
Windows Analysis Report DOCS.exe

Overview

General Information

Sample Name: DOCS.exe
Analysis ID: 452541
MD5: 8e2aa51f45393d980a4d9b20947976b6
SHA1: 44742c0e7752ece4ed49c40d0f1b4e893c291005
SHA256: 02e6972eec66f1f2b9898fa662d59c1f47856f180dad385d766399ecaf763f5b
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • DOCS.exe (PID: 4992 cmdline: 'C:\Users\user\Desktop\DOCS.exe' MD5: 8E2AA51F45393D980A4D9B20947976B6)
    • DOCS.exe (PID: 5928 cmdline: C:\Users\user\Desktop\DOCS.exe MD5: 8E2AA51F45393D980A4D9B20947976B6)
  • NXLun.exe (PID: 5372 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 8E2AA51F45393D980A4D9B20947976B6)
    • NXLun.exe (PID: 5388 cmdline: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe MD5: 8E2AA51F45393D980A4D9B20947976B6)
  • NXLun.exe (PID: 1660 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 8E2AA51F45393D980A4D9B20947976B6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.347326587.0000000003CD5000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000011.00000002.347326587.0000000003CD5000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000012.00000002.495132037.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000012.00000002.495132037.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000011.00000002.347157176.0000000003C1D000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(18 entries in total; first 5 shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.DOCS.exe.4045b60.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.DOCS.exe.4045b60.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
1.2.DOCS.exe.4085b80.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
1.2.DOCS.exe.4085b80.8.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
1.2.DOCS.exe.4045b60.6.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(23 entries in total; first 5 shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | ReversingLabs: Detection: 52%
Multi AV Scanner detection for submitted file
Source: DOCS.exe | Virustotal: Detection: 41%
Source: DOCS.exe | ReversingLabs: Detection: 52%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DOCS.exe | Joe Sandbox ML: detected
Source: 4.2.DOCS.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 18.2.NXLun.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: DOCS.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DOCS.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RunPE.pdb source: DOCS.exe, NXLun.exe, 00000011.00000002.337797812.0000000002901000.00000004.00000001.sdmp
Source: global traffic | TCP traffic: 192.168.2.7:49738 -> 208.91.199.225:587
Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: DOCS.exe, 00000004.00000002.502145216.0000000002B61000.00000004.00000001.sdmp, NXLun.exe, 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: NXLun.exe, 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: DOCS.exe, 00000004.00000002.506216357.0000000002ED0000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: NXLun.exe, 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: http://hFHvHh.com
Source: DOCS.exe, 00000004.00000002.506216357.0000000002ED0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0A
Source: DOCS.exe, 00000004.00000002.506101125.0000000002EC6000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: DOCS.exe, 00000004.00000002.502145216.0000000002B61000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: NXLun.exe, 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: DOCS.exe, 00000004.00000002.506216357.0000000002ED0000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: DOCS.exe, 00000004.00000002.506391286.0000000002EED000.00000004.00000001.sdmp, DOCS.exe, 00000004.00000002.506031808.0000000002EC0000.00000004.00000001.sdmp, DOCS.exe, 00000004.00000002.502145216.0000000002B61000.00000004.00000001.sdmp, DOCS.exe, 00000004.00000002.505417799.0000000002E89000.00000004.00000001.sdmp, DOCS.exe, 00000004.00000002.506468128.0000000002EF5000.00000004.00000001.sdmp | String found in binary or memory: https://wiYfivfC8nSIDolSjnz.org
Source: DOCS.exe, 00000001.00000002.244914282.0000000004085000.00000004.00000001.sdmp, DOCS.exe, 00000004.00000002.495044836.0000000000402000.00000040.00000001.sdmp, NXLun.exe, 00000011.00000002.347326587.0000000003CD5000.00000004.00000001.sdmp, NXLun.exe, 00000012.00000002.495132037.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: DOCS.exe, 00000004.00000002.502145216.0000000002B61000.00000004.00000001.sdmp, NXLun.exe, 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: NXLun.exe, 00000011.00000002.336441928.0000000000BF8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\DOCS.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: DOCS.exe | Binary or memory string: OriginalFilename vs DOCS.exe
Source: DOCS.exe, 00000001.00000002.241023078.0000000000962000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSymlink-Maker.exe< vs DOCS.exe
Source: DOCS.exe, 00000001.00000002.247879758.00000000052C0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPE.dll" vs DOCS.exe
Source: DOCS.exe, 00000001.00000002.243031996.0000000003E8C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWallpaperChanger.dllB vs DOCS.exe
Source: DOCS.exe, 00000001.00000002.244914282.0000000004085000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameufAxLJHDduVRtbIELqoQRnLFzE.exe4 vs DOCS.exe
Source: DOCS.exe, 00000004.00000002.496448083.00000000007B2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSymlink-Maker.exe< vs DOCS.exe
Source: DOCS.exe, 00000004.00000002.510065671.0000000005FB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs DOCS.exe
Source: DOCS.exe, 00000004.00000002.496583189.0000000000B58000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DOCS.exe
Source: DOCS.exe, 00000004.00000002.495044836.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameufAxLJHDduVRtbIELqoQRnLFzE.exe4 vs DOCS.exe
Source: DOCS.exe | Binary or memory string: OriginalFilenameSymlink-Maker.exe< vs DOCS.exe
Source: DOCS.exe, Regedit.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.0.DOCS.exe.890000.0.unpack, Regedit.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.DOCS.exe.890000.0.unpack, Regedit.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: NXLun.exe.4.dr, Regedit.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: NXLun.exe.4.dr, Regedit.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.0.DOCS.exe.6e0000.0.unpack, Regedit.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.0.DOCS.exe.6e0000.0.unpack, Regedit.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.0.NXLun.exe.3a0000.0.unpack, Regedit.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.0.NXLun.exe.3a0000.0.unpack, Regedit.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.2.NXLun.exe.3a0000.0.unpack, Regedit.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 17.2.NXLun.exe.3a0000.0.unpack, Regedit.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.DOCS.exe.890000.0.unpack, Regedit.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.DOCS.exe.890000.0.unpack, Regedit.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.DOCS.exe.890000.0.unpack, Regedit.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.DOCS.exe.890000.0.unpack, Regedit.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.DOCS.exe.6e0000.1.unpack, Regedit.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.2.DOCS.exe.6e0000.1.unpack, Regedit.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: DOCS.exe, Regedit.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: DOCS.exe, Regedit.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 18.0.NXLun.exe.a30000.0.unpack, Regedit.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 18.0.NXLun.exe.a30000.0.unpack, Regedit.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@7/6@1/1
Source: C:\Users\user\Desktop\DOCS.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DOCS.exe.log
Source: DOCS.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DOCS.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DOCS.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DOCS.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DOCS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DOCS.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DOCS.exe | File read: C:\Users\user\Desktop\DOCS.exe
Source: unknown | Process created: C:\Users\user\Desktop\DOCS.exe 'C:\Users\user\Desktop\DOCS.exe'
Source: C:\Users\user\Desktop\DOCS.exe | Process created: C:\Users\user\Desktop\DOCS.exe C:\Users\user\Desktop\DOCS.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Source: C:\Users\user\Desktop\DOCS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\DOCS.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\DOCS.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: DOCS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DOCS.exe | Static PE information: 0x91B5E3D7 [Thu Jun 20 04:11:03 2047 UTC]
Source: C:\Users\user\Desktop\DOCS.exe | Code function: 1_2_052C513D pushfd ; retf
Source: C:\Users\user\Desktop\DOCS.exe | Code function: 1_2_052C4D87 push ebx; iretd
Source: C:\Users\user\Desktop\DOCS.exe | Code function: 1_2_052C936D push es; iretd
Source: C:\Users\user\Desktop\DOCS.exe | Code function: 1_2_052C76F5 push ss; retf
Source: C:\Users\user\Desktop\DOCS.exe | Code function: 1_2_02C8C032 push edx; retf
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Code function: 17_2_04D29092 push E0E8CE8Bh; ret
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Code function: 17_2_04D2E9C2 pushad ; ret
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Code function: 17_2_04D265E3 push 2400025Eh; retf
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Code function: 17_2_04D2EE73 push ebp; retf
Source: C:\Users\user\Desktop\DOCS.exe | File created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Source: C:\Users\user\Desktop\DOCS.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLun

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\DOCS.exe | File opened: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\DOCS.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\DOCS.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\DOCS.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\DOCS.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\DOCS.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\DOCS.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\DOCS.exe Window / User API: threadDelayed 1070
                      Source: C:\Users\user\Desktop\DOCS.exe Window / User API: threadDelayed 8785
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Window / User API: threadDelayed 9549
                      Source: C:\Users\user\Desktop\DOCS.exe TID: 1232 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\DOCS.exe TID: 5072 Thread sleep time: -20291418481080494s >= -30000s
                      Source: C:\Users\user\Desktop\DOCS.exe TID: 5712 Thread sleep count: 1070 > 30
                      Source: C:\Users\user\Desktop\DOCS.exe TID: 5712 Thread sleep count: 8785 > 30
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 4644 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 4840 Thread sleep time: -19369081277395017s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 4520 Thread sleep count: 296 > 30
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 4520 Thread sleep count: 9549 > 30
                      Source: C:\Users\user\Desktop\DOCS.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\DOCS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\DOCS.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\DOCS.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
                      Source: NXLun.exe Binary or memory string: 3oEK0R7Nl5u1+kFZIzuylTq5IlSverUm3tJvbDoGCqNlts9V00GfVjTuJYdbQ18DniAOJNJ3hmmLJ7Lnt4nVuOFzn56MTpkwqqGN8dutXcbdfZ9RnrQemUuZykL0LGjQpW
                      Source: DOCS.exe, 00000004.00000002.510536562.00000000064B0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\DOCS.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\DOCS.exe Code function: 4_2_00F5A3B0 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\DOCS.exe Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\DOCS.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Modifies the hosts file
                      Source: C:\Users\user\Desktop\DOCS.exe File written: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\DOCS.exe Process created: C:\Users\user\Desktop\DOCS.exe C:\Users\user\Desktop\DOCS.exe
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                      Source: DOCS.exe, 00000004.00000002.501242387.0000000001570000.00000002.00000001.sdmp, NXLun.exe, 00000012.00000002.500083454.00000000018E0000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
                      Source: DOCS.exe, 00000004.00000002.501242387.0000000001570000.00000002.00000001.sdmp, NXLun.exe, 00000012.00000002.500083454.00000000018E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                      Source: DOCS.exe, 00000004.00000002.501242387.0000000001570000.00000002.00000001.sdmp, NXLun.exe, 00000012.00000002.500083454.00000000018E0000.00000002.00000001.sdmp Binary or memory string: Progman
                      Source: DOCS.exe, 00000004.00000002.501242387.0000000001570000.00000002.00000001.sdmp, NXLun.exe, 00000012.00000002.500083454.00000000018E0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\DOCS.exe Queries volume information: C:\Users\user\Desktop\DOCS.exe VolumeInformation
                      Source: C:\Users\user\Desktop\DOCS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DOCS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DOCS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DOCS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DOCS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DOCS.exe Queries volume information: C:\Users\user\Desktop\DOCS.exe VolumeInformation
                      Source: C:\Users\user\Desktop\DOCS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DOCS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DOCS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DOCS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DOCS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DOCS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DOCS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DOCS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DOCS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Modifies the hosts file
                      Source: C:\Users\user\Desktop\DOCS.exe File written: C:\Windows\System32\drivers\etc\hosts

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match File source: 1.2.DOCS.exe.4045b60.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.DOCS.exe.4085b80.8.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.DOCS.exe.4045b60.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.NXLun.exe.3cd5b80.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 4.2.DOCS.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.NXLun.exe.3cd5b80.8.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.NXLun.exe.3c95b60.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 18.2.NXLun.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.DOCS.exe.4085b80.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.DOCS.exe.4025b40.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.NXLun.exe.3c75b40.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.NXLun.exe.3c95b60.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000011.00000002.347326587.0000000003CD5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000012.00000002.495132037.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000011.00000002.347157176.0000000003C1D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000002.244914282.0000000004085000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000002.244277836.0000000003FCD000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000004.00000002.495044836.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Yara detected AgentTesla
                      Source: Yara match File source: 1.2.DOCS.exe.4045b60.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.DOCS.exe.4085b80.8.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.DOCS.exe.4045b60.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.NXLun.exe.3cd5b80.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 4.2.DOCS.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.DOCS.exe.2dc55d4.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.NXLun.exe.3cd5b80.8.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.NXLun.exe.3c95b60.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 18.2.NXLun.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.DOCS.exe.4085b80.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.DOCS.exe.4025b40.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.NXLun.exe.3c75b40.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.NXLun.exe.3c95b60.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.DOCS.exe.2dd4408.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.NXLun.exe.2a15758.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 17.2.NXLun.exe.2a2458c.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000011.00000002.347326587.0000000003CD5000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000012.00000002.495132037.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000011.00000002.347157176.0000000003C1D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000002.244914282.0000000004085000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000002.241626967.0000000002CB1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000002.244277836.0000000003FCD000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000011.00000002.337797812.0000000002901000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000004.00000002.495044836.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: DOCS.exe PID: 5928, type: MEMORY
                      Source: Yara match File source: Process Memory Space: DOCS.exe PID: 4992, type: MEMORY
                      Source: Yara match File source: Process Memory Space: NXLun.exe PID: 5388, type: MEMORY
                      Source: Yara match File source: Process Memory Space: NXLun.exe PID: 5372, type: MEMORY
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\DOCS.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\DOCS.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\DOCS.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Users\user\Desktop\DOCS.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Source: C:\Users\user\Desktop\DOCS.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Tries to steal Mail credentials (via file access)
                      Source: C:\Users\user\Desktop\DOCS.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\DOCS.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\DOCS.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\Desktop\DOCS.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Yara match File source: 00000004.00000002.502145216.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: DOCS.exe PID: 5928, type: MEMORY
                      Source: Yara match File source: Process Memory Space: NXLun.exe PID: 5388, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 1.2.DOCS.exe.4045b60.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCS.exe.4085b80.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCS.exe.4045b60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.NXLun.exe.3cd5b80.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.DOCS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.NXLun.exe.3cd5b80.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.NXLun.exe.3c95b60.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.NXLun.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCS.exe.4085b80.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCS.exe.4025b40.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.NXLun.exe.3c75b40.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.NXLun.exe.3c95b60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.347326587.0000000003CD5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.495132037.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.347157176.0000000003C1D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.244914282.0000000004085000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.244277836.0000000003FCD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.495044836.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match | File source: 1.2.DOCS.exe.4045b60.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCS.exe.4085b80.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCS.exe.4045b60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.NXLun.exe.3cd5b80.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.DOCS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCS.exe.2dc55d4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.NXLun.exe.3cd5b80.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.NXLun.exe.3c95b60.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.NXLun.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCS.exe.4085b80.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCS.exe.4025b40.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.NXLun.exe.3c75b40.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.NXLun.exe.3c95b60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCS.exe.2dd4408.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.NXLun.exe.2a15758.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.NXLun.exe.2a2458c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.347326587.0000000003CD5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.495132037.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.347157176.0000000003C1D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.244914282.0000000004085000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.241626967.0000000002CB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.244277836.0000000003FCD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.337797812.0000000002901000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.495044836.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DOCS.exe PID: 5928, type: MEMORY
Source: Yara match | File source: Process Memory Space: DOCS.exe PID: 4992, type: MEMORY
Source: Yara match | File source: Process Memory Space: NXLun.exe PID: 5388, type: MEMORY
Source: Yara match | File source: Process Memory Space: NXLun.exe PID: 5372, type: MEMORY

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Registry Run Keys / Startup Folder 1 | Process Injection 12 | File and Directory Permissions Modification 1 | OS Credential Dumping 2 | System Information Discovery 114 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 1 | Disable or Modify Tools 1 | Input Capture 1 | Query Registry 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Credentials in Registry 1 | Security Software Discovery 211 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture 1 | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | Virtualization/Sandbox Evasion 131 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Timestomp 1 | Cached Domain Credentials | Application Window Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading 1 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 131 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 12 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Files and Directories 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 452541 | Sample: DOCS.exe | Startdate: 22/07/2021 | Architecture: WINDOWS | Score: 100

(The graph itself is an image; the nodes and edges recoverable from its text follow.)

Start node signatures: Multi AV Scanner detection for submitted file; Yara detected AgentTesla; Yara detected AgentTesla; Machine Learning detection for sample

• DOCS.exe (started)
  - dropped: C:\Users\user\AppData\Local\...\DOCS.exe.log, ASCII
  - signature: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  - signature: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  - started: DOCS.exe
    - DNS/IP: us2.smtp.mailhostbox.com 208.91.199.225, 49738, 587 PUBLIC-DOMAIN-REGISTRYUS United States
    - dropped: C:\Users\user\AppData\Roaming\...\NXLun.exe, PE32
    - dropped: C:\Users\user\...\NXLun.exe:Zone.Identifier, ASCII
    - signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
    - signature: Tries to steal Mail credentials (via file access)
    - signature: Tries to harvest and steal ftp login credentials
    - 3 other signatures
• NXLun.exe (started)
  - signature: Multi AV Scanner detection for dropped file
  - signature: Machine Learning detection for dropped file
  - started: NXLun.exe
    - dropped: C:\Windows\System32\drivers\etc\hosts, ASCII
• NXLun.exe (started)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
DOCS.exe | 41% | Virustotal |
DOCS.exe | 52% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
DOCS.exe | 100% | Joe Sandbox ML |

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 52% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Unpacked PE Files

Source | Detection | Scanner | Label
4.2.DOCS.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
18.2.NXLun.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0A | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://hFHvHh.com | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://wiYfivfC8nSIDolSjnz.org | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.199.225 | true | false | | high

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | DOCS.exe, 00000004.00000002.506216357.0000000002ED0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://127.0.0.1:HTTP/1.1 | DOCS.exe, 00000004.00000002.502145216.0000000002B61000.00000004.00000001.sdmp, NXLun.exe, 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://ocsp.sectigo.com0A | DOCS.exe, 00000004.00000002.506216357.0000000002ED0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | NXLun.exe, 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://DynDns.comDynDNS | NXLun.exe, 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://hFHvHh.com | NXLun.exe, 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | DOCS.exe, 00000004.00000002.506216357.0000000002ED0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://us2.smtp.mailhostbox.com | DOCS.exe, 00000004.00000002.506101125.0000000002EC6000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | DOCS.exe, 00000004.00000002.502145216.0000000002B61000.00000004.00000001.sdmp, NXLun.exe, 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://wiYfivfC8nSIDolSjnz.org | DOCS.exe, 00000004.00000002.506391286.0000000002EED000.00000004.00000001.sdmp, DOCS.exe, 00000004.00000002.506031808.0000000002EC0000.00000004.00000001.sdmp, DOCS.exe, 00000004.00000002.502145216.0000000002B61000.00000004.00000001.sdmp, DOCS.exe, 00000004.00000002.505417799.0000000002E89000.00000004.00000001.sdmp, DOCS.exe, 00000004.00000002.506468128.0000000002EF5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | DOCS.exe, 00000001.00000002.244914282.0000000004085000.00000004.00000001.sdmp, DOCS.exe, 00000004.00000002.495044836.0000000000402000.00000040.00000001.sdmp, NXLun.exe, 00000011.00000002.347326587.0000000003CD5000.00000004.00000001.sdmp, NXLun.exe, 00000012.00000002.495132037.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%$ | DOCS.exe, 00000004.00000002.502145216.0000000002B61000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low

                          Contacted IPs


                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.91.199.225 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false

                          General Information

                          Joe Sandbox Version:33.0.0 White Diamond
                          Analysis ID:452541
                          Start date:22.07.2021
                          Start time:15:03:17
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 13m 32s
                          Hypervisor based Inspection enabled:false
                          Report type:light
                          Sample file name:DOCS.exe
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.adwa.spyw.evad.winEXE@7/6@1/1
                          EGA Information:Failed
                          HDC Information:Failed
                          HCA Information:
                          • Successful, ratio: 99%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .exe
                          Warnings:
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                          • Excluded IPs from analysis (whitelisted): 104.43.193.48, 23.211.6.115, 104.43.139.144, 13.64.90.137, 23.211.4.86, 20.82.209.183, 173.222.108.210, 173.222.108.226, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211
                          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                          • Report creation exceeded maximum time and may have missing disassembly code information.
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.

                          Simulations

                          Behavior and APIs

Time | Type | Description
15:04:29 | API Interceptor | 744x Sleep call for process: DOCS.exe modified
15:04:41 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
15:04:49 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
15:05:22 | API Interceptor | 391x Sleep call for process: NXLun.exe modified

                          Joe Sandbox View / Context

                          IPs

                          No context

                          Domains

                          No context

                          ASN

                          No context

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DOCS.exe.log
                          Process:C:\Users\user\Desktop\DOCS.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):886
                          Entropy (8bit):5.325593152230861
                          Encrypted:false
                          SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhgLE4qE4j:MIHK5HKXE1qHxviYHKhQnogLHqHj
                          MD5:68C56F3AE303DE073F0E946D68CC9989
                          SHA1:800140D71D44A869334051D2FE455E68FFB8A492
                          SHA-256:55AC389B15756DE1C06EE870CF36F9A6A269C11651A4B0C98838D618C90DE773
                          SHA-512:04232F108F22B6A72AB17126D3A6955079DF62069685F7CEA4E4823AC8B808C07644F26D0BD1B460DAE36E3DE165D65A82EEA68F1330A0F274BB130799DE0300
                          Malicious:true
                          Reputation:unknown
                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NXLun.exe.log
                          Process:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):886
                          Entropy (8bit):5.325593152230861
                          Encrypted:false
                          SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhgLE4qE4j:MIHK5HKXE1qHxviYHKhQnogLHqHj
                          MD5:68C56F3AE303DE073F0E946D68CC9989
                          SHA1:800140D71D44A869334051D2FE455E68FFB8A492
                          SHA-256:55AC389B15756DE1C06EE870CF36F9A6A269C11651A4B0C98838D618C90DE773
                          SHA-512:04232F108F22B6A72AB17126D3A6955079DF62069685F7CEA4E4823AC8B808C07644F26D0BD1B460DAE36E3DE165D65A82EEA68F1330A0F274BB130799DE0300
                          Malicious:false
                          Reputation:unknown
                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                          C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                          Process:C:\Users\user\Desktop\DOCS.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):850432
                          Entropy (8bit):4.084228889752601
                          Encrypted:false
                          SSDEEP:12288:KWyWaA3xU+8SeWYL6dKsEP19309tXzWhMlDf1xqispXhS4bc1Paz+WJWskVCyjUp:KnfVrt9MTGZSC8keQ
                          MD5:8E2AA51F45393D980A4D9B20947976B6
                          SHA1:44742C0E7752ECE4ED49C40D0F1B4E893C291005
                          SHA-256:02E6972EEC66F1F2B9898FA662D59C1F47856F180DAD385D766399ECAF763F5B
                          SHA-512:2FE59FF635022207464B42F82331A78C0864FAE60A91C9348D98DAD386F853F0100D029FBFA49086FC46D95AF6E11108F004E1189E5B9EEAB6540049746B072C
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 52%
                          Reputation:unknown
                          C:\Users\user\AppData\Roaming\NXLun\NXLun.exe:Zone.Identifier
                          Process:C:\Users\user\Desktop\DOCS.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Reputation:unknown
                          Preview: [ZoneTransfer]....ZoneId=0
                          C:\Windows\System32\drivers\etc\hosts
                          Process:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):11
                          Entropy (8bit):2.663532754804255
                          Encrypted:false
                          SSDEEP:3:iLE:iLE
                          MD5:B24D295C1F84ECBFB566103374FB91C5
                          SHA1:6A750D3F8B45C240637332071D34B403FA1FF55A
                          SHA-256:4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
                          SHA-512:9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
                          Malicious:true
                          Reputation:unknown
                          Preview: ..127.0.0.1
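The two dropped artefacts above are the basis for the report's "Hides that the sample has been downloaded from the Internet (zone.identifier)" and "Modifies the hosts file" signatures: the dropper writes its persisted copy's Zone.Identifier stream itself with ZoneId=0, so the copy never carries Mark-of-the-Web, and the hosts file is replaced with a single address token. The Python below is an added example, not tooling from Joe Sandbox or code from the sample: it parses a Zone.Identifier stream as the INI text Windows stores there, maps the zone id to its meaning, parses hosts content into entries and anomalies, and derives the two signatures. The sample inputs are reconstructed from the previews above (which render CRLF bytes as dots); the exact line layout of the 26-byte stream is an assumption.

```python
import ipaddress

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed inputs reconstructed from the report previews (CRLF shown there as dots):
# the 26-byte NXLun.exe:Zone.Identifier stream and the 11-byte rewritten hosts file.
ZONE_STREAM = b"[ZoneTransfer]\r\nZoneId=0\r\n"
HOSTS_FILE = b"\r\n127.0.0.1"


def parse_zone_identifier(data):
    """Parse a Zone.Identifier alternate data stream (INI text).

    Only ZoneId 3 (Internet) and 4 (Restricted sites) make Windows apply
    Mark-of-the-Web handling (SmartScreen, Office Protected View); a dropper
    that writes ZoneId=0 to its own persisted copy opts out of those checks.
    """
    keys, in_section = {}, False
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
        elif in_section and "=" in line:
            k, _, v = line.partition("=")
            keys[k.strip()] = v.strip()
    zone = keys.get("ZoneId")
    zone_id = int(zone) if zone is not None and zone.isdigit() else None
    return {"zone_id": zone_id,
            "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
            "referrer_url": keys.get("ReferrerUrl"),
            "host_url": keys.get("HostUrl"),
            "motw_suppressed": zone_id is not None and zone_id < 3}


def parse_hosts(data):
    """Parse hosts-file text into (address, [names]) entries and list anomalies."""
    entries, anomalies, comments = [], [], 0
    for lineno, raw in enumerate(data.decode("utf-8", errors="replace").splitlines(), 1):
        if raw.lstrip().startswith("#"):
            comments += 1
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        tokens = line.split()
        try:
            addr = ipaddress.ip_address(tokens[0])
        except ValueError:
            anomalies.append(f"line {lineno}: first token is not an address: {tokens[0]!r}")
            continue
        names = tokens[1:]
        if not names:
            anomalies.append(f"line {lineno}: address {addr} with no hostname")
        for name in names:
            # Loopback for anything but localhost is the classic "block the AV update server" trick.
            if addr.is_loopback and name.lower() not in ("localhost", "localhost.localdomain"):
                anomalies.append(f"line {lineno}: {name} sinkholed to {addr}")
        entries.append((str(addr), names))
    if comments == 0:
        # The default Windows hosts file consists only of comment lines.
        anomalies.append("no comment lines: the stock Windows hosts file was replaced")
    return {"entries": entries, "anomalies": anomalies}


def triage_dropped_files(zone_stream, hosts_file):
    """Combine both checks into the report-style signatures they support."""
    zone, hosts = parse_zone_identifier(zone_stream), parse_hosts(hosts_file)
    signatures = []
    if zone["motw_suppressed"]:
        signatures.append("Hides that the sample has been downloaded from the Internet (zone.identifier)")
    if hosts["anomalies"]:
        signatures.append("Modifies the hosts file")
    return {"zone": zone, "hosts": hosts, "signatures": signatures}


if __name__ == "__main__":
    print(triage_dropped_files(ZONE_STREAM, HOSTS_FILE))
```

On a live Windows host the stream is read with `open(path + ":Zone.Identifier", "rb")`; the parsers above work on the bytes so they can also run over files carved from a sandbox or a disk image. A ZoneId of 0 on a file in a user profile that the OS never created is the signal here; a browser download would have written ZoneId=3 plus ReferrerUrl/HostUrl.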

                          Static File Info

                          General

                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):4.084228889752601
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:DOCS.exe
                          File size:850432
                          MD5:8e2aa51f45393d980a4d9b20947976b6
                          SHA1:44742c0e7752ece4ed49c40d0f1b4e893c291005
                          SHA256:02e6972eec66f1f2b9898fa662d59c1f47856f180dad385d766399ecaf763f5b
                          SHA512:2fe59ff635022207464b42f82331a78c0864fae60a91c9348d98dad386f853f0100d029fbfa49086fc46d95af6e11108f004e1189e5b9eeab6540049746b072c
                          SSDEEP:12288:KWyWaA3xU+8SeWYL6dKsEP19309tXzWhMlDf1xqispXhS4bc1Paz+WJWskVCyjUp:KnfVrt9MTGZSC8keQ
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............^.... ... ....@.. .......................`............@................................

                          File Icon

                          Icon Hash:00828e8e8686b000

                          Static PE Info

                          General

                          Entrypoint:0x4d045e
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                          Time Stamp:0x91B5E3D7 [Thu Jun 20 04:11:03 2047 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:v4.0.30319
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                          Entrypoint Preview

                          Instruction
                          jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above repeats 97 times: the bytes after the six-byte jmp stub are zero padding, which the disassembler decodes as add byte ptr [eax], al. The jmp target 00402000h is the IAT entry at RVA 0x2000, i.e. the single import mscoree.dll!_CorExeMain listed under Imports; this is the standard native entry stub of a .NET executable, and the real program logic is managed code.)

                          Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xd040c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xd2000          0xfe5         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd4000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                          Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0xce464       0xce600   False     0.48092775212    data       4.06947033744    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xd2000          0xfe5         0x1000    False     0.396484375      data       4.99628295556    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xd4000          0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                          Resources

Name         RVA      Size   Type                                             Language  Country
RT_VERSION   0xd20a0  0x33c  data
RT_MANIFEST  0xd23dc  0xc09  XML 1.0 document, UTF-8 Unicode (with BOM) text

                          Imports

DLL          Import
mscoree.dll  _CorExeMain
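The static facts above (three sections, a CLR header at RVA 0x2008, a single mscoree.dll!_CorExeMain import reached through the IAT slot at RVA 0x2000, and a link timestamp in 2047) can all be recovered from the headers without executing anything. The Python below is an added example, not tooling from Joe Sandbox: analyze_pe reads the PE32 headers with struct, resolves the entry point to its section, checks that the entry stub is the FF 25 jmp into the IAT, reads the ILONLY flag from the CLR header and compares the link timestamp with the analysis date. build_sample_image constructs an image whose header values are copied from this report; its content bytes are zeros apart from the entry stub and CLR header, so it is not the sample, only a stand-in that lets the block run offline.

```python
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "i386", 0x8664: "x86-64"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14          # indices into the data directory array


def rva_to_offset(sections, rva):
    """Map an RVA to (file offset, section name) through the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"], s["name"]
    return None, None


def analyze_pe(data, analysis_date):
    """Header-only triage of a PE32 file: .NET markers, entry stub, timestamp sanity."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsect, timestamp = struct.unpack_from("<HHI", data, coff)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) optional headers handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    dll_chars, = struct.unpack_from("<H", data, opt + 70)
    ndirs, = struct.unpack_from("<I", data, opt + 92)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr})

    # A managed x86 EXE starts with "jmp dword ptr [IAT slot]" (FF 25 imm32) that goes
    # through the IAT to mscoree!_CorExeMain; everything after it is zero padding.
    entry_off, entry_section = rva_to_offset(sections, entry_rva)
    stub = data[entry_off:entry_off + 6] if entry_off is not None else b""
    iat_rva, iat_size = dirs[DIR_IAT] if ndirs > DIR_IAT else (0, 0)
    jumps_via_iat = False
    if len(stub) == 6 and stub[:2] == b"\xff\x25":
        target_rva = struct.unpack_from("<I", stub, 2)[0] - image_base
        jumps_via_iat = iat_rva <= target_rva < iat_rva + iat_size

    # CLR header (IMAGE_COR20_HEADER): Flags at +16, bit 0 = COMIMAGE_FLAGS_ILONLY.
    com_rva, com_size = dirs[DIR_COM_DESCRIPTOR] if ndirs > DIR_COM_DESCRIPTOR else (0, 0)
    ilonly = None
    if com_rva and com_size:
        com_off, _ = rva_to_offset(sections, com_rva)
        if com_off is not None:
            flags, = struct.unpack_from("<I", data, com_off + 16)
            ilonly = bool(flags & 1)

    linked = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    analysed = datetime.fromisoformat(analysis_date).replace(tzinfo=timezone.utc)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": [s["name"] for s in sections],
        "entry_rva": entry_rva,
        "entry_section": entry_section,
        "entry_jumps_via_iat": jumps_via_iat,
        "is_dotnet": bool(com_rva),
        "clr_ilonly": ilonly,
        "timestamp_utc": linked.strftime("%Y-%m-%d %H:%M:%S"),
        "timestamp_in_future": linked > analysed,     # link time later than analysis time
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
    }


def build_sample_image():
    """Constructed PE32 image (not the sample's bytes) whose header values mirror the report."""
    img = bytearray(0xCFA00)                      # 850432 bytes, the reported file size
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)       # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 3, 0x91B5E3D7, 0, 0, 0xE0, 0x0102)
    opt = 0x98
    struct.pack_into("<HBBIIIIIIIII", img, opt, 0x10B, 48, 0, 0xCE600, 0x1200, 0,
                     0xD045E, 0x2000, 0xD2000, 0x400000, 0x2000, 0x200)
    struct.pack_into("<HHHHHHIIIIHHIIIIII", img, opt + 40, 4, 0, 4, 0, 4, 0,
                     0, 0xD6000, 0x200, 0, 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    for idx, (rva, size) in {1: (0xD040C, 0x4F), 2: (0xD2000, 0xFE5), 5: (0xD4000, 0xC),
                             12: (0x2000, 0x8), 14: (0x2008, 0x48)}.items():
        struct.pack_into("<II", img, opt + 96 + 8 * idx, rva, size)
    sections = [(b".text", 0xCE464, 0x2000, 0xCE600, 0x200, 0x60000020),
                (b".rsrc", 0xFE5, 0xD2000, 0x1000, 0xCE800, 0x40000040),
                (b".reloc", 0xC, 0xD4000, 0x200, 0xCF800, 0x42000040)]
    for i, (name, vsize, va, rawsize, rawptr, chars) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", img, opt + 0xE0 + 40 * i,
                         name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    struct.pack_into("<IHHIII", img, 0x208, 0x48, 2, 5, 0x2050, 0x100, 1)   # COR20 header, ILONLY
    img[0xCE65E:0xCE664] = b"\xff\x25" + struct.pack("<I", 0x402000)        # jmp dword ptr [0x402000]
    return bytes(img)


if __name__ == "__main__":
    print(analyze_pe(build_sample_image(), "2021-07-22"))
```

One caveat on the timestamp check: a .NET assembly built with the Roslyn /deterministic option carries a content hash in TimeDateStamp rather than a build time, so a date in 2047 on its own is a weak indicator; it is the combination with the Symlink-Maker version info and the behaviour below that makes it meaningful here.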

                          Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2019
Assembly Version  1.0.0.0
InternalName      Symlink-Maker.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       Symlink-Maker
ProductVersion    1.0.0.0
FileDescription   Symlink-Maker
OriginalFilename  Symlink-Maker.exe

                          Network Behavior

                          TCP Packets

Timestamp                            Src Port  Dst Port  Source IP       Dest IP
Jul 22, 2021 15:05:59.534951925 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:05:59.698244095 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:05:59.698402882 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:00.284007072 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:00.285490990 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:00.449172974 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:00.449270010 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:00.449773073 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:00.614298105 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:00.662841082 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:00.703207016 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:00.866774082 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:00.866801023 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:00.866821051 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:00.866836071 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:00.866852999 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:00.867183924 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:00.867213964 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:01.030495882 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:01.035595894 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:01.207036018 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:01.256036997 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:01.507761955 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:01.674191952 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:01.678570986 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:01.843699932 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:01.844660997 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:02.010176897 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:02.011212111 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:02.176107883 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:02.176580906 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:02.360199928 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:02.361067057 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:02.524844885 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:02.526426077 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:02.526604891 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:02.527448893 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:02.527561903 CEST 49738     587       192.168.2.7     208.91.199.225
Jul 22, 2021 15:06:02.689796925 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:02.690669060 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:02.789310932 CEST 587       49738     208.91.199.225  192.168.2.7
Jul 22, 2021 15:06:02.834201097 CEST 49738     587       192.168.2.7     208.91.199.225

                          UDP Packets

Timestamp                            Src Port  Dst Port  Source IP    Dest IP
Jul 22, 2021 15:03:59.972803116 CEST 50848     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:00.025115013 CEST 53        50848     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:01.794532061 CEST 61242     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:01.852119923 CEST 53        61242     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:12.693896055 CEST 58562     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:12.746890068 CEST 53        58562     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:13.709847927 CEST 56590     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:13.767812967 CEST 53        56590     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:15.124782085 CEST 60501     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:15.174043894 CEST 53        60501     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:16.156122923 CEST 53775     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:16.208539963 CEST 53        53775     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:17.777354002 CEST 51837     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:17.827471972 CEST 53        51837     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:19.340184927 CEST 55411     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:19.389429092 CEST 53        55411     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:21.554909945 CEST 63668     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:21.604010105 CEST 53        63668     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:24.487034082 CEST 54640     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:24.547174931 CEST 53        54640     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:26.189495087 CEST 58739     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:26.250736952 CEST 53        58739     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:26.372477055 CEST 60338     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:26.432322979 CEST 53        60338     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:28.536798000 CEST 58717     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:28.595110893 CEST 53        58717     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:29.805582047 CEST 59762     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:29.855804920 CEST 53        59762     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:30.771035910 CEST 54329     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:30.821212053 CEST 53        54329     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:31.735332966 CEST 58052     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:31.793848991 CEST 53        58052     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:32.777951956 CEST 54008     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:32.832200050 CEST 53        54008     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:33.991823912 CEST 59451     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:34.051959991 CEST 53        59451     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:35.164995909 CEST 52914     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:35.218954086 CEST 53        52914     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:35.814225912 CEST 64569     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:35.887300968 CEST 53        64569     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:36.433042049 CEST 52816     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:36.485438108 CEST 53        52816     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:37.572786093 CEST 50781     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:37.626529932 CEST 53        50781     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:38.823156118 CEST 54230     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:38.883908987 CEST 53        54230     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:40.408902884 CEST 54911     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:40.461357117 CEST 53        54911     8.8.8.8      192.168.2.7
Jul 22, 2021 15:04:54.605417967 CEST 49958     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:04:54.663815975 CEST 53        49958     8.8.8.8      192.168.2.7
Jul 22, 2021 15:05:02.136678934 CEST 50860     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:05:02.196635008 CEST 53        50860     8.8.8.8      192.168.2.7
Jul 22, 2021 15:05:03.112910032 CEST 50452     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:05:03.171888113 CEST 53        50452     8.8.8.8      192.168.2.7
Jul 22, 2021 15:05:03.914273977 CEST 59730     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:05:03.963807106 CEST 53        59730     8.8.8.8      192.168.2.7
Jul 22, 2021 15:05:03.973289013 CEST 59310     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:05:04.635366917 CEST 51919     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:05:04.693084955 CEST 53        51919     8.8.8.8      192.168.2.7
Jul 22, 2021 15:05:05.018073082 CEST 59310     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:05:05.111243010 CEST 53        59310     8.8.8.8      192.168.2.7
Jul 22, 2021 15:05:05.619879007 CEST 64296     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:05:05.680975914 CEST 53        64296     8.8.8.8      192.168.2.7
Jul 22, 2021 15:05:06.423779011 CEST 56680     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:05:06.481934071 CEST 53        56680     8.8.8.8      192.168.2.7
Jul 22, 2021 15:05:07.466336966 CEST 58820     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:05:07.515759945 CEST 53        58820     8.8.8.8      192.168.2.7
Jul 22, 2021 15:05:08.371182919 CEST 60983     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:05:08.421664000 CEST 53        60983     8.8.8.8      192.168.2.7
Jul 22, 2021 15:05:09.418557882 CEST 49247     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:05:09.467994928 CEST 53        49247     8.8.8.8      192.168.2.7
Jul 22, 2021 15:05:10.045176029 CEST 52286     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:05:10.104963064 CEST 53        52286     8.8.8.8      192.168.2.7
Jul 22, 2021 15:05:13.586437941 CEST 56064     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:05:13.647413015 CEST 53        56064     8.8.8.8      192.168.2.7
Jul 22, 2021 15:05:44.636132002 CEST 63744     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:05:44.713265896 CEST 53        63744     8.8.8.8      192.168.2.7
Jul 22, 2021 15:05:46.613745928 CEST 61457     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:05:46.673582077 CEST 53        61457     8.8.8.8      192.168.2.7
Jul 22, 2021 15:05:59.297796965 CEST 58367     53        192.168.2.7  8.8.8.8
Jul 22, 2021 15:05:59.370481014 CEST 53        58367     8.8.8.8      192.168.2.7

                          DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                      Type            Class
Jul 22, 2021 15:05:59.297796965 CEST 192.168.2.7  8.8.8.8  0x2d4d    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)

                          DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                      CName  Address         Type            Class
Jul 22, 2021 15:05:59.370481014 CEST 8.8.8.8    192.168.2.7  0x2d4d    No error (0)  us2.smtp.mailhostbox.com         208.91.199.225  A (IP address)  IN (0x0001)
Jul 22, 2021 15:05:59.370481014 CEST 8.8.8.8    192.168.2.7  0x2d4d    No error (0)  us2.smtp.mailhostbox.com         208.91.199.224  A (IP address)  IN (0x0001)
Jul 22, 2021 15:05:59.370481014 CEST 8.8.8.8    192.168.2.7  0x2d4d    No error (0)  us2.smtp.mailhostbox.com         208.91.199.223  A (IP address)  IN (0x0001)
Jul 22, 2021 15:05:59.370481014 CEST 8.8.8.8    192.168.2.7  0x2d4d    No error (0)  us2.smtp.mailhostbox.com         208.91.198.143  A (IP address)  IN (0x0001)

                          SMTP Packets

Timestamp                            Src Port  Dst Port  Source IP       Dest IP         Commands
Jul 22, 2021 15:06:00.284007072 CEST 587       49738     208.91.199.225  192.168.2.7     220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 22, 2021 15:06:00.285490990 CEST 49738     587       192.168.2.7     208.91.199.225  EHLO 899552
Jul 22, 2021 15:06:00.449270010 CEST 587       49738     208.91.199.225  192.168.2.7     250-us2.outbound.mailhostbox.com
                                                                                         250-PIPELINING
                                                                                         250-SIZE 41648128
                                                                                         250-VRFY
                                                                                         250-ETRN
                                                                                         250-STARTTLS
                                                                                         250-AUTH PLAIN LOGIN
                                                                                         250-AUTH=PLAIN LOGIN
                                                                                         250-ENHANCEDSTATUSCODES
                                                                                         250-8BITMIME
                                                                                         250 DSN
Jul 22, 2021 15:06:00.449773073 CEST 49738     587       192.168.2.7     208.91.199.225  STARTTLS
Jul 22, 2021 15:06:00.614298105 CEST 587       49738     208.91.199.225  192.168.2.7     220 2.0.0 Ready to start TLS
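The dialogue above is all the plaintext a network sensor ever sees of this exfiltration channel: once the server answers 220 Ready to start TLS, the AUTH exchange (the stolen mail account's credentials) and the DATA with the harvested secrets travel inside TLS. The Python below is an added example, not code from the report or from the sample; it replays the captured lines (constructed from the table above) together with the DNS answer and the first packet of the TCP flow, and produces one finding that records the indicators that survive STARTTLS: the resolved mail host, the EHLO name, the offered AUTH mechanisms and whether the session went encrypted. The rule that a dot-less or all-digit EHLO name is suspicious is my own heuristic, not something the report states.

```python
import re

# Constructed from the SMTP Packets table above: ("S", line) is 208.91.199.225:587,
# ("C", line) is the sandbox host 192.168.2.7:49738. Nothing after the last line is
# visible in the capture, because the session switches to TLS.
SESSION = [
    ("S", "220 us2.outbound.mailhostbox.com ESMTP Postfix"),
    ("C", "EHLO 899552"),
    ("S", "250-us2.outbound.mailhostbox.com"),
    ("S", "250-PIPELINING"),
    ("S", "250-SIZE 41648128"),
    ("S", "250-VRFY"),
    ("S", "250-ETRN"),
    ("S", "250-STARTTLS"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250-AUTH=PLAIN LOGIN"),
    ("S", "250-ENHANCEDSTATUSCODES"),
    ("S", "250-8BITMIME"),
    ("S", "250 DSN"),
    ("C", "STARTTLS"),
    ("S", "220 2.0.0 Ready to start TLS"),
]
# DNS Answers and the first packet of the TCP flow, taken from the tables above.
DNS_ANSWERS = {"us2.smtp.mailhostbox.com":
               ["208.91.199.225", "208.91.199.224", "208.91.199.223", "208.91.198.143"]}
FLOW = {"src": "192.168.2.7", "sport": 49738, "dst": "208.91.199.225", "dport": 587}

MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}


def parse_smtp_session(session):
    """Extract the indicators present in the plaintext preamble of an SMTP session."""
    info = {"banner": None, "ehlo_name": None, "auth_mechanisms": set(),
            "starttls_offered": False, "starttls_requested": False, "tls_started": False}
    for who, line in session:
        if who == "S":
            code, sep, rest = line[:3], line[3:4], line[4:].strip()
            if code == "220" and info["banner"] is None:
                info["banner"] = rest                        # greeting: host + software
            elif code == "220" and info["starttls_requested"]:
                info["tls_started"] = True                   # "220 Ready to start TLS"
            elif code == "250" and sep in "- ":              # EHLO capability list
                if rest.upper() == "STARTTLS":
                    info["starttls_offered"] = True
                m = re.match(r"AUTH[ =](.+)", rest, re.I)
                if m:
                    info["auth_mechanisms"].update(m.group(1).upper().split())
        else:
            verb, _, arg = line.partition(" ")
            if verb.upper() in ("EHLO", "HELO"):
                info["ehlo_name"] = arg.strip()
            elif verb.upper() == "STARTTLS":
                info["starttls_requested"] = True
    return info


def ehlo_looks_generated(name):
    """Heuristic (mine, not the report's): real mail clients send a hostname; a bare
    number or dot-less token in EHLO is typical of stealer code filling in an id."""
    return name is not None and (name.isdigit() or "." not in name)


def detect_smtp_exfil(flow, dns_answers, session):
    """Correlate one TCP flow with DNS answers and its SMTP dialogue; None if not mail."""
    service = MAIL_PORTS.get(flow["dport"])
    if service is None:
        return None
    names = [n for n, addrs in dns_answers.items() if flow["dst"] in addrs]
    s = parse_smtp_session(session)
    return {
        "destination": f"{flow['dst']}:{flow['dport']}",
        "service": service,
        "resolved_name": names[0] if names else None,
        "server_banner": s["banner"],
        "ehlo_name": s["ehlo_name"],
        "ehlo_looks_generated": ehlo_looks_generated(s["ehlo_name"]),
        "auth_mechanisms": sorted(s["auth_mechanisms"]),
        "encrypted_after_starttls": s["starttls_requested"] and s["tls_started"],
        # AUTH PLAIN/LOGIN carry the password base64-encoded; they are readable on the
        # wire only if the client never upgrades to TLS.
        "credentials_would_be_plaintext": bool(s["auth_mechanisms"]) and not s["tls_started"],
    }


if __name__ == "__main__":
    print(detect_smtp_exfil(FLOW, DNS_ANSWERS, SESSION))
```

For response, the useful pivots from this finding are the resolved name and the server's A records (block or alert on outbound 587 to them from anything that is not a mail client), and the fact that the credentials were sent under TLS: recovering the attacker's mailbox login from the capture is not possible, so it has to come from memory or from the decrypted configuration of the sample.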

                          System Behavior

                          General

                          Start time:15:04:07
                          Start date:22/07/2021
                          Path:C:\Users\user\Desktop\DOCS.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Users\user\Desktop\DOCS.exe'
                          Imagebase:0x890000
                          File size:850432 bytes
                          MD5 hash:8E2AA51F45393D980A4D9B20947976B6
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.244914282.0000000004085000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.244914282.0000000004085000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.241626967.0000000002CB1000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.244277836.0000000003FCD000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.244277836.0000000003FCD000.00000004.00000001.sdmp, Author: Joe Security
                          Reputation:low

                          General

                          Start time:15:04:12
                          Start date:22/07/2021
                          Path:C:\Users\user\Desktop\DOCS.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\Desktop\DOCS.exe
                          Imagebase:0x6e0000
                          File size:850432 bytes
                          MD5 hash:8E2AA51F45393D980A4D9B20947976B6
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.502145216.0000000002B61000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.495044836.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.495044836.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          Reputation:low

                          General

                          Start time:15:04:50
                          Start date:22/07/2021
                          Path:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
                          Imagebase:0x3a0000
                          File size:850432 bytes
                          MD5 hash:8E2AA51F45393D980A4D9B20947976B6
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.347326587.0000000003CD5000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000011.00000002.347326587.0000000003CD5000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.347157176.0000000003C1D000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000011.00000002.347157176.0000000003C1D000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.337797812.0000000002901000.00000004.00000001.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 52%, ReversingLabs
                          Reputation:low

                          General

                          Start time:15:04:56
                          Start date:22/07/2021
                          Path:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                          Imagebase:0xa30000
                          File size:850432 bytes
                          MD5 hash:8E2AA51F45393D980A4D9B20947976B6
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.495132037.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000012.00000002.495132037.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.500663594.0000000003081000.00000004.00000001.sdmp, Author: Joe Security
                          Reputation:low

                          General

                          Start time:15:04:58
                          Start date:22/07/2021
                          Path:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                          Wow64 process (32bit):true
                          Commandline:'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
                          Imagebase:0xbb0000
                          File size:850432 bytes
                          MD5 hash:8E2AA51F45393D980A4D9B20947976B6
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:low
