Analysis Report i6xFULh8J5.exe

Overview

General Information

Sample Name: i6xFULh8J5.exe
Analysis ID: 432660
MD5: 6c425cf25da766d3d98597a9be4e7300
SHA1: 874344555856dca223730f32ac81b8a743db4cfd
SHA256: 0b72882fbad7f826525003747565e03257ad2e9f60b70d53fe11686dfff1705c
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file name differs from the original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • i6xFULh8J5.exe (PID: 6920 cmdline: 'C:\Users\user\Desktop\i6xFULh8J5.exe' MD5: 6C425CF25DA766D3D98597A9BE4E7300)
    • i6xFULh8J5.exe (PID: 6956 cmdline: 'C:\Users\user\Desktop\i6xFULh8J5.exe' MD5: 6C425CF25DA766D3D98597A9BE4E7300)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "no-reply@mytravelws.com", "Password": "hbhf@--8hyhb#E6g", "Host": "mail.mytravelws.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000002.913772727.0000000000400000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.913772727.0000000000400000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000002.916734898.0000000004862000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 13 entries shown)

            Unpacked PEs

Source | Rule | Description | Author
1.2.i6xFULh8J5.exe.400000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.i6xFULh8J5.exe.400000.1.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.2.i6xFULh8J5.exe.2310000.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.i6xFULh8J5.exe.2310000.4.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.2.i6xFULh8J5.exe.415058.0.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 31 entries shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 1.1.i6xFULh8J5.exe.415058.1.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "no-reply@mytravelws.com", "Password": "hbhf@--8hyhb#E6g", "Host": "mail.mytravelws.com"}
Multi AV Scanner detection for submitted file
Source: i6xFULh8J5.exe, Virustotal: Detection: 13%
Machine Learning detection for sample
Source: i6xFULh8J5.exe, Joe Sandbox ML: detected
Source: 1.2.i6xFULh8J5.exe.400000.1.unpack, Avira: Label: TR/Spy.Gen8
Source: 1.2.i6xFULh8J5.exe.4860000.6.unpack, Avira: Label: TR/Spy.Gen8
Source: 1.1.i6xFULh8J5.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Unpacked PE file: 1.2.i6xFULh8J5.exe.4860000.6.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Unpacked PE file: 1.2.i6xFULh8J5.exe.400000.1.unpack
Source: i6xFULh8J5.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP, source: i6xFULh8J5.exe, 00000000.00000003.651186316.0000000009A60000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb, source: i6xFULh8J5.exe, 00000000.00000003.651186316.0000000009A60000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 0_2_0040263E FindFirstFileA,
Source: global traffic, TCP traffic: 192.168.2.4:49759 -> 185.145.97.154:587
Source: Joe Sandbox View, IP Address: 185.145.97.154
Source: Joe Sandbox View, ASN Name: HOSTWINDSUS
Source: unknown, DNS traffic detected: queries for: mail.mytravelws.com
Source: i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp, String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp, String found in binary or memory: http://DZUhkq.com
Source: i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp, String found in binary or memory: http://DynDns.comDynDNS
Source: i6xFULh8J5.exe, 00000001.00000002.915569353.00000000026DD000.00000004.00000001.sdmp, String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: i6xFULh8J5.exe, 00000001.00000003.891159515.00000000059C0000.00000004.00000001.sdmp, String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: i6xFULh8J5.exe, 00000001.00000002.918823038.00000000059DD000.00000004.00000001.sdmp, String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationScZ
Source: i6xFULh8J5.exe, 00000001.00000002.915569353.00000000026DD000.00000004.00000001.sdmp, String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: i6xFULh8J5.exe, 00000001.00000002.915552191.00000000026D7000.00000004.00000001.sdmp, String found in binary or memory: http://mail.mytravelws.com
Source: i6xFULh8J5.exe, 00000001.00000002.915552191.00000000026D7000.00000004.00000001.sdmp, String found in binary or memory: http://mytravelws.com
Source: i6xFULh8J5.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: i6xFULh8J5.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: i6xFULh8J5.exe, 00000001.00000002.915569353.00000000026DD000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.comodoca.com0
Source: i6xFULh8J5.exe, 00000001.00000002.915569353.00000000026DD000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.sectigo.com0
Source: i6xFULh8J5.exe, 00000001.00000002.915499236.0000000002696000.00000004.00000001.sdmp, i6xFULh8J5.exe, 00000001.00000003.871081377.0000000004FC1000.00000004.00000001.sdmp, i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp, i6xFULh8J5.exe, 00000001.00000002.915635781.0000000002704000.00000004.00000001.sdmp, String found in binary or memory: https://Aloa82nGvgBCiZ.org
Source: i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp, String found in binary or memory: https://api.ipify.org%$
Source: i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp, String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: i6xFULh8J5.exe, 00000001.00000002.915569353.00000000026DD000.00000004.00000001.sdmp, String found in binary or memory: https://sectigo.com/CPS0
Source: i6xFULh8J5.exe, 00000000.00000002.657892904.00000000022C0000.00000004.00000001.sdmp, i6xFULh8J5.exe, 00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 0_2_00404853
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 0_2_00406131
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 0_2_6FC71A98
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 1_3_05969919
Source: i6xFULh8J5.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: i6xFULh8J5.exe, 00000000.00000003.654308462.0000000009D0F000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs i6xFULh8J5.exe
Source: i6xFULh8J5.exe, 00000000.00000002.657892904.00000000022C0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameJXRsApCFgOIPRvMvtWyWbNCN.exe4 vs i6xFULh8J5.exe
Source: i6xFULh8J5.exe, 00000001.00000002.913725980.0000000000199000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameUNKNOWN_FILET vs i6xFULh8J5.exe
Source: i6xFULh8J5.exe, 00000001.00000002.914372440.0000000000840000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs i6xFULh8J5.exe
Source: i6xFULh8J5.exe, 00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameJXRsApCFgOIPRvMvtWyWbNCN.exe4 vs i6xFULh8J5.exe
Source: i6xFULh8J5.exe, 00000001.00000002.919010044.0000000005F70000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs i6xFULh8J5.exe
Source: i6xFULh8J5.exe, 00000001.00000002.917679426.00000000050C0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs i6xFULh8J5.exe
Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@3/5@4/1
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, File created: C:\Users\user\AppData\Roaming\xnpbd3fr.5ju
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, File created: C:\Users\user\AppData\Local\Temp\nsb5CBB.tmp
Source: i6xFULh8J5.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 occurrences)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, File read: C:\Windows\System32\drivers\etc\hosts (5 occurrences)
Source: i6xFULh8J5.exe, Virustotal: Detection: 13%
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, File read: C:\Users\user\Desktop\i6xFULh8J5.exe
Source: unknown, Process created: C:\Users\user\Desktop\i6xFULh8J5.exe 'C:\Users\user\Desktop\i6xFULh8J5.exe'
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Process created: C:\Users\user\Desktop\i6xFULh8J5.exe 'C:\Users\user\Desktop\i6xFULh8J5.exe' (2 occurrences)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Unpacked PE file: 1.2.i6xFULh8J5.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Unpacked PE file: 1.2.i6xFULh8J5.exe.4860000.6.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Unpacked PE file: 1.2.i6xFULh8J5.exe.400000.1.unpack
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 0_2_6FC72F60 push eax; ret
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 1_3_05979E84 push ecx; iretd (4 occurrences)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 1_3_0597E21F push edx; retf
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 1_3_0597C107 pushad ; retf
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 1_3_0597E20D push edx; retf
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 1_3_0597E250 push eax; retf
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 1_3_0597E25A push edx; retf
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 1_3_0597CD64 pushad ; ret
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 1_3_05965B3B push FFFFFFDBh; iretd
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, File created: C:\Users\user\AppData\Local\Temp\nsm5CFC.tmp\System.dll
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Process information set: NOOPENFILEERRORBOX (66 occurrences)

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Window / User API: threadDelayed 626
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Window / User API: threadDelayed 9227
Source: C:\Users\user\Desktop\i6xFULh8J5.exe TID: 5872, Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\i6xFULh8J5.exe TID: 5868, Thread sleep count: 626 > 30
Source: C:\Users\user\Desktop\i6xFULh8J5.exe TID: 5868, Thread sleep count: 9227 > 30
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 occurrences)
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 0_2_0040263E FindFirstFileA,
Source: i6xFULh8J5.exe, 00000001.00000002.917679426.00000000050C0000.00000002.00000001.sdmp, Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: i6xFULh8J5.exe, 00000001.00000002.917679426.00000000050C0000.00000002.00000001.sdmp, Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: i6xFULh8J5.exe, 00000001.00000002.917679426.00000000050C0000.00000002.00000001.sdmp, Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: i6xFULh8J5.exe, 00000001.00000002.917679426.00000000050C0000.00000002.00000001.sdmp, Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Process token adjusted: Debug
Source: C:\Users\user\Desktop\i6xFULh8J5.exe, Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Maps a DLL or memory area into another process
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; Section loaded: unknown target: C:\Users\user\Desktop\i6xFULh8J5.exe protection: execute and read and write
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; Process created: C:\Users\user\Desktop\i6xFULh8J5.exe 'C:\Users\user\Desktop\i6xFULh8J5.exe'
                      Source: i6xFULh8J5.exe, 00000001.00000002.914864068.0000000000D20000.00000002.00000001.sdmp; Binary or memory string: Program Manager
                      Source: i6xFULh8J5.exe, 00000001.00000002.914864068.0000000000D20000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
                      Source: i6xFULh8J5.exe, 00000001.00000002.914864068.0000000000D20000.00000002.00000001.sdmp; Binary or memory string: Progman
                      Source: i6xFULh8J5.exe, 00000001.00000002.914864068.0000000000D20000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match; File source: 00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.913772727.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.916734898.0000000004862000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000002.657892904.00000000022C0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.915996454.0000000003381000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000001.654864588.0000000000414000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.914093005.0000000000549000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.2310000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.415058.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.3385530.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.i6xFULh8J5.exe.22d1458.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.4860000.6.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.2310000.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.1.i6xFULh8J5.exe.415058.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.i6xFULh8J5.exe.22c0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.563db8.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.3385530.5.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.415058.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.i6xFULh8J5.exe.22d1458.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.563db8.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.i6xFULh8J5.exe.22c0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.1.i6xFULh8J5.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.1.i6xFULh8J5.exe.415058.1.raw.unpack, type: UNPACKEDPE
                      Yara detected AgentTesla
                      Source: Yara match; File source: 00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.913772727.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.916734898.0000000004862000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000002.657892904.00000000022C0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.915996454.0000000003381000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000001.654864588.0000000000414000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.914093005.0000000000549000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: i6xFULh8J5.exe PID: 6956, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: i6xFULh8J5.exe PID: 6920, type: MEMORY
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.2310000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.415058.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.3385530.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.i6xFULh8J5.exe.22d1458.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.4860000.6.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.2310000.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.1.i6xFULh8J5.exe.415058.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.i6xFULh8J5.exe.22c0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.563db8.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.3385530.5.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.415058.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.i6xFULh8J5.exe.22d1458.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.563db8.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.i6xFULh8J5.exe.22c0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.1.i6xFULh8J5.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.1.i6xFULh8J5.exe.415058.1.raw.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to steal Mail credentials (via file access)
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\Desktop\i6xFULh8J5.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: Yara match; File source: 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: i6xFULh8J5.exe PID: 6956, type: MEMORY

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match; File source: 00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.913772727.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.916734898.0000000004862000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000002.657892904.00000000022C0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.915996454.0000000003381000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000001.654864588.0000000000414000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.914093005.0000000000549000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.2310000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.415058.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.3385530.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.i6xFULh8J5.exe.22d1458.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.4860000.6.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.2310000.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.1.i6xFULh8J5.exe.415058.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.i6xFULh8J5.exe.22c0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.563db8.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.3385530.5.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.415058.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.i6xFULh8J5.exe.22d1458.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.563db8.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.i6xFULh8J5.exe.22c0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.1.i6xFULh8J5.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.1.i6xFULh8J5.exe.415058.1.raw.unpack, type: UNPACKEDPE
                      Yara detected AgentTesla
                      Source: Yara match; File source: 00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.913772727.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.916734898.0000000004862000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000002.657892904.00000000022C0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.915996454.0000000003381000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000001.654864588.0000000000414000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.914093005.0000000000549000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: i6xFULh8J5.exe PID: 6956, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: i6xFULh8J5.exe PID: 6920, type: MEMORY
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.2310000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.415058.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.3385530.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.i6xFULh8J5.exe.22d1458.3.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.4860000.6.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.2310000.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.1.i6xFULh8J5.exe.415058.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.i6xFULh8J5.exe.22c0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.563db8.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.3385530.5.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.415058.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.i6xFULh8J5.exe.22d1458.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.i6xFULh8J5.exe.563db8.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.i6xFULh8J5.exe.22c0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.1.i6xFULh8J5.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.1.i6xFULh8J5.exe.415058.1.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Techniques per tactic (bracketed digits are the hit counts shown next to a technique in the original matrix, reproduced unchanged):
                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                      Execution: Windows Management Instrumentation [211]; Native API [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
                      Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                      Privilege Escalation: Process Injection [112]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                      Defense Evasion: Disable or Modify Tools [1]; Obfuscated Files or Information [1]; Software Packing [31]; Masquerading [1]; Virtualization/Sandbox Evasion [141]; Process Injection [112]; Compile After Delivery; Indicator Removal from Tools
                      Credential Access: OS Credential Dumping [2]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                      Discovery: File and Directory Discovery [2]; System Information Discovery [116]; Query Registry [1]; Security Software Discovery [121]; Process Discovery [2]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]; Remote System Discovery [1]
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
                      Collection: Archive Collected Data [1]; Data from Local System [2]; Email Collection [1]; Clipboard Data [1]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                      Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
                      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                      Impact: System Shutdown/Reboot [1]; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

                      Behavior Graph

                      Screenshots

                      Thumbnails


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      i6xFULh8J5.exe | 13% | Virustotal | -
                      i6xFULh8J5.exe | 100% | Joe Sandbox ML | -

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Local\Temp\nsm5CFC.tmp\System.dll | 0% | Metadefender | -
                      C:\Users\user\AppData\Local\Temp\nsm5CFC.tmp\System.dll | 0% | ReversingLabs | -

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      1.2.i6xFULh8J5.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
                      1.2.i6xFULh8J5.exe.4860000.6.unpack | 100% | Avira | TR/Spy.Gen8
                      0.2.i6xFULh8J5.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
                      1.0.i6xFULh8J5.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
                      0.0.i6xFULh8J5.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
                      1.1.i6xFULh8J5.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      Source | Detection | Scanner | Label
                      mail.mytravelws.com | 1% | Virustotal | -

                      URLs

                      Source | Detection | Scanner | Label
                      http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
                      http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      https://sectigo.com/CPS0 | 0% | URL Reputation | safe
                      http://crt.sectigo.com/SectigoRSADomainValidationScZ | 0% | Avira URL Cloud | safe
                      http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      http://DZUhkq.com | 0% | Avira URL Cloud | safe
                      https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
                      https://Aloa82nGvgBCiZ.org | 0% | Avira URL Cloud | safe
                      http://mytravelws.com | 0% | Avira URL Cloud | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                      http://mail.mytravelws.com | 0% | Avira URL Cloud | safe
                      https://api.ipify.org%$ | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      mytravelws.com | 185.145.97.154 | true | true | - | unknown
                      mail.mytravelws.com | unknown | unknown | true | - | unknown

                        URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | i6xFULh8J5.exe, 00000001.00000002.915569353.00000000026DD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://127.0.0.1:HTTP/1.1 | i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                      http://DynDns.comDynDNS | i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://sectigo.com/CPS0 | i6xFULh8J5.exe, 00000001.00000002.915569353.00000000026DD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://crt.sectigo.com/SectigoRSADomainValidationScZ | i6xFULh8J5.exe, 00000001.00000002.918823038.00000000059DD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://nsis.sf.net/NSIS_Error | i6xFULh8J5.exe | false | - | high
                      http://ocsp.sectigo.com0 | i6xFULh8J5.exe, 00000001.00000002.915569353.00000000026DD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://DZUhkq.com | i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      https://api.ipify.org%GETMozilla/5.0 | i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp | false | URL Reputation: safe | low
                      https://Aloa82nGvgBCiZ.org | i6xFULh8J5.exe, 00000001.00000002.915499236.0000000002696000.00000004.00000001.sdmp, i6xFULh8J5.exe, 00000001.00000003.871081377.0000000004FC1000.00000004.00000001.sdmp, i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp, i6xFULh8J5.exe, 00000001.00000002.915635781.0000000002704000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://mytravelws.com | i6xFULh8J5.exe, 00000001.00000002.915552191.00000000026D7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://nsis.sf.net/NSIS_ErrorError | i6xFULh8J5.exe | false | - | high
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | i6xFULh8J5.exe, 00000000.00000002.657892904.00000000022C0000.00000004.00000001.sdmp, i6xFULh8J5.exe, 00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://mail.mytravelws.com | i6xFULh8J5.exe, 00000001.00000002.915552191.00000000026D7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      https://api.ipify.org%$ | i6xFULh8J5.exe, 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low

                            Contacted IPs


                            Public

                      IP | Domain | Country | ASN | ASN Name | Malicious
                      185.145.97.154 | mytravelws.com | Netherlands | 54290 | HOSTWINDSUS | true

                            General Information

                      Joe Sandbox Version: 32.0.0 Black Diamond
                      Analysis ID: 432660
                      Start date: 10.06.2021
                      Start time: 16:30:27
                      Joe Sandbox Product: CloudBasic
                      Overall analysis duration: 0h 8m 26s
                      Hypervisor based Inspection enabled: false
                      Report type: light
                      Sample file name: i6xFULh8J5.exe
                      Cookbook file name: default.jbs
                      Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of new started processes analysed: 16
                      Number of new started drivers analysed: 0
                      Number of existing processes analysed: 0
                      Number of existing drivers analysed: 0
                      Number of injected processes analysed: 0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@3/5@4/1
                            EGA Information:Failed
                            HDC Information:
                            • Successful, ratio: 64.6% (good quality ratio 63.4%)
                            • Quality average: 88.5%
                            • Quality standard deviation: 21.9%
                            HCA Information:Failed
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            Warnings:
                            Show All
                            • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                            • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 52.147.198.201, 92.122.145.220, 13.64.90.137, 168.61.161.212, 20.82.210.154, 20.72.88.19, 2.20.142.209, 2.20.142.210, 20.54.26.129, 20.75.105.140, 92.122.213.247, 92.122.213.194
                            • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.dc-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
16:31:28 | API Interceptor | 742x Sleep call for process: i6xFULh8J5.exe modified

                            Joe Sandbox View / Context

                            IPs

Match | Associated Sample Name / URL | Detection
185.145.97.154
  PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx | malicious
  bnpQ6kcuVR.exe | malicious
  vbc (2).exe | malicious
  ST7Ado3UF0.exe | malicious
  P6Jz2vkfxM.exe | malicious
  report payment.xlsx | malicious
  sUBjOPCItO.exe | malicious
  PO-May-2021.xlsx | malicious
  0WkusO1rOi.exe | malicious
  H2aIwW0WIT.exe | malicious
  YOWLnt9Yre.exe | malicious
  38 X 38 X 2.5 MM.xlsx | malicious
  Jj8w5yRkRd.exe | malicious
  9c1ed25a_by_Libranalysis.exe | malicious
  bNU0rOHXQb.exe | malicious
  0b8e201e_by_Libranalysis.exe | malicious
  AWSC-##YU.xlsx | malicious

                                                              Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                                              ASN

Match | Associated Sample Name / URL | Detection | Context
HOSTWINDSUS
  PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx | malicious | 185.145.97.154
  PO.exe | malicious | 104.168.175.179
  ___(__)10115_____210609.exe | malicious | 192.119.111.43
  #Ubc1c#Uc8fc#Ubd84(#Uc2e0#Uaddc)_10115_#Uc9c0#Uc544#Uc774#Ud14c#Ud06c_210608.exe | malicious | 192.119.111.43
  #Ubc1c#Uc8fc#Ubd84(#Uc2e0#Uaddc)_10115_#Uc9c0#Uc544#Uc774#Ud14c#Ud06c_210607.exe | malicious | 192.119.111.43
  Quote20210607.exe | malicious | 192.119.111.43
  bnpQ6kcuVR.exe | malicious | 185.145.97.154
  vbc (2).exe | malicious | 185.145.97.154
  20200237 Item List -#U00bb#U00e7#U00be#U00e7 #U00c0#U00fb#U00bf#U00eb.xlsx.exe | malicious | 192.119.111.43
  _.html | malicious | 192.236.192.242
  ST7Ado3UF0.exe | malicious | 185.145.97.154
  P6Jz2vkfxM.exe | malicious | 185.145.97.154
  report payment.xlsx | malicious | 185.145.97.154
  20210531 Item List (114578PZ) - #U00bb#U00e7#U00be#U00e7 #U00c0#U00fb#U00bf#U00eb.exe | malicious | 104.168.166.188
  PO-20210601.exe | malicious | 104.168.166.188
  Quote-20210601.exe | malicious | 104.168.166.188
  20200237 Item List (84EA) - #Uc0ac#Uc591 #Uc801#Uc6a9.exe | malicious | 104.168.166.188
  Quote-210601.exe | malicious | 104.168.166.188
  QUOTATION-FORM.exe | malicious | 104.168.166.188
  sUBjOPCItO.exe | malicious | 185.145.97.154

                                                              JA3 Fingerprints

                                                              No context

                                                              Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\nsm5CFC.tmp\System.dll
  AWB00028487364 -000487449287.doc | malicious
  090049000009000.exe | malicious
  dYy3yfSkwY.exe | malicious
  PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx | malicious
  Purchase Order Price List 061021.xlsx | malicious
  Proforma Invoice and Bank swift-REG.PI-0086547654.exe | malicious
  UGGJ4NnzFz.exe | malicious
  Proforma Invoice and Bank swift-REG.PI-0086547654.exe | malicious
  3arZKnr21W.exe | malicious
  Shipping receipt.exe | malicious
  New Order TL273723734533.pdf.exe | malicious
  YZ8OvkljWm.exe | malicious
  U03c2doc.exe | malicious
  QUOTE061021.exe | malicious
  PAYMENT CONFIRMATION.exe | malicious
  PO187439.exe | malicious
  090009000000090.exe | malicious
  NEWORDERLIST.exe | malicious
  00404000004.exe | malicious
  40900900090000.exe | malicious

                                                                                                      Created / dropped Files

                                                                                                      C:\Users\user\AppData\Local\Temp\cngupzj2oe
Process: C:\Users\user\Desktop\i6xFULh8J5.exe
File Type: data
Category: dropped
Size (bytes): 292864
Entropy (8bit): 7.999431096026405
Encrypted: true
SSDEEP: 6144:Fl0wrd3yw6dDxCbwJQ2BYabuiDeD7rSphe5Tx/J81Y454:/rNyzCbwGebpheTx/Ju4
MD5: 50C707C4A6C86D7DEEA6AB366421D287
SHA1: D8C267A75759ACFA4C41440FA114F1537C1C6DEB
SHA-256: D318B7EA53EA3BAEA3077BDF6A509F5795F50347BCED88553B49224322115CBF
SHA-512: B0E7AD4DB0358D8598E97EC9D3766115520CEA7586B1E1145DDB08D94DE4C39CE541CB5E11BDD45054B222778708A30A98B4044809110D76825F52DE8B20DDB6
Malicious: false
Reputation: low
                                                                                                      Preview: ....#.Z...Z..r..n...V.....'.]....(.....c[..&C.[.zP_..~..z.^.8.....1|.Y...../....4...Z.f.hX.<...P......\..z._c6....._.g..Q...wm....`.Q...\...@...~...d...#..-..mY....M:.....C5<E....S..}.?K@YG+..1.....1.>@5.$...Fs............2.P......v...J.P.{.R..E>a..e....(=I.@R|......^.K.1../..n..2..yh..\../.eq.l...74~..K..o..CM.<.Z..AP...#.......ye./p..F....>"*...a.aT.8..5X......-t..*...Mi.b...x....j.`|?......"(.....cA..k.A}..T..E.u (...5..'.M...D.3.c.w.L.&.t..P.wb[V...S._....8.....#f."...o'.~....d.....^Q.L.4.n.E....g..M..R..S....b_[.0+..iT....X`...hQ...h..l4..d.O...X.......>.L.Xn....D.|.Q.{.0]/.S..>.Ry. .=.@w....xKu.w..U......Z.8<...v..>_9L....y.".*..A2...A..QW.=.....,G..4.O.\M.s.Lig....> .........^..H.`lb$.......2._7.c....|!n.O4%?>O.*.'.5|..fI.......i.N]".8....1...b.L.Ev.....$._..O@..j$....(.pW....._.O...U..j3....(ag].3v..[...E..>..U.kh..M...;..~R+.3.f.....0.V.T+AC.Z.J..F..W~11.YD....|i.c.a.W{................P..R{S.] x..c.x3....J.f....._...+
                                                                                                      C:\Users\user\AppData\Local\Temp\imrixuzycldld
Process: C:\Users\user\Desktop\i6xFULh8J5.exe
File Type: data
Category: dropped
Size (bytes): 56353
Entropy (8bit): 4.960718014510871
Encrypted: false
SSDEEP: 768:PtBIk3+DDvjQSgCsBn/7sUA+J2/yBjJi+X7eqJpVxdk2q8xlB9mPiM8+xlMg8VS:1y/DCdBDsd+JQelnVxdkB8/B9mPi2yVS
MD5: 9C22DFC73C577BE53A2D0216ED1D846F
SHA1: B6C3D777BFD8D4EA20AF30D77D413B50B558CB88
SHA-256: CC6D0EC0C062FBB1934B0CDE671CD19F10130B7773F707F3CEBFC48841268DE3
SHA-512: ED4A93461E65AD09228481AA973082F4319453ED77D62273E8535C8DD25FD7C92CA4BB1CF4A5D467E1D1B04593B9CEE3E30079CC682F32D8242E84BDD0C0DF00
Malicious: false
Reputation: low
                                                                                                      Preview: U...........p...).q.....r.....s.....t.....u.....v...k.w.....x.....y...d.z.....{.....|.....}...k.~.....................f.....O...............................................................................................6...........................................................k...................................k.........................................k.................Z.......................K.....N.................2...................................m...........'.....'.....'...................................2.......................k...................................k.........................................k...........2.....Z.................2.....K.....N.....................................................m...........'.....'.....'.................f.........................................k...........f.......................k...........f
                                                                                                      C:\Users\user\AppData\Local\Temp\nsm5CFB.tmp
Process: C:\Users\user\Desktop\i6xFULh8J5.exe
File Type: data
Category: dropped
Size (bytes): 388931
Entropy (8bit): 7.644285707033539
Encrypted: false
SSDEEP: 6144:ph4l0wrd3yw6dDxCbwJQ2BYabuiDeD7rSphe5Tx/J81Y45s/ZQjkIuPut:KrNyzCbwGebpheTx/JusCjkI8m
MD5: 779592F0B8F98EBF3E724421735E1876
SHA1: 97C3E60CF03CBF2F57F78A172E09A53DB520F9E5
SHA-256: 9066D1B11F2B6FB122A37F20AA9DFD2FFFC99230A3328844E5BFBB79857FCE9A
SHA-512: 3F97F51DCA3A32825DB0806304137B16DDDBED911FBFAFEF70ACDA34D8093AC3C90B6EADA45FF32A190D1B8E0A279915E82AF5BE5EE5AEBCDCB69E12C3D18D53
Malicious: false
Reputation: low
                                                                                                      Preview: .m......,.......................LP......,l.......l..............................................................#...........................................................................................................................................................................J...................j...........................................................................................................................................W...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      C:\Users\user\AppData\Local\Temp\nsm5CFC.tmp\System.dll
Process: C:\Users\user\Desktop\i6xFULh8J5.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11776
Entropy (8bit): 5.855045165595541
Encrypted: false
SSDEEP: 192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5: FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1: 30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256: 6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512: F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: AWB00028487364 -000487449287.doc, Detection: malicious
• Filename: 090049000009000.exe, Detection: malicious
• Filename: dYy3yfSkwY.exe, Detection: malicious
• Filename: PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx, Detection: malicious
• Filename: Purchase Order Price List 061021.xlsx, Detection: malicious
• Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious
• Filename: UGGJ4NnzFz.exe, Detection: malicious
• Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious
• Filename: 3arZKnr21W.exe, Detection: malicious
• Filename: Shipping receipt.exe, Detection: malicious
• Filename: New Order TL273723734533.pdf.exe, Detection: malicious
• Filename: YZ8OvkljWm.exe, Detection: malicious
• Filename: U03c2doc.exe, Detection: malicious
• Filename: QUOTE061021.exe, Detection: malicious
• Filename: PAYMENT CONFIRMATION.exe, Detection: malicious
• Filename: PO187439.exe, Detection: malicious
• Filename: 090009000000090.exe, Detection: malicious
• Filename: NEWORDERLIST.exe, Detection: malicious
• Filename: 00404000004.exe, Detection: malicious
• Filename: 40900900090000.exe, Detection: malicious
Reputation: moderate, very likely benign file
                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      C:\Users\user\AppData\Roaming\xnpbd3fr.5ju\Chrome\Default\Cookies
Process: C:\Users\user\Desktop\i6xFULh8J5.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.7006690334145785
Encrypted: false
SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
MD5: A7FE10DA330AD03BF22DC9AC76BBB3E4
SHA1: 1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
SHA-256: 8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
SHA-512: 1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
Malicious: false
Reputation: high, very likely benign file
                                                                                                      Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.080951210547221
TrID:
• Win32 Executable (generic) a (10002005/4) 92.16%
• NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: i6xFULh8J5.exe
File size: 540995
MD5: 6c425cf25da766d3d98597a9be4e7300
SHA1: 874344555856dca223730f32ac81b8a743db4cfd
SHA256: 0b72882fbad7f826525003747565e03257ad2e9f60b70d53fe11686dfff1705c
SHA512: 6a43093a9eb59d68c6fc7347eab380bd9dd35d4b8badc58eb744643e6a7b97425b6b5f21078c46bd9ef988c4ec4b813a14cf2a92f8e2e557c0dda5d82a6a87a9
SSDEEP: 6144:6sS4XfaAuVCZHen8rTxSLMsM30U2ckP0v5AhLxr0sQfjF9fc5+L+k6uzVXvC2f/N:skNfxxvxe0RAz4eo4cVRf/pJdNoSAg
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\.........

File Icon

Icon Hash: 31f8d4f0e8f47080

Static PE Info

General

Entrypoint: 0x40323c
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007F2FACA0072Eh
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F458h
call dword ptr [00407158h]
push 004091B8h
push 004236A0h
call 00007F2FACA003E1h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007F2FACA003CFh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007F2FAC9FDB2Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F2FAC9FFEC2h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F2FAC9FDB85h
cmp cl, 00000020h
jne 00007F2FAC9FDB28h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F2FAC9FDB1Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x2ea88 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5a5a | 0x5c00 | False | 0.660453464674 | data | 6.41769823686 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.4453125 | data | 5.18162709925 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1af98 | 0x400 | False | 0.55859375 | data | 4.70902740305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2c000 | 0x2ea88 | 0x2ec00 | False | 0.348648479278 | data | 4.44560190393 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2c310 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x3cb38 | 0x94a8 | data | English | United States
RT_ICON | 0x45fe0 | 0x69df | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x4c9c0 | 0x5488 | data | English | United States
RT_ICON | 0x51e48 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | English | United States
RT_ICON | 0x56070 | 0x25a8 | data | English | United States
RT_ICON | 0x58618 | 0x10a8 | data | English | United States
RT_ICON | 0x596c0 | 0x988 | data | English | United States
RT_ICON | 0x5a048 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_DIALOG | 0x5a4b0 | 0x100 | data | English | United States
RT_DIALOG | 0x5a5b0 | 0x11c | data | English | United States
RT_DIALOG | 0x5a6d0 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x5a730 | 0x84 | data | English | United States
RT_MANIFEST | 0x5a7b8 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 10, 2021 16:33:07.274609089 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:07.326955080 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:07.327167034 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:07.407892942 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:07.408173084 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:07.461004972 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:07.461407900 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:07.515892029 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:07.565799952 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:07.580606937 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:07.648952961 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:07.648987055 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:07.649003029 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:07.649015903 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:07.649085045 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:07.649135113 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:07.660783052 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:07.687160015 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:07.739372015 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:07.784548044 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:08.020052910 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:08.072082996 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:08.077243090 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:08.132307053 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:08.133141994 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:08.224497080 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:08.434758902 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:08.439166069 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:08.491475105 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:08.494575024 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:08.587511063 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:08.656271935 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:08.656836033 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:08.708772898 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:08.710311890 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:08.710545063 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:08.711524963 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:08.711668015 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:08.762227058 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:08.762279034 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:08.763242960 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:08.763271093 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:09.346879959 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:09.394067049 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:10.824043989 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:10.878382921 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:10.878556013 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:10.995899916 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:11.462141037 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:11.513782024 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:11.515136957 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:11.592566013 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:11.593064070 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:11.645109892 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:11.647048950 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154
Jun 10, 2021 16:33:11.701004028 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4
Jun 10, 2021 16:33:11.701805115 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154
                                                                                                      Jun 10, 2021 16:33:11.767189980 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:11.767231941 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:11.767256021 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:11.767273903 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:11.767350912 CEST49760587192.168.2.4185.145.97.154
                                                                                                      Jun 10, 2021 16:33:11.771059036 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:11.778059006 CEST49760587192.168.2.4185.145.97.154
                                                                                                      Jun 10, 2021 16:33:11.831494093 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:11.834542036 CEST49760587192.168.2.4185.145.97.154
                                                                                                      Jun 10, 2021 16:33:11.886405945 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:11.890369892 CEST49760587192.168.2.4185.145.97.154
                                                                                                      Jun 10, 2021 16:33:11.943137884 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:11.947787046 CEST49760587192.168.2.4185.145.97.154
                                                                                                      Jun 10, 2021 16:33:12.013725996 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:12.014375925 CEST49760587192.168.2.4185.145.97.154
                                                                                                      Jun 10, 2021 16:33:12.066332102 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:12.067073107 CEST49760587192.168.2.4185.145.97.154
                                                                                                      Jun 10, 2021 16:33:12.158375978 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:12.195329905 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:12.195959091 CEST49760587192.168.2.4185.145.97.154
                                                                                                      Jun 10, 2021 16:33:12.249341965 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:12.251629114 CEST49760587192.168.2.4185.145.97.154
                                                                                                      Jun 10, 2021 16:33:12.251985073 CEST49760587192.168.2.4185.145.97.154
                                                                                                      Jun 10, 2021 16:33:12.252207994 CEST49760587192.168.2.4185.145.97.154
                                                                                                      Jun 10, 2021 16:33:12.252445936 CEST49760587192.168.2.4185.145.97.154
                                                                                                      Jun 10, 2021 16:33:12.252789974 CEST49760587192.168.2.4185.145.97.154
                                                                                                      Jun 10, 2021 16:33:12.252998114 CEST49760587192.168.2.4185.145.97.154
                                                                                                      Jun 10, 2021 16:33:12.253166914 CEST49760587192.168.2.4185.145.97.154
                                                                                                      Jun 10, 2021 16:33:12.253369093 CEST49760587192.168.2.4185.145.97.154
                                                                                                      Jun 10, 2021 16:33:12.303487062 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:12.303580046 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:12.303770065 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:12.303972006 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:12.304379940 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:12.304408073 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:12.304498911 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:12.304703951 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:12.304862976 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:12.335310936 CEST58749760185.145.97.154192.168.2.4
                                                                                                      Jun 10, 2021 16:33:12.378856897 CEST49760587192.168.2.4185.145.97.154

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 10, 2021 16:31:08.820503950 CEST | 59123 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:08.843307972 CEST | 54531 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:08.879436016 CEST | 53 | 59123 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:08.893702030 CEST | 53 | 54531 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:10.896902084 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:10.946814060 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:11.488945007 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:11.548984051 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:11.694916010 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:11.754446983 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:12.785131931 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:12.846481085 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:13.758203030 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:13.817022085 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:14.906419039 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:14.959626913 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:15.753509998 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:15.807682037 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:16.760272980 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:16.814701080 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:17.618000984 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:17.668526888 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:18.765999079 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:18.816210985 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:20.161376953 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:20.220058918 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:20.983668089 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:21.034496069 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:21.927871943 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:21.981107950 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:23.025336981 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:23.076498985 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:23.947134972 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:23.997332096 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:25.099188089 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:25.149590969 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:25.884020090 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:25.934185028 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:27.044317007 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:27.094527960 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:27.907584906 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:27.959486008 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:31:42.805233002 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:31:42.878016949 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:32:03.273896933 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:32:03.489829063 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:32:04.081512928 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:32:04.147088051 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:32:04.285444021 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:32:04.357515097 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:32:04.563460112 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:32:04.693949938 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:32:05.695972919 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:32:05.757884979 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:32:06.557415962 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:32:06.622850895 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:32:07.720948935 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:32:07.775743961 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:32:08.705986023 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:32:08.769689083 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:32:09.829175949 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:32:09.892926931 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:32:11.528718948 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:32:11.590265036 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:32:15.036381006 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:32:15.098016024 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:32:15.849589109 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:32:15.911247015 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:32:19.823508978 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:32:19.885330915 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:32:53.078896046 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:32:53.153359890 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:32:54.225924969 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:32:54.301631927 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:33:07.010297060 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:33:07.077755928 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:33:07.089621067 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:33:07.151684999 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:33:11.307936907 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:33:11.366795063 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4
Jun 10, 2021 16:33:11.389303923 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8
Jun 10, 2021 16:33:11.458507061 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 10, 2021 16:33:07.010297060 CEST | 192.168.2.4 | 8.8.8.8 | 0x32a0 | Standard query (0) | mail.mytravelws.com | A (IP address) | IN (0x0001)
Jun 10, 2021 16:33:07.089621067 CEST | 192.168.2.4 | 8.8.8.8 | 0x3c7a | Standard query (0) | mail.mytravelws.com | A (IP address) | IN (0x0001)
Jun 10, 2021 16:33:11.307936907 CEST | 192.168.2.4 | 8.8.8.8 | 0x10e9 | Standard query (0) | mail.mytravelws.com | A (IP address) | IN (0x0001)
Jun 10, 2021 16:33:11.389303923 CEST | 192.168.2.4 | 8.8.8.8 | 0xca35 | Standard query (0) | mail.mytravelws.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 10, 2021 16:33:07.077755928 CEST | 8.8.8.8 | 192.168.2.4 | 0x32a0 | No error (0) | mail.mytravelws.com | mytravelws.com | | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 16:33:07.077755928 CEST | 8.8.8.8 | 192.168.2.4 | 0x32a0 | No error (0) | mytravelws.com | | 185.145.97.154 | A (IP address) | IN (0x0001)
Jun 10, 2021 16:33:07.151684999 CEST | 8.8.8.8 | 192.168.2.4 | 0x3c7a | No error (0) | mail.mytravelws.com | mytravelws.com | | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 16:33:07.151684999 CEST | 8.8.8.8 | 192.168.2.4 | 0x3c7a | No error (0) | mytravelws.com | | 185.145.97.154 | A (IP address) | IN (0x0001)
Jun 10, 2021 16:33:11.366795063 CEST | 8.8.8.8 | 192.168.2.4 | 0x10e9 | No error (0) | mail.mytravelws.com | mytravelws.com | | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 16:33:11.366795063 CEST | 8.8.8.8 | 192.168.2.4 | 0x10e9 | No error (0) | mytravelws.com | | 185.145.97.154 | A (IP address) | IN (0x0001)
Jun 10, 2021 16:33:11.458507061 CEST | 8.8.8.8 | 192.168.2.4 | 0xca35 | No error (0) | mail.mytravelws.com | mytravelws.com | | CNAME (Canonical name) | IN (0x0001)
Jun 10, 2021 16:33:11.458507061 CEST | 8.8.8.8 | 192.168.2.4 | 0xca35 | No error (0) | mytravelws.com | | 185.145.97.154 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jun 10, 2021 16:33:07.407892942 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 | 220-servertrv.mytravelws.com ESMTP Exim 4.94.2 #2 Thu, 10 Jun 2021 14:33:07 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Jun 10, 2021 16:33:07.408173084 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 | EHLO 301389
Jun 10, 2021 16:33:07.461004972 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 | 250-servertrv.mytravelws.com Hello 301389 [84.17.52.18]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-STARTTLS
    250 HELP
Jun 10, 2021 16:33:07.461407900 CEST | 49759 | 587 | 192.168.2.4 | 185.145.97.154 | STARTTLS
Jun 10, 2021 16:33:07.515892029 CEST | 587 | 49759 | 185.145.97.154 | 192.168.2.4 | 220 TLS go ahead
Jun 10, 2021 16:33:11.592566013 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 | 220-servertrv.mytravelws.com ESMTP Exim 4.94.2 #2 Thu, 10 Jun 2021 14:33:11 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Jun 10, 2021 16:33:11.593064070 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 | EHLO 301389
Jun 10, 2021 16:33:11.645109892 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 | 250-servertrv.mytravelws.com Hello 301389 [84.17.52.18]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-STARTTLS
    250 HELP
Jun 10, 2021 16:33:11.647048950 CEST | 49760 | 587 | 192.168.2.4 | 185.145.97.154 | STARTTLS
Jun 10, 2021 16:33:11.701004028 CEST | 587 | 49760 | 185.145.97.154 | 192.168.2.4 | 220 TLS go ahead

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 16:31:16
Start date: 10/06/2021
Path: C:\Users\user\Desktop\i6xFULh8J5.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\i6xFULh8J5.exe'
Imagebase: 0x400000
File size: 540995 bytes
MD5 hash: 6C425CF25DA766D3D98597A9BE4E7300
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.657892904.00000000022C0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.657892904.00000000022C0000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 16:31:17
Start date: 10/06/2021
Path: C:\Users\user\Desktop\i6xFULh8J5.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\i6xFULh8J5.exe'
Imagebase: 0x400000
                                                                                                      File size:540995 bytes
                                                                                                      MD5 hash:6C425CF25DA766D3D98597A9BE4E7300
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.915053341.0000000002310000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.913772727.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.913772727.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.916734898.0000000004862000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.916734898.0000000004862000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.915996454.0000000003381000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.915996454.0000000003381000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000001.654864588.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000001.654864588.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.914093005.0000000000549000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.914093005.0000000000549000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                      Reputation:low
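The two process blocks above show the same binary started twice with an identical command line, the first instance classified as native code and the second as .NET, with the second instance's Yara hits landing at its own image base (0x400000) in memory whose protection field reads 00000040. The following triage helper is an added example, not code from the Joe Sandbox report or from the sample it describes: it parses the key:value lines and the Yara `Source:` dump identifiers in this format and flags that self-injection pattern. It assumes the dotted `.sdmp` identifier reads positionally as `<process index>.<dump pass>.<dump id>.<base address>.<protection>.<flags>`; only the base address and protection fields are used, and the protection value is decoded with the Win32 `PAGE_*` constants from winnt.h. The `SAMPLE` text is constructed from the two blocks above, trimmed to a few Yara lines.

```python
"""Triage helper for the 'System Behavior' process blocks of a Joe Sandbox report.

Added example, not part of the report or of the malware it describes. Flags one
binary started twice with an identical command line where the later instance
holds a Yara-flagged payload at its own image base in writable+executable memory.
Assumption: the dotted .sdmp identifier is read positionally as
<process index>.<dump pass>.<dump id>.<base address>.<protection>.<flags>.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Win32 memory protection constants (winnt.h) used to decode the protection field.
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
                   0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_EXECUTE_READWRITE = 0x40

SDMP_RE = re.compile(r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dpass>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
                     r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\."
                     r"(?P<flags>[0-9A-Fa-f]{8})\.sdmp$")
YARA_LINE_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<src>\S+\.sdmp)")


@dataclass
class YaraHit:
    rule: str
    proc_index: int
    base: int
    protection: int

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection, hex(self.protection))


@dataclass
class ProcessRecord:
    start_time: str = ""
    path: str = ""
    commandline: str = ""
    imagebase: int = 0
    language: str = ""
    hits: List[YaraHit] = field(default_factory=list)


def parse_source(source: str):
    """Split a dump identifier into (process index, base address, protection)."""
    m = SDMP_RE.match(source.strip())
    if not m:
        raise ValueError(f"unrecognised dump identifier: {source!r}")
    return int(m["proc"], 16), int(m["base"], 16), int(m["prot"], 16)


def parse_yara_line(line: str) -> Optional[YaraHit]:
    m = YARA_LINE_RE.search(line)
    if not m:
        return None
    proc, base, prot = parse_source(m["src"])
    return YaraHit(m["rule"].strip(), proc, base, prot)


def parse_process_blocks(text: str) -> List[ProcessRecord]:
    """One ProcessRecord per 'General' block; Yara bullets attach to the current block."""
    records: List[ProcessRecord] = []
    current: Optional[ProcessRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "General":
            current = ProcessRecord()
            records.append(current)
        elif current is None or not line:
            continue
        elif "Rule:" in line and ".sdmp" in line:
            hit = parse_yara_line(line)
            if hit:
                current.hits.append(hit)
        else:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Start time":
                current.start_time = value
            elif key == "Path":
                current.path = value
            elif key == "Commandline":
                current.commandline = value
            elif key == "Imagebase":
                current.imagebase = int(value, 16)
            elif key == "Programmed in":
                current.language = value
    return records


def flag_self_injection(records: List[ProcessRecord]) -> List[dict]:
    """Pair each process with later instances of the same path+command line and
    report those whose image base is Yara-flagged in PAGE_EXECUTE_READWRITE memory."""
    ordered = sorted(records, key=lambda r: r.start_time)
    findings = []
    for i, parent in enumerate(ordered):
        for child in ordered[i + 1:]:
            if (parent.path, parent.commandline) != (child.path, child.commandline):
                continue
            rwx_at_base = [h for h in child.hits
                           if h.base == child.imagebase and h.protection == PAGE_EXECUTE_READWRITE]
            if rwx_at_base:
                findings.append({"path": child.path, "imagebase": hex(child.imagebase),
                                 "parent_language": parent.language, "child_language": child.language,
                                 "rules": sorted({h.rule for h in rwx_at_base})})
    return findings


# Constructed sample: the two process blocks from the report, trimmed to a few Yara lines.
SAMPLE = r"""
General
Start time:16:31:16
Path:C:\Users\user\Desktop\i6xFULh8J5.exe
Commandline:'C:\Users\user\Desktop\i6xFULh8J5.exe'
Imagebase:0x400000
Programmed in:C, C++ or other language
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.657892904.00000000022C0000.00000004.00000001.sdmp, Author: Joe Security
General
Start time:16:31:17
Path:C:\Users\user\Desktop\i6xFULh8J5.exe
Commandline:'C:\Users\user\Desktop\i6xFULh8J5.exe'
Imagebase:0x400000
Programmed in:.Net C# or VB.NET
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.913772727.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.913772727.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.915137007.0000000002381000.00000004.00000001.sdmp, Author: Joe Security
"""

if __name__ == "__main__":
    for finding in flag_self_injection(parse_process_blocks(SAMPLE)):
        print(finding)
```

Run stand-alone, the script reports one finding: the second i6xFULh8J5.exe instance, started one second after the first with the same command line, carries both AgentTesla rules at 0x400000 in PAGE_EXECUTE_READWRITE memory. That combination (a native parent, a .NET child under the same image path, payload at the child's image base in RWX) is the evidence behind the "creates a process in suspended mode" and "maps a memory area into another process" signatures listed for this sample; the `language` fields are carried in the finding so an analyst can see the parent/child classification change at a glance. The script has no knowledge of the protection field's exact meaning beyond the stated assumption, so treat the decoded names as a reading aid, not as ground truth from the sandbox.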

                                                                                                      Disassembly

                                                                                                      Code Analysis
