
Analysis Report supply us this product.exe

Overview

General Information

Sample Name: supply us this product.exe
Analysis ID: 432673
MD5: 958f243581dc2eda4e763086875e9a0b
SHA1: cd163dd563fa0cda762ab9c5df8743f053fed612
SHA256: ae44346a0297d8a9deab5419ff2b4679b83646abbed05b835c90fc33eb3ce2d5
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Installs a global keyboard hook
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • supply us this product.exe (PID: 5764 cmdline: 'C:\Users\user\Desktop\supply us this product.exe' MD5: 958F243581DC2EDA4E763086875E9A0B)
    • supply us this product.exe (PID: 4800 cmdline: C:\Users\user\Desktop\supply us this product.exe MD5: 958F243581DC2EDA4E763086875E9A0B)
    • supply us this product.exe (PID: 4772 cmdline: C:\Users\user\Desktop\supply us this product.exe MD5: 958F243581DC2EDA4E763086875E9A0B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "ideshow@eflownutrition.com", "Password": "ngozi8989", "Host": "mail.scottbyscott.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | -
00000005.00000000.212702747.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000005.00000000.212702747.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | -
00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | -

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.supply us this product.exe.3770470.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
1.2.supply us this product.exe.3770470.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | -
1.2.supply us this product.exe.3770470.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
1.2.supply us this product.exe.3770470.2.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | -
5.2.supply us this product.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 1.2.supply us this product.exe.3770470.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ideshow@eflownutrition.com", "Password": "ngozi8989", "Host": "mail.scottbyscott.com"}
Source: 5.2.supply us this product.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.supply us this product.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: supply us this product.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: supply us this product.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\kzeyDVBhkY\src\obj\Debug\MultiProducerMultiConsumerQueue.pdb<O source: supply us this product.exe
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\kzeyDVBhkY\src\obj\Debug\MultiProducerMultiConsumerQueue.pdb source: supply us this product.exe
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (2 identical entries)
Source: global traffic | TCP traffic: 192.168.2.3:49759 -> 50.87.146.199:587
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: global traffic | TCP traffic: 192.168.2.3:49759 -> 50.87.146.199:587
Source: unknown | DNS traffic detected: queries for: mail.scottbyscott.com
Source: supply us this product.exe, 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: supply us this product.exe, 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: supply us this product.exe, 00000005.00000002.478257571.0000000002AF7000.00000004.00000001.sdmp, supply us this product.exe, 00000005.00000002.478643570.0000000002B54000.00000004.00000001.sdmp | String found in binary or memory: http://htwqxRSsZE4FT.org
Source: supply us this product.exe, 00000005.00000002.478483716.0000000002B30000.00000004.00000001.sdmp | String found in binary or memory: http://mail.scottbyscott.com
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: supply us this product.exe, 00000001.00000002.216030237.00000000024F1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: supply us this product.exe, 00000005.00000002.478483716.0000000002B30000.00000004.00000001.sdmp | String found in binary or memory: http://scottbyscott.com
Source: supply us this product.exe, 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp | String found in binary or memory: http://vmyBzt.com
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: supply us this product.exe, 00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp, supply us this product.exe, 00000005.00000000.212702747.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: supply us this product.exe, 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\supply us this product.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\supply us this product.exe
Source: C:\Users\user\Desktop\supply us this product.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\supply us this product.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 5.2.supply us this product.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b9AB3E9B2u002dCCCAu002d4F7Du002d85E1u002d8625B6C7A3E5u007d/u003129E41EDu002d6F52u002d4B23u002d9F03u002d59879E427C5D.cs | Large array initialization: .cctor: array initializer size 11994
Source: 5.0.supply us this product.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b9AB3E9B2u002dCCCAu002d4F7Du002d85E1u002d8625B6C7A3E5u007d/u003129E41EDu002d6F52u002d4B23u002d9F03u002d59879E427C5D.cs | Large array initialization: .cctor: array initializer size 11994
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_024B94A8
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_024BC148
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_024BA758
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FB440
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FF3B0
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FACF0
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FBE70
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054F7B00
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054F7548
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054F7550
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FB433
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FA179
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FA188
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FF1B8
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054F0040
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054F003E
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FACEB
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FECE8
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FEF20
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FBE6E
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FDB60
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054F7AFB
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B12B510
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B124500
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B1289E7
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B124018
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B1247F8
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B1247E9
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B128A4E
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B1236DC
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B123110
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B128810
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B126810
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B128801
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B120006
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B124008
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B125C31
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B128450
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B120040
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B125C40
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B128441
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B1230C9
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B1244EF
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D147A0
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D14790
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D383B0
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D3A778
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D35940
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D32EC8
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D32F3A
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D66818
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D65AB8
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D66230
Source: supply us this product.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: supply us this product.exe, 00000001.00000002.220189281.0000000005620000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs supply us this product.exe
Source: supply us this product.exe, 00000001.00000002.214120101.000000000018A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMultiProducerMultiConsumerQueue.exe< vs supply us this product.exe
Source: supply us this product.exe, 00000001.00000002.216030237.00000000024F1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamedpmEuvYxooWcRZhqwNkcIIeFuEcnrQym.exe4 vs supply us this product.exe
Source: supply us this product.exe, 00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKygo.dll* vs supply us this product.exe
Source: supply us this product.exe, 00000003.00000000.210980526.00000000004EA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMultiProducerMultiConsumerQueue.exe< vs supply us this product.exe
Source: supply us this product.exe, 00000005.00000002.472757335.000000000058A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMultiProducerMultiConsumerQueue.exe< vs supply us this product.exe
Source: supply us this product.exe, 00000005.00000002.475727960.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs supply us this product.exe
Source: supply us this product.exe, 00000005.00000002.473311587.00000000009D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs supply us this product.exe
Source: supply us this product.exe, 00000005.00000002.471383380.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamedpmEuvYxooWcRZhqwNkcIIeFuEcnrQym.exe4 vs supply us this product.exe
Source: supply us this product.exe, 00000005.00000002.473017146.0000000000938000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs supply us this product.exe
Source: supply us this product.exe | Binary or memory string: OriginalFilenameMultiProducerMultiConsumerQueue.exe< vs supply us this product.exe
Source: supply us this product.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: supply us this product.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.2.supply us this product.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 identical entries)
Source: 5.0.supply us this product.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 identical entries)
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@5/2@2/1
Source: C:\Users\user\Desktop\supply us this product.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\supply us this product.exe.log
Source: supply us this product.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\supply us this product.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries)
Source: C:\Users\user\Desktop\supply us this product.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\supply us this product.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\supply us this product.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\supply us this product.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 identical entries)
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: unknown | Process created: C:\Users\user\Desktop\supply us this product.exe 'C:\Users\user\Desktop\supply us this product.exe'
Source: C:\Users\user\Desktop\supply us this product.exe | Process created: C:\Users\user\Desktop\supply us this product.exe C:\Users\user\Desktop\supply us this product.exe (4 identical entries)
Source: C:\Users\user\Desktop\supply us this product.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\supply us this product.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\supply us this product.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: supply us this product.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: supply us this product.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: supply us this product.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\kzeyDVBhkY\src\obj\Debug\MultiProducerMultiConsumerQueue.pdb<O source: supply us this product.exe
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\kzeyDVBhkY\src\obj\Debug\MultiProducerMultiConsumerQueue.pdb source: supply us this product.exe
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FB3B0 push eax; retf
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B124B6E push ebx; retf
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B127DDA push ecx; retf
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B127DE1 push ecx; retf
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B12805D push esp; retf
Source: initial sample | Static PE information: section name: .text entropy: 7.95544670392
Source: C:\Users\user\Desktop\supply us this product.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: supply us this product.exe PID: 5764, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\supply us this product.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\supply us this product.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\supply us this product.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\supply us this product.exe | Window / User API: threadDelayed 2046
Source: C:\Users\user\Desktop\supply us this product.exe | Window / User API: threadDelayed 7805
Source: C:\Users\user\Desktop\supply us this product.exe TID: 4768 | Thread sleep time: -101949s >= -30000s
Source: C:\Users\user\Desktop\supply us this product.exe TID: 5108 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\supply us this product.exe TID: 1064 | Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\Desktop\supply us this product.exe TID: 1048 | Thread sleep count: 2046 > 30
Source: C:\Users\user\Desktop\supply us this product.exe TID: 1048 | Thread sleep count: 7805 > 30
Source: C:\Users\user\Desktop\supply us this product.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\supply us this product.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\supply us this product.exe | Thread delayed: delay time: 101949
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}"_
Source: C:\Users\user\Desktop\supply us this product.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D3B6E8 LdrInitializeThunk,
Source: C:\Users\user\Desktop\supply us this product.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\supply us this product.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\supply us this product.exe | Memory written: C:\Users\user\Desktop\supply us this product.exe base: 400000 value starts with: 4D5A
Modifies the hosts file
Source: C:\Users\user\Desktop\supply us this product.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\supply us this product.exe | Process created: C:\Users\user\Desktop\supply us this product.exe C:\Users\user\Desktop\supply us this product.exe
Source: supply us this product.exe, 00000005.00000002.476156488.00000000012D0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: supply us this product.exe, 00000005.00000002.476156488.00000000012D0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: supply us this product.exe, 00000005.00000002.476156488.00000000012D0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: supply us this product.exe, 00000005.00000002.476156488.00000000012D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\supply us this product.exe | Queries volume information: C:\Users\user\Desktop\supply us this product.exe VolumeInformation
Source: C:\Users\user\Desktop\supply us this product.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\supply us this product.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\supply us this product.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\supply us this product.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\supply us this product.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\supply us this product.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\supply us this product.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\supply us this product.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Users\user\Desktop\supply us this product.exe | File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000005.00000000.212702747.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.471383380.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: supply us this product.exe PID: 5764, type: MEMORY
Source: Yara match | File source: Process Memory Space: supply us this product.exe PID: 4772, type: MEMORY
Source: Yara match | File source: 1.2.supply us this product.exe.3770470.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.supply us this product.exe.3770470.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.supply us this product.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.supply us this product.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.supply us this product.exe.35bbe30.1.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\supply us this product.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\supply us this product.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\supply us this product.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\supply us this product.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\supply us this product.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\supply us this product.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\supply us this product.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\supply us this product.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: supply us this product.exe PID: 4772, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000005.00000000.212702747.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.471383380.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: supply us this product.exe PID: 5764, type: MEMORY
Source: Yara match | File source: Process Memory Space: supply us this product.exe PID: 4772, type: MEMORY
Source: Yara match | File source: 1.2.supply us this product.exe.3770470.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.supply us this product.exe.3770470.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.supply us this product.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.supply us this product.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.supply us this product.exe.35bbe30.1.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 112 | File and Directory Permissions Modification 1 | OS Credential Dumping 2 | System Information Discovery 114 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Input Capture 11 | Query Registry 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Credentials in Registry 1 | Security Software Discovery 211 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture 11 | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 3 | LSA Secrets | Virtualization/Sandbox Evasion 131 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Application Window Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 131 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 112 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

The digits following a technique name are the report's per-technique signature counters, kept as they appear in the original matrix.

Behavior Graph

[Behavior graph image not reproduced in this text export. Legend of the graph: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet]
                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
supply us this product.exe | 9% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
5.2.supply us this product.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
5.0.supply us this product.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://scottbyscott.com | 0% | Avira URL Cloud | safe
http://htwqxRSsZE4FT.org | 0% | Avira URL Cloud | safe
http://mail.scottbyscott.com | 0% | Avira URL Cloud | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://vmyBzt.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
http://r3.i.lencr.org/0 | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
scottbyscott.com | 50.87.146.199 | true | true | | unknown
mail.scottbyscott.com | unknown | unknown | true | | unknown

                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | supply us this product.exe, 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | supply us this product.exe, 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://scottbyscott.com | supply us this product.exe, 00000005.00000002.478483716.0000000002B30000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://htwqxRSsZE4FT.org | supply us this product.exe, 00000005.00000002.478257571.0000000002AF7000.00000004.00000001.sdmp, supply us this product.exe, 00000005.00000002.478643570.0000000002B54000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://mail.scottbyscott.com | supply us this product.exe, 00000005.00000002.478483716.0000000002B30000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://cps.letsencrypt.org0 | supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | supply us this product.exe, 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://x1.c.lencr.org/0 | supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://r3.o.lencr.org0 | supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://vmyBzt.com | supply us this product.exe, 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | supply us this product.exe, 00000001.00000002.216030237.00000000024F1000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | supply us this product.exe, 00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp, supply us this product.exe, 00000005.00000000.212702747.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | false | | high
http://cps.root-x1.letsencrypt.org0 | supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://r3.i.lencr.org/0 | supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown

                              Contacted IPs


                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
50.87.146.199 | scottbyscott.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true

                              General Information

                              Joe Sandbox Version:32.0.0 Black Diamond
                              Analysis ID:432673
                              Start date:10.06.2021
                              Start time:16:42:14
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 10m 6s
                              Hypervisor based Inspection enabled:false
                              Report type:light
                              Sample file name:supply us this product.exe
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:31
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.adwa.spyw.evad.winEXE@5/2@2/1
                              EGA Information:Failed
                              HDC Information:
                              • Successful, ratio: 1.1% (good quality ratio 1%)
                              • Quality average: 47.9%
                              • Quality standard deviation: 25.7%
                              HCA Information:
                              • Successful, ratio: 98%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .exe
                              Warnings:
                              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                              • Excluded IPs from analysis (whitelisted): 13.88.21.125, 92.122.145.220, 168.61.161.212, 184.30.20.56, 20.49.157.6, 51.103.5.159, 2.20.142.209, 2.20.142.210, 20.75.105.140, 20.54.26.129, 20.72.88.19, 92.122.213.194, 92.122.213.247, 20.82.210.154
                              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

Time | Type | Description
16:43:04 | API Interceptor | 740x Sleep call for process: supply us this product.exe modified

                              Joe Sandbox View / Context

                              IPs

                              No context

                              Domains

                              No context

                              ASN

Match | Associated Sample Name / URL | Detection | Context
UNIFIEDLAYER-AS-1US | #U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTM | malicious | 192.185.74.169
UNIFIEDLAYER-AS-1US | 3arZKnr21W.exe | malicious | 192.254.235.195
UNIFIEDLAYER-AS-1US | 6b6zVfqxbk.xlsb | malicious | 216.172.184.23
UNIFIEDLAYER-AS-1US | HM-20210428 HBL.exe | malicious | 192.254.180.165
UNIFIEDLAYER-AS-1US | INQUIRY. ZIP.exe | malicious | 50.87.190.227
UNIFIEDLAYER-AS-1US | audit-78958169.xlsb | malicious | 192.185.113.120
UNIFIEDLAYER-AS-1US | research-1315978726.xlsb | malicious | 216.172.184.23
UNIFIEDLAYER-AS-1US | ExHNIXd73f.exe | malicious | 108.167.142.232
UNIFIEDLAYER-AS-1US | research-2012220787.xlsb | malicious | 216.172.184.23
UNIFIEDLAYER-AS-1US | viVrtGR9Wg.xlsb | malicious | 192.185.113.120
UNIFIEDLAYER-AS-1US | DEMLwnv0Nt.xlsb | malicious | 192.185.113.120
UNIFIEDLAYER-AS-1US | audit-367497006.xlsb | malicious | 192.185.113.120
UNIFIEDLAYER-AS-1US | analysis-31947858.xlsb | malicious | 108.167.156.223
UNIFIEDLAYER-AS-1US | analysis-1593377733.xlsb | malicious | 108.167.156.223
UNIFIEDLAYER-AS-1US | research-531942606.xlsb | malicious | 192.185.33.8
UNIFIEDLAYER-AS-1US | OM PHOENIX TRADERS.exe | malicious | 192.254.185.244
UNIFIEDLAYER-AS-1US | research-121105165.xlsb | malicious | 192.185.33.8
UNIFIEDLAYER-AS-1US | research-76934760.xlsb | malicious | 192.185.33.8
UNIFIEDLAYER-AS-1US | research-1960540844.xlsx | malicious | 192.185.33.8

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\supply us this product.exe.log
                              Process:C:\Users\user\Desktop\supply us this product.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1314
                              Entropy (8bit):5.350128552078965
                              Encrypted:false
                              SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                              MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                              SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                              SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                              SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                              C:\Windows\System32\drivers\etc\hosts
                              Process:C:\Users\user\Desktop\supply us this product.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):11
                              Entropy (8bit):2.663532754804255
                              Encrypted:false
                              SSDEEP:3:iLE:iLE
                              MD5:B24D295C1F84ECBFB566103374FB91C5
                              SHA1:6A750D3F8B45C240637332071D34B403FA1FF55A
                              SHA-256:4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
                              SHA-512:9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
                              Malicious:true
                              Reputation:high, very likely benign file
                              Preview: ..127.0.0.1

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.607581520365733
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                              • Win32 Executable (generic) a (10002005/4) 49.78%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              File name:supply us this product.exe
                              File size:907264
                              MD5:958f243581dc2eda4e763086875e9a0b
                              SHA1:cd163dd563fa0cda762ab9c5df8743f053fed612
                              SHA256:ae44346a0297d8a9deab5419ff2b4679b83646abbed05b835c90fc33eb3ce2d5
                              SHA512:da0face65969d9ec3626eae938111a7bd863a842b19fbd8ecefc8df6dd011652a157ab476d857d8af7e7a8506bf6e4a4de205958242ddbf059c9a6791fcd78c3
                              SSDEEP:12288:bUV7Cwg8mnQigQl1j/Bi31o8BAAmx9HvBI0RA43AGDhZM4e/ZUdtb:bmC4mjgQzj/BiFFafx9F9AchNeBUdt
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M..`..............P..0..........fO... ...`....@.. .......................@............@................................

                              File Icon

                              Icon Hash:8c8caa8e9692aa00

                              Static PE Info

                              General

                              Entrypoint:0x4b4f66
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                              Time Stamp:0x60C2164D [Thu Jun 10 13:40:29 2021 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:v4.0.30319
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                              Entrypoint Preview

                              Instruction
                              jmp dword ptr [00402000h]

                              Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb4f14 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb6000 | 0x2a3d4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb4ddc | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                              Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb2f6c | 0xb3000 | False | 0.946567300978 | data | 7.95544670392 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xb6000 | 0x2a3d4 | 0x2a400 | False | 0.12447993713 | data | 4.17411605052 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                              Resources

Name | RVA | Size | Type
RT_ICON | 0xb6200 | 0x2326 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON | 0xb8538 | 0x10828 | dBase III DBT, version number 0, next free block index 40
RT_ICON | 0xc8d70 | 0x94a8 | data
RT_ICON | 0xd2228 | 0x5488 | data
RT_ICON | 0xd76c0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON | 0xdb8f8 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON | 0xddeb0 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON | 0xdef68 | 0x988 | data
RT_ICON | 0xdf900 | 0x468 | GLS_BINARY_LSB_FIRST
RT_GROUP_ICON | 0xdfd78 | 0x84 | data
RT_VERSION | 0xdfe0c | 0x3c8 | data
RT_MANIFEST | 0xe01e4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                              Imports

DLL | Import
mscoree.dll | _CorExeMain

                              Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Paul Harris 2016
Assembly Version | 251.2.0.0
InternalName | MultiProducerMultiConsumerQueue.exe
FileVersion | 251.2.0.0
CompanyName | Paul Harris
LegalTrademarks |
Comments | 1992 Alpine A 610
ProductName | ReloadManager
ProductVersion | 251.2.0.0
FileDescription | ReloadManager
OriginalFilename | MultiProducerMultiConsumerQueue.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                             Src Port  Dst Port  Source IP       Dest IP
Jun 10, 2021 16:45:00.939832926 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:01.126144886 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:01.126327038 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:03.956713915 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:03.957417011 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:04.145348072 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:04.145904064 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:04.340920925 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:04.388159990 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:04.430222988 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:04.629743099 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:04.629796982 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:04.629833937 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:04.629861116 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:04.629941940 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:04.629987955 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:04.633068085 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:04.641385078 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:04.829282999 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:04.872855902 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:05.129991055 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:05.316404104 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:05.320581913 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:05.507282972 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:05.508452892 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:05.734195948 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:05.736284971 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:05.923954964 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:05.924567938 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:06.151444912 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:06.181214094 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:06.182041883 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:06.368148088 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:06.374519110 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:06.375176907 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:06.375197887 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:06.375343084 CEST     49759       587  192.168.2.3     50.87.146.199
Jun 10, 2021 16:45:06.562066078 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:06.563066959 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:06.563081980 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:06.563087940 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:06.563599110 CEST       587     49759  50.87.146.199   192.168.2.3
Jun 10, 2021 16:45:06.606982946 CEST     49759       587  192.168.2.3     50.87.146.199

UDP Packets

Timestamp                             Src Port  Dst Port  Source IP       Dest IP
Jun 10, 2021 16:42:56.258388042 CEST     58361        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:42:56.319225073 CEST        53     58361  8.8.8.8         192.168.2.3
Jun 10, 2021 16:42:57.368027925 CEST     63492        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:42:57.421149969 CEST        53     63492  8.8.8.8         192.168.2.3
Jun 10, 2021 16:42:58.138667107 CEST     60831        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:42:58.201411009 CEST        53     60831  8.8.8.8         192.168.2.3
Jun 10, 2021 16:42:58.453378916 CEST     60100        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:42:58.506350994 CEST        53     60100  8.8.8.8         192.168.2.3
Jun 10, 2021 16:42:59.334577084 CEST     53195        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:42:59.384685040 CEST        53     53195  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:00.542500973 CEST     50141        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:00.592962027 CEST        53     50141  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:02.315161943 CEST     53023        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:02.374692917 CEST        53     53023  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:03.483397007 CEST     49563        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:03.535886049 CEST        53     49563  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:04.511207104 CEST     51352        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:04.561410904 CEST        53     51352  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:05.431035042 CEST     59349        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:05.481168985 CEST        53     59349  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:06.362893105 CEST     57084        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:06.413151979 CEST        53     57084  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:07.311208963 CEST     58823        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:07.361267090 CEST        53     58823  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:08.266130924 CEST     57568        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:08.316145897 CEST        53     57568  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:09.190562010 CEST     50540        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:09.243616104 CEST        53     50540  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:10.355942965 CEST     54366        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:10.414921999 CEST        53     54366  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:11.941920042 CEST     53034        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:11.995295048 CEST        53     53034  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:12.893654108 CEST     57762        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:12.945406914 CEST        53     57762  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:13.806236029 CEST     55435        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:13.856189013 CEST        53     55435  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:14.890638113 CEST     50713        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:14.940960884 CEST        53     50713  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:31.883455992 CEST     56132        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:31.946002960 CEST        53     56132  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:32.657687902 CEST     58987        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:32.727158070 CEST        53     58987  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:52.599786043 CEST     56579        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:52.660857916 CEST        53     56579  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:53.060441017 CEST     60633        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:53.121721983 CEST        53     60633  8.8.8.8         192.168.2.3
Jun 10, 2021 16:43:53.232753992 CEST     61292        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:43:53.293638945 CEST        53     61292  8.8.8.8         192.168.2.3
Jun 10, 2021 16:44:02.579128027 CEST     63619        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:44:02.731652975 CEST        53     63619  8.8.8.8         192.168.2.3
Jun 10, 2021 16:44:03.747196913 CEST     64938        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:44:03.806921005 CEST        53     64938  8.8.8.8         192.168.2.3
Jun 10, 2021 16:44:04.490444899 CEST     61946        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:44:04.565329075 CEST        53     61946  8.8.8.8         192.168.2.3
Jun 10, 2021 16:44:05.022654057 CEST     64910        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:44:05.165291071 CEST        53     64910  8.8.8.8         192.168.2.3
Jun 10, 2021 16:44:05.983757019 CEST     52123        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:44:06.046206951 CEST        53     52123  8.8.8.8         192.168.2.3
Jun 10, 2021 16:44:07.050965071 CEST     56130        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:44:07.102823019 CEST        53     56130  8.8.8.8         192.168.2.3
Jun 10, 2021 16:44:08.087718010 CEST     56338        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:44:08.146688938 CEST        53     56338  8.8.8.8         192.168.2.3
Jun 10, 2021 16:44:09.115701914 CEST     59420        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:44:09.166862965 CEST        53     59420  8.8.8.8         192.168.2.3
Jun 10, 2021 16:44:10.718446016 CEST     58784        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:44:10.782983065 CEST        53     58784  8.8.8.8         192.168.2.3
Jun 10, 2021 16:44:13.084239006 CEST     63978        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:44:13.145562887 CEST        53     63978  8.8.8.8         192.168.2.3
Jun 10, 2021 16:44:13.169725895 CEST     62938        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:44:13.229742050 CEST        53     62938  8.8.8.8         192.168.2.3
Jun 10, 2021 16:44:15.495228052 CEST     55708        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:44:15.554701090 CEST        53     55708  8.8.8.8         192.168.2.3
Jun 10, 2021 16:44:47.731378078 CEST     56803        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:44:47.807257891 CEST        53     56803  8.8.8.8         192.168.2.3
Jun 10, 2021 16:44:50.020605087 CEST     57145        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:44:50.083514929 CEST        53     57145  8.8.8.8         192.168.2.3
Jun 10, 2021 16:45:00.238121986 CEST     55359        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:45:00.436954975 CEST        53     55359  8.8.8.8         192.168.2.3
Jun 10, 2021 16:45:00.766784906 CEST     58306        53  192.168.2.3     8.8.8.8
Jun 10, 2021 16:45:00.826528072 CEST        53     58306  8.8.8.8         192.168.2.3

DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                   Type            Class
Jun 10, 2021 16:45:00.238121986 CEST  192.168.2.3  8.8.8.8  0xbed1    Standard query (0)  mail.scottbyscott.com  A (IP address)  IN (0x0001)
Jun 10, 2021 16:45:00.766784906 CEST  192.168.2.3  8.8.8.8  0xa072    Standard query (0)  mail.scottbyscott.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                   CName             Address        Type                    Class
Jun 10, 2021 16:45:00.436954975 CEST  8.8.8.8    192.168.2.3  0xbed1    No error (0)  mail.scottbyscott.com  scottbyscott.com  -              CNAME (Canonical name)  IN (0x0001)
Jun 10, 2021 16:45:00.436954975 CEST  8.8.8.8    192.168.2.3  0xbed1    No error (0)  scottbyscott.com       -                 50.87.146.199  A (IP address)          IN (0x0001)
Jun 10, 2021 16:45:00.826528072 CEST  8.8.8.8    192.168.2.3  0xa072    No error (0)  mail.scottbyscott.com  scottbyscott.com  -              CNAME (Canonical name)  IN (0x0001)
Jun 10, 2021 16:45:00.826528072 CEST  8.8.8.8    192.168.2.3  0xa072    No error (0)  scottbyscott.com       -                 50.87.146.199  A (IP address)          IN (0x0001)

SMTP Packets

Timestamp                             Src Port  Dst Port  Source IP       Dest IP
  Commands
Jun 10, 2021 16:45:03.956713915 CEST       587     49759  50.87.146.199   192.168.2.3
  220-gator3013.hostgator.com ESMTP Exim 4.94.2 #2 Thu, 10 Jun 2021 09:45:03 -0500
  220-We do not authorize the use of this system to transport unsolicited,
  220 and/or bulk e-mail.
Jun 10, 2021 16:45:03.957417011 CEST     49759       587  192.168.2.3     50.87.146.199
  EHLO 045012
Jun 10, 2021 16:45:04.145348072 CEST       587     49759  50.87.146.199   192.168.2.3
  250-gator3013.hostgator.com Hello 045012 [84.17.52.18]
  250-SIZE 52428800
  250-8BITMIME
  250-PIPELINING
  250-PIPE_CONNECT
  250-AUTH PLAIN LOGIN
  250-STARTTLS
  250 HELP
Jun 10, 2021 16:45:04.145904064 CEST     49759       587  192.168.2.3     50.87.146.199
  STARTTLS
Jun 10, 2021 16:45:04.340920925 CEST       587     49759  50.87.146.199   192.168.2.3
  220 TLS go ahead

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 16:43:03
Start date: 10/06/2021
Path: C:\Users\user\Desktop\supply us this product.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\supply us this product.exe'
Imagebase: 0xc0000
File size: 907264 bytes
MD5 hash: 958F243581DC2EDA4E763086875E9A0B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 16:43:06
Start date: 10/06/2021
Path: C:\Users\user\Desktop\supply us this product.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\supply us this product.exe
Imagebase: 0x420000
File size: 907264 bytes
MD5 hash: 958F243581DC2EDA4E763086875E9A0B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 16:43:06
Start date: 10/06/2021
Path: C:\Users\user\Desktop\supply us this product.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\supply us this product.exe
Imagebase: 0x4c0000
File size: 907264 bytes
MD5 hash: 958F243581DC2EDA4E763086875E9A0B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.212702747.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.212702747.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.471383380.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.471383380.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis
