Analysis Report SecuriteInfo.com.Variant.MSILHeracles.17940.23513.15553

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.15553 (renamed file extension from 15553 to exe)
Analysis ID: 433227
MD5: 95201005885c91db292adaae627a5d57
SHA1: d172e70ecb7f3206bcd34d7d5b51be54d9bdc350
SHA256: 73f2e9b534cff49f248d0d3469902ac7c3150da888786e5cde16a935ce4ce0c2
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla (two rules: JoeSecurity_AgentTesla_1 and JoeSecurity_AgentTesla_2)
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • NXLun.exe (PID: 4712 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 4732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • NXLun.exe (PID: 4128 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 4140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "operations@priserveinfra.comoppipl121019mail.priserveinfra.com"}

The extractor emits the SMTP fields as one concatenated string: the sender account operations@priserveinfra.com, what appears to be its SMTP password, and the server mail.priserveinfra.com. The server matches the DNS query and the TCP connection to 50.31.160.189:587 recorded in the AV Detection section below, so this mailbox is the exfiltration drop for this build and the account credential is exposed in the binary.

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000002.00000002.460330476.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.460330476.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(8 further entries not shown)

            Unpacked PEs

Source | Rule | Description | Author
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
2.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.44b9398.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(3 further entries not shown)

                      Sigma Overview

                      System Summary:

Sigma detected: Suspicious Process Start Without DLL
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: (empty), Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe', ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, ParentProcessId: 6136, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5636
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: (empty), Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe', ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, ParentProcessId: 6136, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5636
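Both Sigma matches describe the same event: the first stage (PID 6136, running from the user's Desktop) starts the Microsoft-signed RegSvcs.exe (PID 5636) with no assembly to register, and the Unpacked PEs section above shows the AgentTesla payload at 0x400000 inside that RegSvcs.exe, consistent with the "Creates a process in suspended mode" signature. These two PIDs do not appear in the process tree above, which lists only the dropped NXLun.exe instances. The added example below (editor's code, not Joe Sandbox output and not the Sigma rules' own selection logic) replays that check over process-creation events; the first event is built from the Sigma fields above, the other two are constructed controls, and the utility list and the user-writable path pattern are the editor's assumptions.

```python
"""Replay the two Sigma matches from this report against process-creation
events. Added example (editor's code, not Joe Sandbox's or the Sigma
rules' own logic): the first event is built from the report's Sigma fields;
the other events are constructed controls."""
import re

# .NET SDK utilities that take an assembly path as their first argument and
# are favourite hollowing targets for .NET loaders (assumption: this list,
# not the exact Sigma selection).
ASSEMBLY_UTILITIES = {"regsvcs.exe", "regasm.exe", "installutil.exe"}
# A build tool or installer does not normally run from these directories.
USER_WRITABLE_DIR = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata)\\", re.IGNORECASE)

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def command_line_arguments(cmdline):
    """Return everything after argv[0], honouring a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline[:1] in ("'", '"'):
        close = cmdline.find(cmdline[0], 1)
        return cmdline[close + 1:].strip() if close > 0 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""

def started_without_assembly(event):
    """'Suspicious Process Start Without DLL': RegSvcs/RegAsm/InstallUtil
    launched with nothing to register, the usual shape of a hollowed host."""
    return (image_name(event["Image"]) in ASSEMBLY_UTILITIES
            and command_line_arguments(event["CommandLine"]) == "")

def parent_in_user_writable_dir(event):
    return bool(USER_WRITABLE_DIR.match(event["ParentImage"]))

def triage(events):
    """Return (ProcessId, [reasons]) for every event worth an analyst's time."""
    hits = []
    for ev in events:
        reasons = []
        if started_without_assembly(ev):
            reasons.append("utility started without assembly")
            if parent_in_user_writable_dir(ev):
                reasons.append("parent runs from user-writable directory")
        if reasons:
            hits.append((ev["ProcessId"], reasons))
    return hits

# Event 1 is the report's Sigma match; events 2 and 3 are constructed controls.
EVENTS = [
    {"ProcessId": 5636, "ParentProcessId": 6136,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe"},
    {"ProcessId": 7001, "ParentProcessId": 7000,   # constructed: legitimate use
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" C:\Program Files\Vendor\Component.dll',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"ProcessId": 4732, "ParentProcessId": 4712,   # from the process tree above
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "ParentImage": r"C:\Users\user\AppData\Roaming\NXLun\NXLun.exe"},
]

if __name__ == "__main__":
    for pid, reasons in triage(EVENTS):
        print(pid, "->", "; ".join(reasons))
```

The second reason is what separates this from a developer registering a COM-visible assembly: a bare RegSvcs.exe on its own is rare, and a bare RegSvcs.exe whose parent lives under Desktop, Downloads or AppData is worth pulling memory for (as the Yara hits on the RegSvcs.exe dumps above show).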

                      Signature Overview

                      AV Detection:

Found malware configuration
Source: 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "operations@priserveinfra.comoppipl121019mail.priserveinfra.com"}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | VirusTotal: Detection: 32%
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | ReversingLabs: Detection: 30%
Machine Learning detection for sample
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Joe Sandbox ML: detected
Source: 2.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: NXLun.exe, 00000007.00000000.260473625.0000000000422000.00000002.00020000.sdmp, NXLun.exe, 00000009.00000002.279694341.0000000000542000.00000002.00020000.sdmp, NXLun.exe.2.dr
Source: Binary string: RegSvcs.pdb, source: NXLun.exe, NXLun.exe.2.dr
Source: Binary string: EncodingInfo.pdb, source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (4 occurrences)
Source: global traffic | TCP traffic: 192.168.2.3:49739 -> 50.31.160.189:587
Source: Joe Sandbox View | IP Address: 50.31.160.189
Source: Joe Sandbox View | ASN Name: SERVERCENTRALUS
Source: unknown | DNS traffic detected: queries for: mail.priserveinfra.com
Source: RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | String found in binary or memory: http://CvqG2KRIY7VhTa.o
Source: RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.464427936.000000000345D000.00000004.00000001.sdmp | String found in binary or memory: http://CvqG2KRIY7VhTa.org
Source: RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | String found in binary or memory: http://hcwBaC.com
Source: RegSvcs.exe, 00000002.00000002.464306400.0000000003431000.00000004.00000001.sdmp | String found in binary or memory: http://mail.priserveinfra.com
Source: RegSvcs.exe, 00000002.00000002.464306400.0000000003431000.00000004.00000001.sdmp | String found in binary or memory: http://priserveinfra.com
Source: RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/01
Source: RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202880593.0000000003391000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202436218.000000000170B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
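The URL strings above are of three kinds and only one of them is an indicator. The identrust.com, letsencrypt.org and lencr.org entries are the Let's Encrypt certificate chain, the normal residue of a TLS handshake with a server that uses such a certificate; schemas.xmlsoap.org is a .NET Framework namespace; api.ipify.org, DynDns.com and the Tor download URL are AgentTesla's own external-IP lookup and Tor-mode helpers and appear across builds. The priserveinfra.com hosts are the campaign-specific part, and they match the SMTP server in the extracted configuration. The added example below (editor's code, not part of the report; the allowlists and the family-marker list are the editor's assumptions) sorts the report's strings accordingly and confirms the C2 host against the extracted configuration, leaving the unexplained hosts for review.

```python
"""Sort the 'String found in binary or memory' URLs from the report into
actionable indicators and noise. Added example: the URL list is copied from
the report; the allowlists are the editor's assumptions, not Joe Sandbox logic."""
import re

# Copied from the report (trailing bytes such as '0' or '%GET' are memory
# residue that follows the string in the dump).
REPORT_STRINGS = [
    "http://127.0.0.1:HTTP/1.1",
    "http://CvqG2KRIY7VhTa.org",
    "http://DynDns.comDynDNS",
    "http://apps.identrust.com/roots/dstrootcax3.p7c0",
    "http://cps.letsencrypt.org0",
    "http://crl.identrust.com/DSTROOTCAX3CRL.crl0",
    "http://mail.priserveinfra.com",
    "http://priserveinfra.com",
    "http://r3.o.lencr.org0",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "https://api.ipify.org%GETMozilla/5.0",
    "https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip",
]

# Either a dotted-quad or a hostname whose last label is lowercase letters;
# the lowercase TLD is what stops the match before residue like 'comDynDNS'.
HOST_RE = re.compile(
    r"https?://(\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[a-z]{2,})"
)

# Allowlists (assumptions): certificate-chain hosts any TLS client may hold in
# memory, a .NET Framework namespace, and strings seen across AgentTesla
# builds regardless of operator.
CERT_CHAIN = ("identrust.com", "letsencrypt.org", "lencr.org")
FRAMEWORK = ("schemas.xmlsoap.org",)
FAMILY_MARKERS = ("127.0.0.1", "dyndns.com", "api.ipify.org", "theonionrouter.com")

def _ends_with_any(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def extract_hosts(strings):
    hosts = set()
    for s in strings:
        m = HOST_RE.match(s)
        if m:
            hosts.add(m.group(1).lower())
    return hosts

def classify(strings, config_host):
    """Bucket each host. config_host is the server from the extracted malware
    configuration; it (and its parent domain) is confirmed infrastructure."""
    buckets = {"cert_chain": set(), "framework": set(), "family_marker": set(),
               "confirmed_c2": set(), "review": set()}
    for host in extract_hosts(strings):
        if _ends_with_any(host, CERT_CHAIN):
            buckets["cert_chain"].add(host)
        elif _ends_with_any(host, FRAMEWORK):
            buckets["framework"].add(host)
        elif _ends_with_any(host, FAMILY_MARKERS):
            buckets["family_marker"].add(host)
        elif host == config_host or config_host.endswith("." + host):
            buckets["confirmed_c2"].add(host)
        else:
            buckets["review"].add(host)
    return buckets

if __name__ == "__main__":
    for name, hosts in classify(REPORT_STRINGS, "mail.priserveinfra.com").items():
        print(f"{name:14} {sorted(hosts)}")
```

Blocking everything in the string list would add Let's Encrypt's CRL and OCSP hosts to a denylist; blocking only the confirmed_c2 bucket (plus whatever survives review) is what an indicator feed built from this report should carry.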

                      Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts
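The report records only that the hollowed RegSvcs.exe wrote the hosts file, not what it wrote, so on an affected machine the file itself has to be read. The added example below (editor's code, not part of the report) parses a hosts file and returns every active mapping, separating names sinkholed to loopback or 0.0.0.0 (which cuts the machine off from, say, a vendor update or sample-submission host) from names redirected to another address (which can also be used to capture credentials). The file content is constructed for illustration and is not what this sample wrote.

```python
"""Audit a Windows hosts file for mappings that are not part of the default
file. Added example (editor's code, not Joe Sandbox output): Windows ships a
hosts file that contains only comments, so every active line is an addition."""
import ipaddress
from pathlib import Path

# Constructed content for illustration; not the entries this sample wrote.
CONSTRUCTED_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#    127.0.0.1       localhost
#    ::1             localhost

# --- constructed additions, not taken from the sample ---
127.0.0.1      av-updates.example.com
127.0.0.1      sandbox-submit.example.org   # trailing comment is ignored
0.0.0.0        update.example.com
198.51.100.7   login.example.net
"""

def parse_hosts(text):
    """Yield (address, [names]) for each active line; the resolver ignores
    comments and malformed lines, so the audit does the same."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue
        yield address, [n.lower() for n in names]

def audit_hosts(text):
    """Return (kind, address, name) findings. 'sinkhole' means the name now
    resolves to loopback or 0.0.0.0 (the host becomes unreachable, the usual
    way to cut off AV updates or sample submission); 'redirect' means it
    resolves somewhere else, which also enables credential capture."""
    findings = []
    for address, names in parse_hosts(text):
        addr = ipaddress.ip_address(address)
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in names:
            if name == "localhost" and sinkhole:
                continue            # harmless even if someone uncommented it
            findings.append(("sinkhole" if sinkhole else "redirect", address, name))
    return findings

def audit_live_hosts(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the audit against the real file on a Windows host."""
    return audit_hosts(Path(path).read_text(encoding="utf-8", errors="replace"))

if __name__ == "__main__":
    for kind, address, name in audit_hosts(CONSTRUCTED_HOSTS):
        print(f"{kind:8} {address:15} {name}")
```

Run audit_live_hosts() from an elevated prompt during incident response; an empty result means the file is still in its shipped state, anything else is a finding to compare against the organisation's own intentional entries.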

                      System Summary:

.NET source code contains very large array initializations
Source: 2.2.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{6A3FE371-3CF2-4647-ADA6-D886DECE5F9A}/7EBA0FC9-2A76-4C74-87A9-38EEF74E4265.cs | Large array initialization: .cctor: array initializer size 11961
Source: 2.0.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{6A3FE371-3CF2-4647-ADA6-D886DECE5F9A}/7EBA0FC9-2A76-4C74-87A9-38EEF74E4265.cs | Large array initialization: .cctor: array initializer size 11961
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Code functions: 0_2_01A09A88, 0_2_01A0C728, 0_2_01A0B160, 0_2_03233278, 0_2_03230040, 0_2_03230265, 0_2_03230292, 0_2_03230006, 0_2_062AC588, 0_2_062AD3F0, 0_2_062AB3C0, 0_2_062A80D0, 0_2_062ABB90, 0_2_062AF670, 0_2_062AF468, 0_2_062AC578, 0_2_062AE2C0, 0_2_062AB3B9, 0_2_062AC028, 0_2_062A0006, 0_2_062AC018, 0_2_062A0040, 0_2_062A80C0, 0_2_062ABED1, 0_2_062A7B20, 0_2_062A7B12, 0_2_062ABB82, 0_2_062AA809, 0_2_062AA818, 0_2_062AF898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code functions: 2_2_018947A0, 2_2_01893CCC, 2_2_018946B0, 2_2_018946F0, 2_2_01895490, 2_2_05C5A490, 2_2_05C50374, 2_2_05C57D98, 2_2_05C5CF80, 2_2_05C56E38, 2_2_065B555C, 2_2_065BA228
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.206333132.00000000064B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKygo.dll* vs SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameHjggBhArqxUSGQuHOxtoel.exe4 vs SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000000.195677731.0000000000F1A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEncodingInfo.exe< vs SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202436218.000000000170B000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Binary or memory string: OriginalFilenameEncodingInfo.exe< vs SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.e40000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@7/6@2/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4732:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Mutant created: \Sessions\1\BaseNamedObjects\HcJtpFXSUxRDGLHOpERU
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4140:120:WilError_01
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 reads)
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

These Portuguese-language SQL strings (Aluguel = rental, Clientes = customers, aviaoID = aircraft ID; "Erro ao listar Banco" = "error listing database") sit only in the first stage's memory and read like the data layer of an ordinary business application. They are not stealer functionality: the credential-access evidence on this page (the Outlook profile key, the WMI queries, the hosts file write) all comes from the RegSvcs.exe stage.
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | VirusTotal: Detection: 32%
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | ReversingLabs: Detection: 30%
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: RegSvcs.pdb, source: NXLun.exe, 00000007.00000000.260473625.0000000000422000.00000002.00020000.sdmp, NXLun.exe, 00000009.00000002.279694341.0000000000542000.00000002.00020000.sdmp, NXLun.exe.2.dr
Source: Binary string: RegSvcs.pdb, source: NXLun.exe, NXLun.exe.2.dr
Source: Binary string: EncodingInfo.pdb, source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.e40000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe Code function: 0_2_03233EFA push esp; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe Code function: 0_2_062A5622 push es; retf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe Code function: 0_2_062A54ED push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe Code function: 0_2_062A58BE push es; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05C54666 push 8AE8CF8Bh; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05C52B21 push 83085F8Bh; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05C52A21 push 83085F8Bh; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_065B66C8 push cs; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_065BA7E8 push esi; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_065B8490 push eax; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_065B6480 push cs; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_065BA21B push ebx; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_065BA008 push edx; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_065BA141 push edx; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_065BA173 push edx; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_065B9FB0 push edx; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_065B9C83 push eax; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_065B9C81 push eax; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_065B9C87 push eax; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_065BAAB8 push esi; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_065BAB7F push edi; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_065BAB63 push esi; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_065BA89B push esi; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_065BA899 push esi; iretd
Source: initial sample Static PE information: section name: .text entropy: 7.85141834625
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: '.cctor', 'QcX9xV', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.0.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.e40000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: '.cctor', 'QcX9xV', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLun

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe PID: 6136, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7267
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe TID: 5648 Thread sleep time: -100748s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe TID: 2432 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 5940 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 4360 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe Thread delayed: delay time: 100748
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
Source: RegSvcs.exe, 00000002.00000002.467260283.0000000006460000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp Binary or memory string: vmware
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: RegSvcs.exe, 00000002.00000002.467168064.0000000006360000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllws\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WS`
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000002.00000002.467260283.0000000006460000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000002.00000002.467260283.0000000006460000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 00000002.00000002.467260283.0000000006460000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: RegSvcs.exe, 00000002.00000002.462793062.0000000001C60000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000002.00000002.462793062.0000000001C60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000002.00000002.462793062.0000000001C60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RegSvcs.exe, 00000002.00000002.462793062.0000000001C60000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.460330476.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.44b9398.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.44b9398.1.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match | File source: 00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.460330476.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5636, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe PID: 6136, type: MEMORY
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.44b9398.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.44b9398.1.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5636, type: MEMORY

                      Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.460330476.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.44b9398.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.44b9398.1.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match | File source: 00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.460330476.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5636, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe PID: 6136, type: MEMORY
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.44b9398.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.44b9398.1.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation211Registry Run Keys / Startup Folder1Process Injection12File and Directory Permissions Modification1OS Credential Dumping2System Information Discovery114Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsRegistry Run Keys / Startup Folder1Disable or Modify Tools1Input Capture1Query Registry1Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Credentials in Registry1Security Software Discovery211SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information3NTDSProcess Discovery2Distributed Component Object ModelInput Capture1Scheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware Packing13LSA SecretsVirtualization/Sandbox Evasion131SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonMasquerading1Cached Domain CredentialsApplication Window Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsVirtualization/Sandbox Evasion131DCSyncRemote System Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobProcess Injection12Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Hidden Files and Directories1/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                      Behavior Graph


                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | 32% | Virustotal |
SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe | 100% | Joe Sandbox ML |

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 0% | Metadefender |
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 0% | ReversingLabs |

                      Unpacked PE Files

Source | Detection | Scanner | Label
2.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
2.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

Source | Detection | Scanner | Label
priserveinfra.com | 1% | Virustotal |

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://r3.i.lencr.org/01 | 0% | Virustotal |
http://r3.i.lencr.org/01 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://CvqG2KRIY7VhTa.o | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://CvqG2KRIY7VhTa.org | 0% | Avira URL Cloud | safe
http://hcwBaC.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://mail.priserveinfra.com | 0% | Avira URL Cloud | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
http://priserveinfra.com | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
priserveinfra.com | 50.31.160.189 | true | true | | unknown
mail.priserveinfra.com | unknown | unknown | true | | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://r3.i.lencr.org/01 | RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://DynDns.comDynDNS | RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.letsencrypt.org0 | RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://r3.o.lencr.org0 | RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://CvqG2KRIY7VhTa.o | RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://CvqG2KRIY7VhTa.org | RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.464427936.000000000345D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://hcwBaC.com | RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202880593.0000000003391000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe, 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp | false | | high
http://mail.priserveinfra.com | RegSvcs.exe, 00000002.00000002.464306400.0000000003431000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%$ | RegSvcs.exe, 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://cps.root-x1.letsencrypt.org0 | RegSvcs.exe, 00000002.00000002.462434107.00000000016D5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://priserveinfra.com | RegSvcs.exe, 00000002.00000002.464306400.0000000003431000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                            Contacted IPs


                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
50.31.160.189 | priserveinfra.com | United States | 23352 | SERVERCENTRALUS | true

                            General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 433227
Start date: 11.06.2021
Start time: 13:54:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 52s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.15553 (renamed file extension from 15553 to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@7/6@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.8% (good quality ratio 0.5%)
• Quality average: 48.6%
• Quality standard deviation: 46%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 52.147.198.201, 104.43.193.48, 20.82.210.154, 104.76.200.56, 20.54.26.129, 20.50.102.62, 92.122.213.247, 92.122.213.194
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
13:55:07 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe modified
13:55:16 | API Interceptor | 766x Sleep call for process: RegSvcs.exe modified
13:55:28 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
13:55:36 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe

                            Joe Sandbox View / Context

                            IPs

Match | Associated Sample Name / URL | Detection | Context
50.31.160.189 | SecuriteInfo.com.Exploit.Siggen2.12917.8592.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
 | SecuriteInfo.com.Exploit.Siggen2.12943.15385.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
 | Doc-20200731-7729500.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
 | doc_440.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
 | MES 2020_07_31 9325071.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
 | arc GNV011047.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
 | ARC_4895987.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
 | Rep-OVW91546.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
 | REP_OKX598.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
 | FILE-2020_07_31-LY51195.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
 | REP-2020_07_31-HL73628.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/
 | Dat_20200731_ILT3900.doc | malicious | jkncrew.com/cgi-bin/KhSO16ZAAf/

                            Domains

Match | Associated Sample Name / URL | Detection | Context

                            ASN

Match | Associated Sample Name / URL | Detection | Context
SERVERCENTRALUS | 619wGDCTZA.exe | malicious | 216.246.112.102
SERVERCENTRALUS | Swift Copy.exe | malicious | 204.93.196.181
SERVERCENTRALUS | Swift Copy.exe | malicious | 204.93.196.181
SERVERCENTRALUS | Swift Copy.exe | malicious | 204.93.196.181
SERVERCENTRALUS | PO #4500484210.exe | malicious | 204.93.196.181
SERVERCENTRALUS | Quotation 2000051165.exe | malicious | 204.93.196.181
SERVERCENTRALUS | RYJzamn1HwAEPyy.exe | malicious | 50.31.160.189
SERVERCENTRALUS | Swift Copy.exe | malicious | 204.93.196.181
SERVERCENTRALUS | Revised_Order PDF.exe | malicious | 198.38.93.60
SERVERCENTRALUS | tB15iC3ImLK3MFX.exe | malicious | 50.31.160.189
SERVERCENTRALUS | Bank Details.exe | malicious | 204.93.196.181
SERVERCENTRALUS | Bank Details.exe | malicious | 204.93.196.181
SERVERCENTRALUS | tYIAJnu9nz5cOsZ.exe | malicious | 50.31.160.189
SERVERCENTRALUS | Bank Details.exe | malicious | 204.93.196.181
SERVERCENTRALUS | Bank Details.exe | malicious | 204.93.196.181
SERVERCENTRALUS | upnxIVxCnyXyWyW.exe | malicious | 50.31.160.189
SERVERCENTRALUS | 1092991(JB#082).exe | malicious | 204.93.196.181
SERVERCENTRALUS | 1092991(JB#082).exe | malicious | 204.93.196.181
SERVERCENTRALUS | uDEF0FNW0uvax8f.exe | malicious | 204.93.196.181
SERVERCENTRALUS | payment.exe | malicious | 204.93.196.181

                            JA3 Fingerprints

                            No context

                            Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | HT210525 IV Quotation.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Bank_payment information.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | HT210525 IV Quotation.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Proforma Invoice No. 14214.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | KCTC International Ltd.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | NEW PO#70-02110-00739.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | New quote.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Bank payment information.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | MESCO TQZ24 QUOTE.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | SWIFT Msg of USD 78,000.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | OM PHOENIX TRADERS.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | ORDER #2348478.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 1029BA046DF67EE328AD9D21BFD1E6D31C5CEDC4D4EAD.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Quotation 2000051165.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | IMG-20191224-WA0050.jpg.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Note0093746573.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | RYJzamn1HwAEPyy.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 11.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | OM PHOENIX TRADERS.exe | malicious
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | NEW Quotation.exe | malicious

                                                                    Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NXLun.exe.log
Process: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 142
Entropy (8bit): 5.090621108356562
Encrypted: false
SSDEEP: 3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5: 8C0458BB9EA02D50565175E38D577E35
SHA1: F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256: C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512: 804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious: false
Reputation: moderate, very likely benign file
                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe.log
Process: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 45152
Entropy (8bit): 6.149629800481177
Encrypted: false
SSDEEP: 768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
MD5: 2867A3817C9245F7CF518524DFD18F28
SHA1: D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
SHA-256: 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
SHA-512: 7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: HT210525 IV Quotation.exe, Detection: malicious
• Filename: Bank_payment information.exe, Detection: malicious
• Filename: HT210525 IV Quotation.exe, Detection: malicious
• Filename: Proforma Invoice No. 14214.exe, Detection: malicious
• Filename: KCTC International Ltd.exe, Detection: malicious
• Filename: NEW PO#70-02110-00739.exe, Detection: malicious
• Filename: New quote.exe, Detection: malicious
• Filename: Bank payment information.exe, Detection: malicious
• Filename: MESCO TQZ24 QUOTE.exe, Detection: malicious
• Filename: SWIFT Msg of USD 78,000.exe, Detection: malicious
• Filename: OM PHOENIX TRADERS.exe, Detection: malicious
• Filename: ORDER #2348478.exe, Detection: malicious
• Filename: 1029BA046DF67EE328AD9D21BFD1E6D31C5CEDC4D4EAD.exe, Detection: malicious
• Filename: Quotation 2000051165.exe, Detection: malicious
• Filename: IMG-20191224-WA0050.jpg.exe, Detection: malicious
• Filename: Note0093746573.exe, Detection: malicious
• Filename: RYJzamn1HwAEPyy.exe, Detection: malicious
• Filename: 11.exe, Detection: malicious
• Filename: OM PHOENIX TRADERS.exe, Detection: malicious
• Filename: NEW Quotation.exe, Detection: malicious
Reputation: moderate, very likely benign file
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
C:\Windows\System32\drivers\etc\hosts
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 11
Entropy (8bit): 2.663532754804255
Encrypted: false
SSDEEP: 3:iLE:iLE
MD5: B24D295C1F84ECBFB566103374FB91C5
SHA1: 6A750D3F8B45C240637332071D34B403FA1FF55A
SHA-256: 4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
SHA-512: 9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
Malicious: true
                                                                    Preview: ..127.0.0.1
\Device\ConDrv
Process: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1141
Entropy (8bit): 4.44831826838854
Encrypted: false
SSDEEP: 24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
MD5: 1AEB3A784552CFD2AEDEDC1D43A97A4F
SHA1: 804286AB9F8B3DE053222826A69A7CDA3492411A
SHA-256: 0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
SHA-512: 5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
Malicious: false
                                                                    Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

                                                                    Static File Info

                                                                    General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.493580728299334
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.79%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
File name: SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
File size: 930816
MD5: 95201005885c91db292adaae627a5d57
SHA1: d172e70ecb7f3206bcd34d7d5b51be54d9bdc350
SHA256: 73f2e9b534cff49f248d0d3469902ac7c3150da888786e5cde16a935ce4ce0c2
SHA512: b571adb6cd73909e7d93311401dd8c96168cae2fba009e063786b7bc87a56e0d1d361ac0b76f2531458c315e354b981b8725fd67f9b33ed5b98fa7cb6a368ca7
SSDEEP: 12288:4IiPCg6zYjxAYcfPxu87cSumg7G+pPM0rgpmDKuedZM4e/ZUdtb:4NPC1zSeHXh7cH66PmwDxedNeBUdt
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`............................>.... ........@.. ....................................@................................

                                                                    File Icon

Icon Hash: 8c8caa8e9692aa00

                                                                    Static PE Info

                                                                    General

Entrypoint: 0x4ba63e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60C2AE0F [Fri Jun 11 00:27:59 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                                    Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above repeats for the remainder of the preview: after the jmp, the bytes at the entrypoint are zero padding, which disassembles as add byte ptr [eax], al)

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xba5f0          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xbe000          0x2a388       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xea000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xba5aa          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text

The SECURITY directory is empty, so the file carries no Authenticode signature. The COM_DESCRIPTOR entry at 0x2008 is the CLR header, which confirms a managed (.NET) executable; the 8-byte IAT at 0x2000 is the single mscoree.dll import slot such executables have.

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xb8644       0xb8800   False     0.892889090024   data       7.85141834625   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata  0xbc000          0x1e8         0x200     False     0.861328125      data       6.62043448152   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0xbe000          0x2a388       0x2a400   False     0.124312361317   data       4.17146470655   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xea000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

The .text section holds 0xb8644 bytes (about 81% of the 930816-byte file) at an entropy of 7.85 out of a possible 8.0. Compiled IL normally sits well below 7, so most of this section is compressed or encrypted data rather than code, which is what a packed payload looks like on disk.
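
The entropy check above is the first thing to automate when triaging a sample like this. The script below is an added example, not code from the Joe Sandbox report: it parses a PE section table with only the Python standard library and flags executable sections whose raw bytes exceed a threshold. So that it runs offline it builds a small synthetic PE in memory (constructed for the example; it is not the analysed sample and not a loadable Windows binary); pass a real file path as the first argument to run it on an actual executable. The 7.0 threshold is an assumption of the example.

```python
import hashlib
import math
import struct

# Section characteristic flags from winnt.h.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the scale used in the report's table."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk the PE section table; return (name, virtual_address, characteristics, raw_bytes) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_optional
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER is 40 bytes: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics.
        name, _vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, chars, raw))
    return sections


def high_entropy_executable_sections(pe: bytes, threshold: float = 7.0):
    """Return [(name, entropy)] for code/executable sections that look compressed or encrypted."""
    hits = []
    for name, _vaddr, chars, raw in parse_sections(pe):
        ent = shannon_entropy(raw)
        if chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE) and ent > threshold:
            hits.append((name, round(ent, 3)))
    return hits


def _pseudo_random(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a packed payload."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_synthetic_pe() -> bytes:
    """Constructed minimal PE32 image: a high-entropy executable .text and a low-entropy .rsrc."""
    text_raw = _pseudo_random(0x800)
    rsrc_raw = b"A" * 0x100 + b"\0" * 0x100
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)        # PE32 magic, remainder zeroed

    def section(name, vaddr, raw_ptr, raw, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), raw_ptr, 0, 0, 0, 0, chars)

    headers = (dos + b"PE\0\0" + file_hdr + opt_hdr
               + section(b".text", 0x1000, 0x200, text_raw,
                         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
               + section(b".rsrc", 0x2000, 0x200 + len(text_raw), rsrc_raw,
                         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ))
    headers += b"\0" * (0x200 - len(headers))                       # raw data starts at 0x200
    return headers + text_raw + rsrc_raw


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_synthetic_pe()
    for name, vaddr, chars, raw in parse_sections(data):
        print(f"{name:8s} VA=0x{vaddr:x} raw=0x{len(raw):x} entropy={shannon_entropy(raw):.2f}")
    print("suspicious:", high_entropy_executable_sections(data))
```

Entropy alone does not prove packing (signed installers and media-heavy resources are also dense); it is the combination with the executable flag and, as here, a very large section that points at an embedded payload.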

Resources

Name           RVA      Size     Type                                                                                                                                        Language  Country
RT_ICON        0xbe2b0  0x2326   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0xc05d8  0x10828  dBase III DBT, version number 0, next free block index 40
RT_ICON        0xd0e00  0x94a8   data
RT_ICON        0xda2a8  0x5488   data
RT_ICON        0xdf730  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON        0xe3958  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON        0xe5f00  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON        0xe6fa8  0x988    data
RT_ICON        0xe7930  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0xe7d98  0x84     data
RT_VERSION     0xe7e1c  0x380    data
RT_MANIFEST    0xe819c  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Language and country are unset for every entry. The dBase and GLS_BINARY_LSB_FIRST type strings are libmagic guesses on raw icon bitmap (DIB) data; they do not indicate embedded database files.

Imports

DLL          Import
mscoree.dll  _CorExeMain

_CorExeMain is the CLR entry stub that every managed executable imports. The APIs the sample actually uses (WMI queries, file and registry access, SMTP) are resolved by the runtime from managed metadata, so the native import table says nothing about its capabilities; the behavioural signatures and the decompiled IL are the source for those.

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Paul Harris 2016
Assembly Version  251.2.0.0
InternalName      EncodingInfo.exe
FileVersion       251.2.0.0
CompanyName       Paul Harris
LegalTrademarks
Comments          1992 Alpine A 610
ProductName       ReloadManager
ProductVersion    251.2.0.0
FileDescription   ReloadManager
OriginalFilename  EncodingInfo.exe

The version resource is written by whoever builds the binary and is not integrity-protected. The InternalName and OriginalFilename (EncodingInfo.exe) do not match the ProductName and FileDescription (ReloadManager), and the Comments field is unrelated filler; treat these strings as searchable artefacts for clustering related samples, not as evidence of origin.

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                             Src    Dst    Source IP      Dest IP
Jun 11, 2021 13:56:41.069885969 CEST  49739  587    192.168.2.3    50.31.160.189
Jun 11, 2021 13:56:41.213582993 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:41.213800907 CEST  49739  587    192.168.2.3    50.31.160.189
Jun 11, 2021 13:56:41.598962069 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:41.599651098 CEST  49739  587    192.168.2.3    50.31.160.189
Jun 11, 2021 13:56:41.743532896 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:41.744143963 CEST  49739  587    192.168.2.3    50.31.160.189
Jun 11, 2021 13:56:41.909204960 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:41.957829952 CEST  49739  587    192.168.2.3    50.31.160.189
Jun 11, 2021 13:56:42.145090103 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:42.202445030 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:42.202506065 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:42.202536106 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:42.202701092 CEST  49739  587    192.168.2.3    50.31.160.189
Jun 11, 2021 13:56:42.214478016 CEST  49739  587    192.168.2.3    50.31.160.189
Jun 11, 2021 13:56:42.358225107 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:42.359455109 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:42.410959005 CEST  49739  587    192.168.2.3    50.31.160.189
Jun 11, 2021 13:56:42.426899910 CEST  49739  587    192.168.2.3    50.31.160.189
Jun 11, 2021 13:56:42.573067904 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:42.576642036 CEST  49739  587    192.168.2.3    50.31.160.189
Jun 11, 2021 13:56:42.723206997 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:42.724687099 CEST  49739  587    192.168.2.3    50.31.160.189
Jun 11, 2021 13:56:42.884005070 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:42.885524035 CEST  49739  587    192.168.2.3    50.31.160.189
Jun 11, 2021 13:56:43.029640913 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:43.030524969 CEST  49739  587    192.168.2.3    50.31.160.189
Jun 11, 2021 13:56:43.183080912 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:43.183788061 CEST  49739  587    192.168.2.3    50.31.160.189
Jun 11, 2021 13:56:43.329449892 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:43.335206985 CEST  49739  587    192.168.2.3    50.31.160.189
Jun 11, 2021 13:56:43.335562944 CEST  49739  587    192.168.2.3    50.31.160.189
Jun 11, 2021 13:56:43.335767031 CEST  49739  587    192.168.2.3    50.31.160.189
Jun 11, 2021 13:56:43.335947037 CEST  49739  587    192.168.2.3    50.31.160.189
Jun 11, 2021 13:56:43.482861042 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:43.482903004 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:43.482927084 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:43.483850002 CEST  587    49739  50.31.160.189  192.168.2.3
Jun 11, 2021 13:56:43.536024094 CEST  49739  587    192.168.2.3    50.31.160.189

UDP Packets

Timestamp                             Src    Dst    Source IP    Dest IP
Jun 11, 2021 13:55:02.996490955 CEST  60152  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:03.049737930 CEST  53     60152  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:04.526015997 CEST  57544  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:04.576266050 CEST  53     57544  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:05.331646919 CEST  55984  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:05.384490013 CEST  53     55984  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:06.462455988 CEST  64185  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:06.512868881 CEST  53     64185  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:07.763880968 CEST  65110  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:07.816826105 CEST  53     65110  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:08.595263004 CEST  58361  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:08.646934032 CEST  53     58361  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:10.516655922 CEST  63492  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:10.580557108 CEST  53     63492  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:11.311841011 CEST  60831  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:11.364803076 CEST  53     60831  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:12.112380981 CEST  60100  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:12.165740967 CEST  53     60100  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:13.020163059 CEST  53195  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:13.072607994 CEST  53     53195  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:13.947890997 CEST  50141  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:13.998404980 CEST  53     50141  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:14.739490986 CEST  53023  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:14.789906979 CEST  53     53023  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:15.661520004 CEST  49563  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:15.712136984 CEST  53     49563  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:16.598730087 CEST  51352  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:16.649163008 CEST  53     51352  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:17.494551897 CEST  59349  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:17.545011044 CEST  53     59349  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:18.587670088 CEST  57084  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:18.648411036 CEST  53     57084  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:19.456626892 CEST  58823  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:19.515012980 CEST  53     58823  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:20.462637901 CEST  57568  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:20.513097048 CEST  53     57568  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:34.157301903 CEST  50540  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:34.233827114 CEST  53     50540  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:38.511918068 CEST  54366  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:38.589154959 CEST  53     54366  8.8.8.8      192.168.2.3
Jun 11, 2021 13:55:56.298839092 CEST  53034  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:55:56.368366003 CEST  53     53034  8.8.8.8      192.168.2.3
Jun 11, 2021 13:56:11.782270908 CEST  57762  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:56:11.852824926 CEST  53     57762  8.8.8.8      192.168.2.3
Jun 11, 2021 13:56:16.601514101 CEST  55435  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:56:16.661097050 CEST  53     55435  8.8.8.8      192.168.2.3
Jun 11, 2021 13:56:40.678406954 CEST  50713  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:56:40.850236893 CEST  53     50713  8.8.8.8      192.168.2.3
Jun 11, 2021 13:56:40.860426903 CEST  56132  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:56:41.040086985 CEST  53     56132  8.8.8.8      192.168.2.3
Jun 11, 2021 13:56:47.128261089 CEST  58987  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:56:47.205463886 CEST  53     58987  8.8.8.8      192.168.2.3
Jun 11, 2021 13:56:48.744347095 CEST  56579  53     192.168.2.3  8.8.8.8
Jun 11, 2021 13:56:48.803177118 CEST  53     56579  8.8.8.8      192.168.2.3

DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                    Type            Class
Jun 11, 2021 13:56:40.678406954 CEST  192.168.2.3  8.8.8.8  0xce81    Standard query (0)  mail.priserveinfra.com  A (IP address)  IN (0x0001)
Jun 11, 2021 13:56:40.860426903 CEST  192.168.2.3  8.8.8.8  0x8b1e    Standard query (0)  mail.priserveinfra.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                    CName              Address        Type                    Class
Jun 11, 2021 13:56:40.850236893 CEST  8.8.8.8    192.168.2.3  0xce81    No error (0)  mail.priserveinfra.com  priserveinfra.com                 CNAME (Canonical name)  IN (0x0001)
Jun 11, 2021 13:56:40.850236893 CEST  8.8.8.8    192.168.2.3  0xce81    No error (0)  priserveinfra.com                          50.31.160.189  A (IP address)          IN (0x0001)
Jun 11, 2021 13:56:41.040086985 CEST  8.8.8.8    192.168.2.3  0x8b1e    No error (0)  mail.priserveinfra.com  priserveinfra.com                 CNAME (Canonical name)  IN (0x0001)
Jun 11, 2021 13:56:41.040086985 CEST  8.8.8.8    192.168.2.3  0x8b1e    No error (0)  priserveinfra.com                          50.31.160.189  A (IP address)          IN (0x0001)

SMTP Packets

Timestamp                             Src    Dst    Source IP      Dest IP        Commands
Jun 11, 2021 13:56:41.598962069 CEST  587    49739  50.31.160.189  192.168.2.3    220-metro702.hostmetro.com ESMTP Exim 4.94.2 #2 Fri, 11 Jun 2021 06:56:41 -0500
                                                                                  220-We do not authorize the use of this system to transport unsolicited,
                                                                                  220 and/or bulk e-mail.
Jun 11, 2021 13:56:41.599651098 CEST  49739  587    192.168.2.3    50.31.160.189  EHLO 936905
Jun 11, 2021 13:56:41.743532896 CEST  587    49739  50.31.160.189  192.168.2.3    250-metro702.hostmetro.com Hello 936905 [84.17.52.18]
                                                                                  250-SIZE 52428800
                                                                                  250-8BITMIME
                                                                                  250-PIPELINING
                                                                                  250-PIPE_CONNECT
                                                                                  250-AUTH PLAIN LOGIN
                                                                                  250-STARTTLS
                                                                                  250 HELP
Jun 11, 2021 13:56:41.744143963 CEST  49739  587    192.168.2.3    50.31.160.189  STARTTLS
Jun 11, 2021 13:56:41.909204960 CEST  587    49739  50.31.160.189  192.168.2.3    220 TLS go ahead

Port 587 is the SMTP submission port. The server reached through mail.priserveinfra.com identifies itself as a hosting provider's Exim MTA (metro702.hostmetro.com), and the bracketed address it echoes in the EHLO reply, 84.17.52.18, is the public egress address of the analysis network as the server saw it, not an address belonging to the sample. After "220 TLS go ahead" the remainder of the 49739/587 connection in the TCP table above is TLS-encrypted, so the AUTH exchange and the message carrying the harvested data are not visible in this capture; the network indicators recoverable from the packets alone are the domain mail.priserveinfra.com, the address 50.31.160.189 and the use of port 587. The SMTP account itself has to come from the extracted configuration or from a TLS-intercepting sandbox run.
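
The cleartext part of that handshake is short but carries most of what an analyst records: the MTA and hosting provider, the name the client announces, the sandbox's egress address as seen by the server, the authentication mechanisms on offer and the point at which the capture goes opaque. The Python below is an added example, not code from the report or from Joe Sandbox: it parses a transcript reconstructed from the SMTP Packets table (constructed inline, with "S:" for the server and "C:" for the client) into those observables. The exfil_indicators heuristics are assumptions of the example, not rules the report states.

```python
import re

# Constructed transcript reproducing the exchange in the SMTP Packets table above
# ("S:" = server 50.31.160.189:587, "C:" = client 192.168.2.3:49739).
SMTP_TRANSCRIPT = """\
S: 220-metro702.hostmetro.com ESMTP Exim 4.94.2 #2 Fri, 11 Jun 2021 06:56:41 -0500
S: 220-We do not authorize the use of this system to transport unsolicited,
S: 220 and/or bulk e-mail.
C: EHLO 936905
S: 250-metro702.hostmetro.com Hello 936905 [84.17.52.18]
S: 250-SIZE 52428800
S: 250-8BITMIME
S: 250-PIPELINING
S: 250-PIPE_CONNECT
S: 250-AUTH PLAIN LOGIN
S: 250-STARTTLS
S: 250 HELP
C: STARTTLS
S: 220 TLS go ahead
"""

# The address an MTA puts in square brackets in its EHLO greeting is the connecting peer.
_PEER_ADDR = re.compile(r"\[([0-9A-Fa-f.:]+)\]")


def parse_smtp_transcript(text: str) -> dict:
    """Extract the observables an analyst records from a cleartext SMTP handshake."""
    s = {
        "server_banner": None,      # MTA software and hosting provider
        "ehlo_name": None,          # name the client announces itself with
        "client_public_ip": None,   # egress address as seen by the server
        "extensions": [],           # EHLO keywords the server offers, in order
        "auth_mechanisms": [],
        "starttls_offered": False,
        "starttls_used": False,
        "tls_accepted": False,      # after this point the capture is opaque
    }
    in_ehlo_reply = False
    first_ehlo_line = False
    awaiting_tls_reply = False
    for line in text.splitlines():
        if ": " not in line:
            continue
        role, payload = line.split(": ", 1)
        if role == "C":
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                s["ehlo_name"] = arg.strip()
                in_ehlo_reply = first_ehlo_line = True
            elif verb == "STARTTLS":
                s["starttls_used"] = True
                awaiting_tls_reply = True
            continue
        # Server side: 3-digit code, then "-" for a continued multi-line reply or " " for the last line.
        code, sep, msg = payload[:3], payload[3:4], payload[4:]
        if awaiting_tls_reply:
            s["tls_accepted"] = code == "220"
            awaiting_tls_reply = False
        elif code == "220" and s["server_banner"] is None:
            s["server_banner"] = msg
        elif in_ehlo_reply and code == "250":
            if first_ehlo_line:
                m = _PEER_ADDR.search(msg)
                s["client_public_ip"] = m.group(1) if m else None
                first_ehlo_line = False
            else:
                keyword, _, params = msg.partition(" ")
                keyword = keyword.upper()
                s["extensions"].append(keyword)
                if keyword == "AUTH":
                    s["auth_mechanisms"] = params.split()
                elif keyword == "STARTTLS":
                    s["starttls_offered"] = True
            if sep == " ":
                in_ehlo_reply = False
    return s


def exfil_indicators(summary: dict) -> list:
    """Heuristics (an assumption of this example) that make a submission-port session from a
    non-mail-client process worth a closer look."""
    hints = []
    name = summary["ehlo_name"] or ""
    if name and (name.isdigit() or "." not in name):
        hints.append("EHLO argument is not a resolvable hostname")
    if summary["auth_mechanisms"]:
        hints.append("server offers AUTH " + " ".join(summary["auth_mechanisms"]) + "; credentials will be sent")
    if summary["tls_accepted"]:
        hints.append("session switched to TLS; AUTH and message body are not in the capture")
    return hints


if __name__ == "__main__":
    summary = parse_smtp_transcript(SMTP_TRANSCRIPT)
    for key, value in summary.items():
        print(f"{key:18s} {value}")
    for hint in exfil_indicators(summary):
        print("indicator:", hint)
```

The same parser works on a transcript pulled from a pcap with tshark's `-z follow,tcp,ascii` output once the direction prefixes are normalised; the point is to capture the observables before the STARTTLS boundary, because nothing after it is recoverable without the session keys.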

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 13:55:06
Start date: 11/06/2021
Path: C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.MSILHeracles.17940.23513.exe'
Imagebase: 0xe40000
File size: 930816 bytes
MD5 hash: 95201005885C91DB292ADAAE627A5D57
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.203209096.0000000004399000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.202906740.00000000033C0000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 13:55:08
Start date: 11/06/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase: 0xf10000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.201228524.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.460330476.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.460330476.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.462879077.0000000003171000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 13:55:36
Start date: 11/06/2021
Path: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Imagebase: 0x420000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: high

General

Start time: 13:55:36
Start date: 11/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                    General

Start time: 13:55:44
Start date: 11/06/2021
Path: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Imagebase: 0x540000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

                                                                    General

Start time: 13:55:44
Start date: 11/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
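The process records above are the kind of flattened key:value dump an analyst usually has to read by eye. The following triage helper is an added example written for this page; it is not part of the Joe Sandbox report or of the sample. Its input is constructed by copying the three visible process blocks verbatim, and the heuristics it applies are the editor's assumptions: an image running from a user-writable profile directory, a 32-bit .NET image, and a process launched by bare path with no arguments are each weak indicators worth a second look, not verdicts. It also counts how often each MD5 was launched, which here shows conhost.exe (the normal Windows console host) starting twice while NXLun.exe from %APPDATA% is the only record that trips a flag.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: the three "General" process blocks shown in the report,
# copied as plain text so the parser can be run offline.
REPORT_TEXT = r"""
General

Start time:13:55:36
Start date:11/06/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6b2800000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Programmed in:C, C++ or other language

General

Start time:13:55:44
Start date:11/06/2021
Path:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Imagebase:0x540000
File size:45152 bytes
MD5 hash:2867A3817C9245F7CF518524DFD18F28
Programmed in:.Net C# or VB.NET

General

Start time:13:55:44
Start date:11/06/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6b2800000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Programmed in:C, C++ or other language
"""

# Assumed heuristic: profile directories a normal user can write to.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I
)


@dataclass
class Proc:
    path: str
    cmdline: str
    md5: str
    wow64: bool
    language: str
    start_time: str


def parse_processes(text: str) -> list[Proc]:
    """Split the dump at each 'General' heading and read its key:value lines."""
    procs: list[Proc] = []
    for block in re.split(r"^General$", text, flags=re.M):
        fields: dict[str, str] = {}
        for line in block.splitlines():
            if ":" in line:
                key, _, value = line.partition(":")  # only the first colon splits
                fields[key.strip()] = value.strip()
        if "Path" not in fields:
            continue  # leading chunk before the first heading
        procs.append(Proc(
            path=fields["Path"],
            cmdline=fields.get("Commandline", ""),
            md5=fields.get("MD5 hash", "").upper(),
            wow64=fields.get("Wow64 process (32bit)", "false") == "true",
            language=fields.get("Programmed in", ""),
            start_time=fields.get("Start time", ""),
        ))
    return procs


def triage(procs: list[Proc]) -> dict[str, list[str]]:
    """Return {path: [reasons]} for records matching the assumed heuristics."""
    findings: dict[str, list[str]] = {}
    for p in procs:
        reasons = []
        if USER_WRITABLE.match(p.path):
            reasons.append("image runs from a user-writable profile directory")
        if p.wow64 and ".Net" in p.language:
            reasons.append("32-bit .NET image")
        if p.cmdline.strip("'\"") == p.path:
            reasons.append("launched by bare path with no arguments")
        if reasons:
            findings[p.path] = reasons
    return findings


def repeated_images(procs: list[Proc]) -> dict[str, int]:
    """MD5 -> launch count for images started more than once in the trace."""
    counts = Counter(p.md5 for p in procs)
    return {h: n for h, n in counts.items() if n > 1}


if __name__ == "__main__":
    procs = parse_processes(REPORT_TEXT)
    for path, reasons in triage(procs).items():
        print(path)
        for r in reasons:
            print("  -", r)
    print("repeated launches:", repeated_images(procs))
```

Correlate a hit like NXLun.exe with the report's dropped-file and persistence sections before drawing conclusions; the conhost.exe launches are expected for a console-subsystem parent and the `0xffffffff -ForceV1` arguments are how Windows itself starts the console host.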

                                                                    Disassembly

                                                                    Code Analysis