Loading ...

Play interactive tourEdit tour

Analysis Report lT2TTQACRLGKK8w.exe

Overview

General Information

Sample Name:lT2TTQACRLGKK8w.exe
Analysis ID:404238
MD5:8c2987ef25996649be1a2d6f2150a30d
SHA1:2b8425dbc57e93fbb2a9bf6d45a491ccc15f0d5d
SHA256:b1f7ca6e53ff7dd757a49539f5e5c18bfeabbe24b06270ce08df45f1c2efffff
Tags:exe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • lT2TTQACRLGKK8w.exe (PID: 6980 cmdline: 'C:\Users\user\Desktop\lT2TTQACRLGKK8w.exe' MD5: 8C2987EF25996649BE1A2D6F2150A30D)
    • lT2TTQACRLGKK8w.exe (PID: 7092 cmdline: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exe MD5: 8C2987EF25996649BE1A2D6F2150A30D)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "office3@iykmoreentrprise.orgrwkWCM328mail.iykmoreentrprise.org"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.911137710.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000002.00000002.912431014.0000000002A21000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000000.00000002.656573147.0000000004129000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
          Process Memory Space: lT2TTQACRLGKK8w.exe PID: 7092JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 3 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            2.2.lT2TTQACRLGKK8w.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2.lT2TTQACRLGKK8w.exe.4234ac8.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.lT2TTQACRLGKK8w.exe.4234ac8.3.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

                  Sigma Overview

                  No Sigma rule has matched

                  Signature Overview

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection:

                  barindex
                  Found malware configurationShow sources
                  Source: 2.2.lT2TTQACRLGKK8w.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "office3@iykmoreentrprise.orgrwkWCM328mail.iykmoreentrprise.org"}
                  Multi AV Scanner detection for submitted fileShow sources
                  Source: lT2TTQACRLGKK8w.exeReversingLabs: Detection: 19%
                  Machine Learning detection for sampleShow sources
                  Source: lT2TTQACRLGKK8w.exeJoe Sandbox ML: detected
                  Source: 2.2.lT2TTQACRLGKK8w.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                  Source: lT2TTQACRLGKK8w.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: lT2TTQACRLGKK8w.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
                  Source: global trafficTCP traffic: 192.168.2.4:49770 -> 66.70.204.222:587
                  Source: Joe Sandbox ViewIP Address: 66.70.204.222 66.70.204.222
                  Source: Joe Sandbox ViewASN Name: OVHFR OVHFR
                  Source: global trafficTCP traffic: 192.168.2.4:49770 -> 66.70.204.222:587
                  Source: unknownDNS traffic detected: queries for: mail.iykmoreentrprise.org
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.912431014.0000000002A21000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.912431014.0000000002A21000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.912431014.0000000002A21000.00000004.00000001.sdmpString found in binary or memory: http://NdOlex.com
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000003.869228156.0000000000FA7000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000003.869228156.0000000000FA7000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000003.869228156.0000000000FA7000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000003.869228156.0000000000FA7000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.912109224.0000000000F03000.00000004.00000020.sdmpString found in binary or memory: http://go.microsoft.cz
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.912804837.0000000002D88000.00000004.00000001.sdmpString found in binary or memory: http://iykmoreentrprise.org
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.912804837.0000000002D88000.00000004.00000001.sdmpString found in binary or memory: http://mail.iykmoreentrprise.org
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000003.869228156.0000000000FA7000.00000004.00000001.sdmpString found in binary or memory: http://r3.i.lencr.org/0
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000003.869228156.0000000000FA7000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.lencr.org0
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655099093.0000000003121000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: lT2TTQACRLGKK8w.exeString found in binary or memory: http://vbcity.com/forums/t/51894.aspx
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.912431014.0000000002A21000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%$
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.912431014.0000000002A21000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                  Source: lT2TTQACRLGKK8w.exeString found in binary or memory: https://github.com/MrCylops
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.912725062.0000000002D32000.00000004.00000001.sdmp, lT2TTQACRLGKK8w.exe, 00000002.00000002.912880410.0000000002DB5000.00000004.00000001.sdmp, lT2TTQACRLGKK8w.exe, 00000002.00000002.912771188.0000000002D7E000.00000004.00000001.sdmp, lT2TTQACRLGKK8w.exe, 00000002.00000002.912865775.0000000002DAD000.00000004.00000001.sdmpString found in binary or memory: https://wl0H8jlTH4n9kj.org
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.656573147.0000000004129000.00000004.00000001.sdmp, lT2TTQACRLGKK8w.exe, 00000002.00000002.911137710.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.912431014.0000000002A21000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                  System Summary:

                  barindex
                  .NET source code contains very large array initializationsShow sources
                  Source: 2.2.lT2TTQACRLGKK8w.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b56ED34DBu002dB13Du002d4E78u002dAB1Eu002dFFE9EC311CA5u007d/C4710566u002dA0DFu002d4617u002dB65Cu002d8842CDFCB5A1.csLarge array initialization: .cctor: array initializer size 11967
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_00CBA1D3
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0162C2B0
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_01629990
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B978BF8
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B977960
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B9762E8
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B9709A8
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B971918
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B971928
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B970944
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B970FEC
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B975F18
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B975F28
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B971E51
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B971E60
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B973399
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B9733A8
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B9762D8
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B972180
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B972171
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B976589
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B976523
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B974410
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B974400
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B97242B
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_00CBA42F
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 2_2_006FA1D3
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 2_2_00C88060
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 2_2_00C81B50
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 2_2_00C84310
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 2_2_00C866E8
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 2_2_00C89D58
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 2_2_00C8E720
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 2_2_00EC46A0
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 2_2_00EC4690
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 2_2_00EC4672
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 2_2_006FA42F
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000000.645706234.0000000000D5C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameUnauthorizedAccessException.exe> vs lT2TTQACRLGKK8w.exe
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655099093.0000000003121000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSimpleUI.dll( vs lT2TTQACRLGKK8w.exe
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655099093.0000000003121000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBEpnzqbDkEzvjXIwxhKwj.exe4 vs lT2TTQACRLGKK8w.exe
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.659378273.00000000063B0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs lT2TTQACRLGKK8w.exe
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.911137710.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameBEpnzqbDkEzvjXIwxhKwj.exe4 vs lT2TTQACRLGKK8w.exe
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.911283055.000000000079C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameUnauthorizedAccessException.exe> vs lT2TTQACRLGKK8w.exe
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.911346617.0000000000B38000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs lT2TTQACRLGKK8w.exe
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.912036273.0000000000ED8000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs lT2TTQACRLGKK8w.exe
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.915794812.0000000006330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs lT2TTQACRLGKK8w.exe
                  Source: lT2TTQACRLGKK8w.exeBinary or memory string: OriginalFilenameUnauthorizedAccessException.exe> vs lT2TTQACRLGKK8w.exe
                  Source: lT2TTQACRLGKK8w.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: lT2TTQACRLGKK8w.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: 2.2.lT2TTQACRLGKK8w.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 2.2.lT2TTQACRLGKK8w.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lT2TTQACRLGKK8w.exe.logJump to behavior
                  Source: lT2TTQACRLGKK8w.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
                  Source: lT2TTQACRLGKK8w.exeReversingLabs: Detection: 19%
                  Source: unknownProcess created: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exe 'C:\Users\user\Desktop\lT2TTQACRLGKK8w.exe'
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess created: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exe C:\Users\user\Desktop\lT2TTQACRLGKK8w.exe
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess created: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exe C:\Users\user\Desktop\lT2TTQACRLGKK8w.exe
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: lT2TTQACRLGKK8w.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: lT2TTQACRLGKK8w.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: lT2TTQACRLGKK8w.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: lT2TTQACRLGKK8w.exeStatic PE information: 0x9913AE82 [Sat May 20 13:58:26 2051 UTC]
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 0_2_0B975859 push 1A34BA5Ch; ret
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 2_3_00F656CB push ds; retf
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 2_3_00F66DB1 push edi; retf
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 2_3_00F649BB pushad ; retf
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 2_3_00F690BB push ss; ret
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 2_3_00F68FAB push es; iretd
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.4929930225
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  barindex
                  Yara detected AntiVM3Show sources
                  Source: Yara matchFile source: 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: lT2TTQACRLGKK8w.exe PID: 6980, type: MEMORY
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeWindow / User API: threadDelayed 1865
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeWindow / User API: threadDelayed 7968
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exe TID: 6984Thread sleep time: -101227s >= -30000s
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exe TID: 7000Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exe TID: 3120Thread sleep time: -19369081277395017s >= -30000s
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exe TID: 4984Thread sleep count: 1865 > 30
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exe TID: 4984Thread sleep count: 7968 > 30
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeThread delayed: delay time: 101227
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeThread delayed: delay time: 922337203685477
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: vmware
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000003.869177633.0000000000F5B000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllce\H
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                  Source: lT2TTQACRLGKK8w.exeBinary or memory string: Hyper-V RAW
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: VMWARE
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                  Source: lT2TTQACRLGKK8w.exe, 00000000.00000002.655179728.0000000003174000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeCode function: 2_2_00C88060 LdrInitializeThunk,
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeMemory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  barindex
                  .NET source code references suspicious native API functionsShow sources
                  Source: lT2TTQACRLGKK8w.exe, Memory.csReference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                  Source: lT2TTQACRLGKK8w.exe, ProcessClass.csReference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
                  Source: 0.2.lT2TTQACRLGKK8w.exe.cb0000.0.unpack, Memory.csReference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                  Source: 0.2.lT2TTQACRLGKK8w.exe.cb0000.0.unpack, ProcessClass.csReference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
                  Source: 0.0.lT2TTQACRLGKK8w.exe.cb0000.0.unpack, Memory.csReference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                  Source: 0.0.lT2TTQACRLGKK8w.exe.cb0000.0.unpack, ProcessClass.csReference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
                  Source: 2.2.lT2TTQACRLGKK8w.exe.400000.0.unpack, A/b2.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                  Source: 2.0.lT2TTQACRLGKK8w.exe.6f0000.0.unpack, Memory.csReference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                  Source: 2.0.lT2TTQACRLGKK8w.exe.6f0000.0.unpack, ProcessClass.csReference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
                  Source: 2.2.lT2TTQACRLGKK8w.exe.6f0000.1.unpack, ProcessClass.csReference to suspicious API methods: ('OpenProcess', 'OpenProcess@kernel32.dll')
                  Source: 2.2.lT2TTQACRLGKK8w.exe.6f0000.1.unpack, Memory.csReference to suspicious API methods: ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('ReadProcessMemory', 'ReadProcessMemory@kernel32.dll')
                  Injects a PE file into a foreign processesShow sources
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeMemory written: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeProcess created: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exe C:\Users\user\Desktop\lT2TTQACRLGKK8w.exe
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.912309734.0000000001490000.00000002.00000001.sdmpBinary or memory string: Program Manager
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.912309734.0000000001490000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.912309734.0000000001490000.00000002.00000001.sdmpBinary or memory string: Progman
                  Source: lT2TTQACRLGKK8w.exe, 00000002.00000002.912309734.0000000001490000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeQueries volume information: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exe VolumeInformation
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeQueries volume information: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exe VolumeInformation
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information:

                  barindex
                  Yara detected AgentTeslaShow sources
                  Source: Yara matchFile source: 00000002.00000002.911137710.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.656573147.0000000004129000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: lT2TTQACRLGKK8w.exe PID: 7092, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: lT2TTQACRLGKK8w.exe PID: 6980, type: MEMORY
                  Source: Yara matchFile source: 2.2.lT2TTQACRLGKK8w.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.lT2TTQACRLGKK8w.exe.4234ac8.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.lT2TTQACRLGKK8w.exe.4234ac8.3.raw.unpack, type: UNPACKEDPE
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Tries to harvest and steal browser information (history, passwords, etc)Show sources
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Tries to harvest and steal ftp login credentialsShow sources
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                  Tries to steal Mail credentials (via file access)Show sources
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Users\user\Desktop\lT2TTQACRLGKK8w.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: Yara matchFile source: 00000002.00000002.912431014.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: lT2TTQACRLGKK8w.exe PID: 7092, type: MEMORY

                  Remote Access Functionality:

                  barindex
                  Yara detected AgentTeslaShow sources
                  Source: Yara matchFile source: 00000002.00000002.911137710.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.656573147.0000000004129000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: lT2TTQACRLGKK8w.exe PID: 7092, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: lT2TTQACRLGKK8w.exe PID: 6980, type: MEMORY
                  Source: Yara matchFile source: 2.2.lT2TTQACRLGKK8w.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.lT2TTQACRLGKK8w.exe.4234ac8.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.lT2TTQACRLGKK8w.exe.4234ac8.3.raw.unpack, type: UNPACKEDPE

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid AccountsWindows Management Instrumentation211Path InterceptionProcess Injection112Masquerading1OS Credential Dumping2Query Registry1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default AccountsNative API1Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1Credentials in Registry1Security Software Discovery211Remote Desktop ProtocolArchive Collected Data11Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion131Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Local System2Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection112NTDSVirtualization/Sandbox Evasion131Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsApplication Window Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information3Cached Domain CredentialsRemote System Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing3DCSyncSystem Information Discovery114Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobTimestomp1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi