4162118F0D541044ACB6DAB2DF5197003CDA18EB8A1B9392F7
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9.}XX..XX..XX...0./]X....,.UX..XX..xX...1./YX...1./YX...1./YX..RichXX..........PE..L....?.`...........!......................... ...............................@......................................p!..P...."....................................... ............................... ..@............ ...............................text...1........................... ..`.rdata....... ......................@..@.data...T....0......................@...........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      C:\Users\user\AppData\Local\Temp\nsu90B8.tmp\jupf00qz2dn.dll
                                                                      Process:C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):5632
                                                                      Entropy (8bit):4.13790327751178
                                                                      Encrypted:false
                                                                      SSDEEP:96:BHvn1ASk3NDZ+t20RKgIFln6Rul4jdkpN3:BWuuokajdkpN3
                                                                      MD5:AD0988E9810DB71DBBF62EB34162BAEB
                                                                      SHA1:78465D48ECBDCB107B6DC1937D823DBE3E789318
                                                                      SHA-256:2A344BC8389C27E68EF7BBEAAB1B98E580A9F42A1AD1EA6B2492D9635B7B5105
                                                                      SHA-512:EFC528BFB1A08A953437DF4FDB2A9365F76DF784C473A19D2749145A2D22C86035D59E09F9986B4162118F0D541044ACB6DAB2DF5197003CDA18EB8A1B9392F7
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9.}XX..XX..XX...0./]X....,.UX..XX..xX...1./YX...1./YX...1./YX..RichXX..........PE..L....?.`...........!......................... ...............................@......................................p!..P...."....................................... ............................... ..@............ ...............................text...1........................... ..`.rdata....... ......................@..@.data...T....0......................@...........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      C:\Users\user\AppData\Local\Temp\nsz9088.tmp
                                                                      Process:C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):315042
                                                                      Entropy (8bit):7.97484316079725
                                                                      Encrypted:false
                                                                      SSDEEP:6144:c3E/JlF7uLlUemo12UiBuF/3K6MCgCeSMZR/B1Rhmjs1v+9:T97ulmq2125MHCM1Z1v+9
                                                                      MD5:8B9B248ED4ADB4BA5259317DC9C0AC28
                                                                      SHA1:9AC1E37E65A9A2BD4F32BF4F89618BEAD8F9F9FB
                                                                      SHA-256:41891B82C216709BAE67DBF48537B87829C0F91EFEB192E4F27BD3FADD51F078
                                                                      SHA-512:91B76DC90EDB37D4D94AD517E2924AE94D5E0E3CE0378868D35C5335A00564B4ABFDE32EB6A2F1AEE4A90D528B6CB885244C6FE0B7D84BF697B0EFC5F97D4A5C
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview: ........,...................................................................................................................................................................................................................................................................................J...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe
                                                                      Process:C:\Users\user\Desktop\1g1NLI6i33.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                      Category:dropped
                                                                      Size (bytes):348416
                                                                      Entropy (8bit):7.945327965170323
                                                                      Encrypted:false
                                                                      SSDEEP:6144:lPXZLwfTl4lCmjw3FYlbB231/KtItPfiFtDMFTDb+AqTfu8cxFdMACKtee7o:TLwl4dw36lyKtBgFMfoFdM7tGo
                                                                      MD5:D0A8C2403C51EA96D820DCD443F1AAAB
                                                                      SHA1:825A057B9218A956A632BDD563056BE37BFC0C10
                                                                      SHA-256:0C397EBC470F59440B6A317A88A2592C0B05057CEA1FF2F31B9FDDE549971AEE
                                                                      SHA-512:FB7A0307327811FE7338ECF30AB539A50E9717DB60FF6E05FB06710E536EC9CF5EC560E97EEC2FAB19D37CE81725AD514EC7C1537DB52330DE1F3BE192D5CF93
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 43%
                                                                      Reputation:low
                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....$_.................d..........a4............@.......................................@.................................8...........P............................................................................................................text...<b.......d.................. ..`.rdata..t............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...P...........................@..@................................................................................................................................................................................................................................................................................................................................................................

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                      Entropy (8bit):7.945327965170323
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:1g1NLI6i33.exe
                                                                      File size:348416
                                                                      MD5:d0a8c2403c51ea96d820dcd443f1aaab
                                                                      SHA1:825a057b9218a956a632bdd563056be37bfc0c10
                                                                      SHA256:0c397ebc470f59440b6a317a88a2592c0b05057cea1ff2f31b9fdde549971aee
                                                                      SHA512:fb7a0307327811fe7338ecf30ab539a50e9717db60ff6e05fb06710e536ec9cf5ec560e97eec2fab19d37ce81725ad514ec7c1537db52330de1f3be192d5cf93
                                                                      SSDEEP:6144:lPXZLwfTl4lCmjw3FYlbB231/KtItPfiFtDMFTDb+AqTfu8cxFdMACKtee7o:TLwl4dw36lyKtBgFMfoFdM7tGo
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L.....$_.................d..........a4............@

                                                                      File Icon

                                                                      Icon Hash:b2a88c96b2ca6a72

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x403461
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                      Time Stamp:0x5F24D6E4 [Sat Aug 1 02:43:48 2020 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:ea4e67a31ace1a72683a99b80cf37830

                                                                      Entrypoint Preview

                                                                      Instruction
                                                                      sub esp, 00000184h
                                                                      push ebx
                                                                      push esi
                                                                      push edi
                                                                      xor ebx, ebx
                                                                      push 00008001h
                                                                      mov dword ptr [esp+18h], ebx
                                                                      mov dword ptr [esp+10h], 0040A130h
                                                                      mov dword ptr [esp+20h], ebx
                                                                      mov byte ptr [esp+14h], 00000020h
                                                                      call dword ptr [004080B0h]
                                                                      call dword ptr [004080C0h]
                                                                      and eax, BFFFFFFFh
                                                                      cmp ax, 00000006h
                                                                      mov dword ptr [0042474Ch], eax
                                                                      je 00007F617C7F4073h
                                                                      push ebx
                                                                      call 00007F617C7F71EEh
                                                                      cmp eax, ebx
                                                                      je 00007F617C7F4069h
                                                                      push 00000C00h
                                                                      call eax
                                                                      mov esi, 004082A0h
                                                                      push esi
                                                                      call 00007F617C7F716Ah
                                                                      push esi
                                                                      call dword ptr [004080B8h]
                                                                      lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F617C7F404Dh
push 0000000Bh
call 00007F617C7F71C2h
push 00000009h
call 00007F617C7F71BBh
push 00000007h
mov dword ptr [00424744h], eax
call 00007F617C7F71AFh
cmp eax, ebx
je 00007F617C7F4071h
push 0000001Eh
call eax
test eax, eax
je 00007F617C7F4069h
or byte ptr [0042474Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [00424818h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041FD10h
call dword ptr [0040816Ch]
push 0040A1ECh

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8438 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0xa50 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x623c | 0x6400 | False | 0.65859375 | data | 6.40257705324 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1274 | 0x1400 | False | 0.43359375 | data | 5.05749598324 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x1a858 | 0x600 | False | 0.445963541667 | data | 4.08975001509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x25000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2d000 | 0xa50 | 0xc00 | False | 0.402994791667 | data | 4.1909607241 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2d190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x2d478 | 0x100 | data | English | United States
RT_DIALOG | 0x2d578 | 0x11c | data | English | United States
RT_DIALOG | 0x2d698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x2d6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x2d710 | 0x340 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersion, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Network Port Distribution

TCP Packets


UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 4, 2021 19:57:23.750916004 CEST | 192.168.2.4 | 8.8.8.8 | 0x8564 | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)
May 4, 2021 19:57:40.648552895 CEST | 192.168.2.4 | 8.8.8.8 | 0x820c | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2021 19:57:23.814285994 CEST | 8.8.8.8 | 192.168.2.4 | 0x8564 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001)
May 4, 2021 19:57:23.814285994 CEST | 8.8.8.8 | 192.168.2.4 | 0x8564 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001)
May 4, 2021 19:57:23.814285994 CEST | 8.8.8.8 | 192.168.2.4 | 0x8564 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001)
May 4, 2021 19:57:23.814285994 CEST | 8.8.8.8 | 192.168.2.4 | 0x8564 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001)
May 4, 2021 19:57:40.711267948 CEST | 8.8.8.8 | 192.168.2.4 | 0x820c | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001)
May 4, 2021 19:57:40.711267948 CEST | 8.8.8.8 | 192.168.2.4 | 0x820c | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001)
May 4, 2021 19:57:40.711267948 CEST | 8.8.8.8 | 192.168.2.4 | 0x820c | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001)
May 4, 2021 19:57:40.711267948 CEST | 8.8.8.8 | 192.168.2.4 | 0x820c | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 4, 2021 19:57:24.739242077 CEST | 587 | 49768 | 208.91.199.224 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
May 4, 2021 19:57:24.739717007 CEST | 49768 | 587 | 192.168.2.4 | 208.91.199.224 | EHLO 226533
May 4, 2021 19:57:24.914148092 CEST | 587 | 49768 | 208.91.199.224 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
May 4, 2021 19:57:24.914699078 CEST | 49768 | 587 | 192.168.2.4 | 208.91.199.224 | STARTTLS
May 4, 2021 19:57:25.088911057 CEST | 587 | 49768 | 208.91.199.224 | 192.168.2.4 | 220 2.0.0 Ready to start TLS

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 19:55:34
Start date: 04/05/2021
Path: C:\Users\user\Desktop\1g1NLI6i33.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\1g1NLI6i33.exe'
Imagebase: 0x400000
File size: 348416 bytes
MD5 hash: D0A8C2403C51EA96D820DCD443F1AAAB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.654628131.00000000023D0000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 19:55:35
Start date: 04/05/2021
Path: C:\Users\user\Desktop\1g1NLI6i33.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\1g1NLI6i33.exe'
Imagebase: 0x400000
File size: 348416 bytes
MD5 hash: D0A8C2403C51EA96D820DCD443F1AAAB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.917550398.0000000004992000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.915437676.0000000003551000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.912048818.00000000004E9000.00000004.00000020.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.914107097.00000000024F0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.911491892.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.914206758.0000000002551000.00000004.00000001.sdmp, Author: Joe Security
                                                                      Reputation:low

                                                                      General

                                                                      Start time:19:55:48
                                                                      Start date:04/05/2021
                                                                      Path:C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe'
                                                                      Imagebase:0x400000
                                                                      File size:348416 bytes
                                                                      MD5 hash:D0A8C2403C51EA96D820DCD443F1AAAB
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.692221014.0000000003060000.00000004.00000001.sdmp, Author: Joe Security
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 43%, ReversingLabs
                                                                      Reputation:low

                                                                      General

                                                                      Start time:19:55:51
                                                                      Start date:04/05/2021
                                                                      Path:C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe'
                                                                      Imagebase:0x400000
                                                                      File size:348416 bytes
                                                                      MD5 hash:D0A8C2403C51EA96D820DCD443F1AAAB
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.703927470.00000000006CA000.00000004.00000020.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.704176469.0000000002531000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.704176469.0000000002531000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.704217438.0000000003531000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.704708468.0000000004970000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000001.686936007.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.703482798.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.704751452.00000000049B2000.00000040.00000001.sdmp, Author: Joe Security
                                                                      Reputation:low

                                                                      General

                                                                      Start time:19:55:56
                                                                      Start date:04/05/2021
                                                                      Path:C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe'
                                                                      Imagebase:0x400000
                                                                      File size:348416 bytes
                                                                      MD5 hash:D0A8C2403C51EA96D820DCD443F1AAAB
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.703400223.0000000002430000.00000004.00000001.sdmp, Author: Joe Security
                                                                      Reputation:low

                                                                      General

                                                                      Start time:19:55:58
                                                                      Start date:04/05/2021
                                                                      Path:C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\AppData\Roaming\wsvjsxxwtyqtn\vsbqyetogexvl.exe'
                                                                      Imagebase:0x400000
                                                                      File size:348416 bytes
                                                                      MD5 hash:D0A8C2403C51EA96D820DCD443F1AAAB
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.915225171.00000000034E1000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000001.699094253.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.913898804.00000000024E1000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.916955385.0000000004962000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.912144653.00000000005D9000.00000004.00000020.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.916873369.0000000004920000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.911383328.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      Reputation:low

                                                                      Disassembly

                                                                      Code Analysis