Windows Analysis Report: model 800 DD.exe

Overview

General Information

Sample Name: model 800 DD.exe
Analysis ID: 458837
MD5: d7191bd9419ce60f57122e0a3b6d8449
SHA1: 7b847b776a23dff9fa06429f7ab6bf05a27cf51c
SHA256: bb422900a755e4aa68626b1451545a2e36e1acf79d975ae6bda7da78313c3205
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • model 800 DD.exe (PID: 2848 cmdline: 'C:\Users\user\Desktop\model 800 DD.exe' MD5: D7191BD9419CE60F57122E0A3B6D8449)
    • model 800 DD.exe (PID: 5840 cmdline: C:\Users\user\Desktop\model 800 DD.exe MD5: D7191BD9419CE60F57122E0A3B6D8449)
    • model 800 DD.exe (PID: 4276 cmdline: C:\Users\user\Desktop\model 800 DD.exe MD5: D7191BD9419CE60F57122E0A3B6D8449)
    • model 800 DD.exe (PID: 4632 cmdline: C:\Users\user\Desktop\model 800 DD.exe MD5: D7191BD9419CE60F57122E0A3B6D8449)
  • rmKknnU.exe (PID: 5732 cmdline: 'C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe' MD5: D7191BD9419CE60F57122E0A3B6D8449)
    • rmKknnU.exe (PID: 4944 cmdline: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe MD5: D7191BD9419CE60F57122E0A3B6D8449)
  • rmKknnU.exe (PID: 5592 cmdline: 'C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe' MD5: D7191BD9419CE60F57122E0A3B6D8449)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "accounts@alexfoxfreight.com", "Password": "Ueos*93sj!#!12", "Host": "mail.alexfoxfreight.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000016.00000002.495139244.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000016.00000002.495139244.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000006.00000002.500269130.0000000002C01000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.500269130.0000000002C01000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.495247778.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
6.2.model 800 DD.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.2.model 800 DD.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
22.2.rmKknnU.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
22.2.rmKknnU.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 6.2.model 800 DD.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "accounts@alexfoxfreight.com", "Password": "Ueos*93sj!#!12", "Host": "mail.alexfoxfreight.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Virustotal: Detection: 35%
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | ReversingLabs: Detection: 76%
Multi AV Scanner detection for submitted file
Source: model 800 DD.exe | Virustotal: Detection: 35%
Source: model 800 DD.exe | ReversingLabs: Detection: 76%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: model 800 DD.exe | Joe Sandbox ML: detected
Source: 6.2.model 800 DD.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 22.2.rmKknnU.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: model 800 DD.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: model 800 DD.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49738 -> 172.81.56.199:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49739 -> 172.81.56.199:587
Source: model 800 DD.exe, 00000006.00000002.500269130.0000000002C01000.00000004.00000001.sdmp, rmKknnU.exe, 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: rmKknnU.exe, 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp | String found in binary or memory: http://BYnWgg.com
Source: rmKknnU.exe, 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: model 800 DD.exe, 00000006.00000002.501035203.0000000002CAC000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: rmKknnU.exe, 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: model 800 DD.exe, 00000006.00000002.495247778.0000000000402000.00000040.00000001.sdmp, rmKknnU.exe, 00000016.00000002.495139244.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: model 800 DD.exe, 00000006.00000002.500269130.0000000002C01000.00000004.00000001.sdmp, rmKknnU.exe, 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Users\user\Desktop\model 800 DD.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 6.2.model 800 DD.exe.400000.0.unpack, <PrivateImplementationDetails>{22DD7206-F3D4-4291-86BB-4D02D5CEE8A3}/C5FE9DF1-DE0B-4117-9865-E2D99C7738EE.cs | Large array initialization: .cctor: array initializer size 12063
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 3_2_0031BA7C
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 3_2_0031B62C
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 3_2_00319808
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 4_2_003DBA7C
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 4_2_003DB62C
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 4_2_003D9808
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 6_2_0076BA7C
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 6_2_0076B62C
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 6_2_00D124A0
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 6_2_011047A0
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 6_2_011046D0
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 6_2_0110D5EB
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 6_2_05F76510
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 6_2_05F77128
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 6_2_05F790F0
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 6_2_05F76858
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 6_2_062C5690
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 6_2_062C8FE0
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 6_2_062C89A9
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 6_2_00769808
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Code function: 22_2_00AFB62C
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Code function: 22_2_00AFBA7C
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Code function: 22_2_02ED47A0
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Code function: 22_2_02ED46D0
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Code function: 22_2_02ED46B0
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Code function: 22_2_02EDD5E1
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Code function: 22_2_00AF9808
Source: model 800 DD.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: rmKknnU.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: model 800 DD.exe, 00000001.00000000.226326900.0000000000D32000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStackBehavio.exe< vs model 800 DD.exe
Source: model 800 DD.exe | Binary or memory string: OriginalFilename vs model 800 DD.exe
Source: model 800 DD.exe, 00000003.00000000.269543360.0000000000312000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStackBehavio.exe< vs model 800 DD.exe
Source: model 800 DD.exe, 00000004.00000000.271691612.00000000003D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStackBehavio.exe< vs model 800 DD.exe
Source: model 800 DD.exe, 00000006.00000000.273264577.0000000000762000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStackBehavio.exe< vs model 800 DD.exe
Source: model 800 DD.exe, 00000006.00000002.495247778.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWpPJaFVmXtHjOcxkbOqsNEqrCsGpa.exe( vs model 800 DD.exe
Source: model 800 DD.exe, 00000006.00000002.504985782.0000000005CA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs model 800 DD.exe
Source: model 800 DD.exe | Binary or memory string: OriginalFilenameStackBehavio.exe< vs model 800 DD.exe
Source: model 800 DD.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: model 800 DD.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: rmKknnU.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 6.2.model 800 DD.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/4@0/0
Source: C:\Users\user\Desktop\model 800 DD.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\model 800 DD.exe.log
Source: model 800 DD.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\model 800 DD.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\model 800 DD.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\model 800 DD.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: model 800 DD.exe | Virustotal: Detection: 35%
Source: model 800 DD.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\model 800 DD.exe | File read: C:\Users\user\Desktop\model 800 DD.exe
Source: unknown | Process created: C:\Users\user\Desktop\model 800 DD.exe 'C:\Users\user\Desktop\model 800 DD.exe'
Source: C:\Users\user\Desktop\model 800 DD.exe | Process created: C:\Users\user\Desktop\model 800 DD.exe C:\Users\user\Desktop\model 800 DD.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe 'C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe'
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Process created: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe
Source: C:\Users\user\Desktop\model 800 DD.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\model 800 DD.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: model 800 DD.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: model 800 DD.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: model 800 DD.exe | Static file information: File size 1348608 > 1048576
Source: model 800 DD.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13b800
Source: model 800 DD.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: initial sample | Static PE information: section name: .text entropy: 7.57001311304
Source: C:\Users\user\Desktop\model 800 DD.exe | File created: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe
Source: C:\Users\user\Desktop\model 800 DD.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run rmKknnU

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\model 800 DD.exe | File opened: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\model 800 DD.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\model 800 DD.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\model 800 DD.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\model 800 DD.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\model 800 DD.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\model 800 DD.exe | Window / User API: threadDelayed 880
Source: C:\Users\user\Desktop\model 800 DD.exe | Window / User API: threadDelayed 8974
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Window / User API: threadDelayed 9632
Source: C:\Users\user\Desktop\model 800 DD.exe TID: 4940 | Thread sleep time: -40336s >= -30000s
Source: C:\Users\user\Desktop\model 800 DD.exe TID: 4492 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\model 800 DD.exe TID: 5980 | Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe TID: 5752 | Thread sleep time: -44073s >= -30000s
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe TID: 4840 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe TID: 4960 | Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe TID: 1844 | Thread sleep count: 226 > 30
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe TID: 1844 | Thread sleep count: 9632 > 30
Source: C:\Users\user\Desktop\model 800 DD.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\model 800 DD.exe | Thread delayed: delay time: 40336
Source: C:\Users\user\Desktop\model 800 DD.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\model 800 DD.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Thread delayed: delay time: 44073
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Thread delayed: delay time: 922337203685477
Source: model 800 DD.exe, 00000006.00000002.504985782.0000000005CA0000.00000002.00000001.sdmp, rmKknnU.exe, 00000016.00000002.504865385.00000000061F0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: model 800 DD.exe, 00000006.00000002.504985782.0000000005CA0000.00000002.00000001.sdmp, rmKknnU.exe, 00000016.00000002.504865385.00000000061F0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: model 800 DD.exe, 00000006.00000002.504985782.0000000005CA0000.00000002.00000001.sdmp, rmKknnU.exe, 00000016.00000002.504865385.00000000061F0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: model 800 DD.exe, 00000006.00000002.504985782.0000000005CA0000.00000002.00000001.sdmp, rmKknnU.exe, 00000016.00000002.504865385.00000000061F0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\model 800 DD.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\model 800 DD.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\model 800 DD.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\model 800 DD.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\model 800 DD.exe | Memory written: C:\Users\user\Desktop\model 800 DD.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\model 800 DD.exe | Process created: C:\Users\user\Desktop\model 800 DD.exe C:\Users\user\Desktop\model 800 DD.exe
Source: C:\Users\user\Desktop\model 800 DD.exe | Process created: C:\Users\user\Desktop\model 800 DD.exe C:\Users\user\Desktop\model 800 DD.exe
Source: C:\Users\user\Desktop\model 800 DD.exe | Process created: C:\Users\user\Desktop\model 800 DD.exe C:\Users\user\Desktop\model 800 DD.exe
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Process created: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe
Source: model 800 DD.exe, 00000006.00000002.498969002.0000000001600000.00000002.00000001.sdmp, rmKknnU.exe, 00000016.00000002.498750905.0000000001A30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: model 800 DD.exe, 00000006.00000002.498969002.0000000001600000.00000002.00000001.sdmp, rmKknnU.exe, 00000016.00000002.498750905.0000000001A30000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: model 800 DD.exe, 00000006.00000002.498969002.0000000001600000.00000002.00000001.sdmp, rmKknnU.exe, 00000016.00000002.498750905.0000000001A30000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: model 800 DD.exe, 00000006.00000002.498969002.0000000001600000.00000002.00000001.sdmp, rmKknnU.exe, 00000016.00000002.498750905.0000000001A30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: model 800 DD.exe, 00000006.00000002.498969002.0000000001600000.00000002.00000001.sdmp, rmKknnU.exe, 00000016.00000002.498750905.0000000001A30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\model 800 DD.exe | Queries volume information: C:\Users\user\Desktop\model 800 DD.exe VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe | Queries volume information: C:\Users\user\Desktop\model 800 DD.exe VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Queries volume information: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Queries volume information: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Queries volume information: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe | Code function: 6_2_05F754E4 GetUserNameW,
Source: C:\Users\user\Desktop\model 800 DD.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 6.2.model 800 DD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rmKknnU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000016.00000002.495139244.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.495247778.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match | File source: 6.2.model 800 DD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rmKknnU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000016.00000002.495139244.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.500269130.0000000002C01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.495247778.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: model 800 DD.exe PID: 4632, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 6.2.model 800 DD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rmKknnU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000016.00000002.495139244.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.495247778.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match | File source: 6.2.model 800 DD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rmKknnU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000016.00000002.495139244.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.500269130.0000000002C01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.495247778.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: model 800 DD.exe PID: 4632, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation211 | Registry Run Keys / Startup Folder1 | Process Injection112 | Masquerading1 | OS Credential Dumping | Security Software Discovery211 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder1 | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion131 | Security Account Manager | Virtualization/Sandbox Evasion131 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Account Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Owner/User Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information1 | DCSync | System Information Discovery113 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing3 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                    Behavior Graph


                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 458837 | Sample: model 800 DD.exe | Start date: 03/08/2021 | Architecture: WINDOWS | Score: 100
Signatures on the start node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; 6 other signatures
Processes started from the start node: model 800 DD.exe; rmKknnU.exe; rmKknnU.exe
model 800 DD.exe: dropped C:\Users\user\...\model 800 DD.exe.log (ASCII); signature: Injects a PE file into a foreign processes; started model 800 DD.exe (three instances)
rmKknnU.exe: signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); started rmKknnU.exe
model 800 DD.exe (injected child): dropped C:\Users\user\AppData\Roaming\...\rmKknnU.exe (PE32) and C:\Users\user\...\rmKknnU.exe:Zone.Identifier (ASCII); signature: Hides that the sample has been downloaded from the Internet (zone.identifier)

                    Screenshots


                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

Source | Detection | Scanner | Label
model 800 DD.exe | 36% | Virustotal |
model 800 DD.exe | 77% | ReversingLabs | ByteCode-MSIL.Trojan.AgenteslaPacker
model 800 DD.exe | 100% | Joe Sandbox ML |

                    Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | 36% | Virustotal |
C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe | 77% | ReversingLabs | ByteCode-MSIL.Trojan.AgenteslaPacker

                    Unpacked PE Files

Source | Detection | Scanner | Label
6.2.model 800 DD.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
22.2.rmKknnU.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                    Domains

                    No Antivirus matches

                    URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://BYnWgg.com | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                    Domains and IPs

                    Contacted Domains

                    No contacted domains info

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | model 800 DD.exe, 00000006.00000002.500269130.0000000002C01000.00000004.00000001.sdmp, rmKknnU.exe, 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.org%GETMozilla/5.0 | rmKknnU.exe, 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://BYnWgg.com | rmKknnU.exe, 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://DynDns.comDynDNS | rmKknnU.exe, 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | model 800 DD.exe, 00000006.00000002.500269130.0000000002C01000.00000004.00000001.sdmp, rmKknnU.exe, 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org% | model 800 DD.exe, 00000006.00000002.501035203.0000000002CAC000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | model 800 DD.exe, 00000006.00000002.495247778.0000000000402000.00000040.00000001.sdmp, rmKknnU.exe, 00000016.00000002.495139244.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                    Contacted IPs

                    No contacted IP infos

                    General Information

                    Joe Sandbox Version: 33.0.0 White Diamond
                    Analysis ID: 458837
                    Start date: 03.08.2021
                    Start time: 19:35:42
                    Joe Sandbox Product: CloudBasic
                    Overall analysis duration: 0h 12m 10s
                    Hypervisor based Inspection enabled: false
                    Report type: light
                    Sample file name: model 800 DD.exe
                    Cookbook file name: default.jbs
                    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of new started processes analysed: 27
                    Number of new started drivers analysed: 0
                    Number of existing processes analysed: 0
                    Number of existing drivers analysed: 0
                    Number of injected processes analysed: 0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode: default
                    Analysis stop reason: Timeout
                    Detection: MAL
                    Classification: mal100.troj.evad.winEXE@11/4@0/0
                    EGA Information: Failed
                    HDC Information:
                    • Successful, ratio: 0.1% (good quality ratio 0%)
                    • Quality average: 23%
                    • Quality standard deviation: 32.5%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Found application associated with file extension: .exe
                    Warnings:
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                    • Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.

                    Simulations

                    Behavior and APIs

                    Time | Type | Description
                    19:36:52 | API Interceptor | 616x Sleep call for process: model 800 DD.exe modified
                    19:37:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run rmKknnU C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe
                    19:37:27 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run rmKknnU C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe
                    19:37:56 | API Interceptor | 215x Sleep call for process: rmKknnU.exe modified

                    Joe Sandbox View / Context

                    IPs

                    No context

                    Domains

                    No context

                    ASN

                    No context

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\model 800 DD.exe.log
                    Process: C:\Users\user\Desktop\model 800 DD.exe
                    File Type: ASCII text, with CRLF line terminators
                    Category: dropped
                    Size (bytes): 1216
                    Entropy (8bit): 5.355304211458859
                    Encrypted: false
                    SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                    MD5: FED34146BF2F2FA59DCF8702FCC8232E
                    SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                    SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                    SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                    Malicious: true
                    Reputation: high, very likely benign file
                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rmKknnU.exe.log
                    Process: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe
                    File Type: ASCII text, with CRLF line terminators
                    Category: dropped
                    Size (bytes): 1216
                    Entropy (8bit): 5.355304211458859
                    Encrypted: false
                    SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                    MD5: FED34146BF2F2FA59DCF8702FCC8232E
                    SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                    SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                    SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                    Malicious: false
                    Reputation: high, very likely benign file
                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                    C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe
                    Process: C:\Users\user\Desktop\model 800 DD.exe
                    File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category: dropped
                    Size (bytes): 1348608
                    Entropy (8bit): 7.538212963459183
                    Encrypted: false
                    SSDEEP: 24576:xKjE76DODfx8Dgyfx8DgJTs5SjywMd6s38Yx8FwDZyfL:EE76+58Dgy58DgJI5SjyEsMYFZ6
                    MD5: D7191BD9419CE60F57122E0A3B6D8449
                    SHA1: 7B847B776A23DFF9FA06429F7AB6BF05A27CF51C
                    SHA-256: BB422900A755E4AA68626B1451545A2E36E1ACF79D975AE6BDA7DA78313C3205
                    SHA-512: 92F48500661FCC1C54E949669A63E149B0AE57B7D8E7BFF5CAC5A92445E6D1FCCE7D16F319CF054DD376756EA317A53BCF7D79E8C9E679530919C4B0FAEF92B8
                    Malicious: true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: Virustotal, Detection: 36%
                    • Antivirus: ReversingLabs, Detection: 77%
                    Reputation: low
                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^..a..............P.............>.... ........@.. ....................................@.....................................O.......@............................................................................ ............... ..H............text...D.... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B................ .......H........0..........s.....................................................(....*&..(.....*.s.........s ........s!........s"........s#........*...0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0...........~....o'....+..*.0...........~....o(....+..*.0..<........~.....().....,!r...p.....(*...o+...s,............~.....+..*.0...........~.....+..*".......*.0..&........(....r1..p~....o-...(......t$....+..*...0..&........(....r7..p~....o-...(......
                    C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe:Zone.Identifier
                    Process: C:\Users\user\Desktop\model 800 DD.exe
                    File Type: ASCII text, with CRLF line terminators
                    Category: modified
                    Size (bytes): 26
                    Entropy (8bit): 3.95006375643621
                    Encrypted: false
                    SSDEEP: 3:ggPYV:rPYV
                    MD5: 187F488E27DB4AF347237FE461A079AD
                    SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
                    SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                    SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                    Malicious: true
                    Reputation: high, very likely benign file
                    Preview: [ZoneTransfer]....ZoneId=0

                    Static File Info

                    General

                    File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit): 7.538212963459183
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    • Win32 Executable (generic) a (10002005/4) 49.78%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    • DOS Executable Generic (2002/1) 0.01%
                    File name: model 800 DD.exe
                    File size: 1348608
                    MD5: d7191bd9419ce60f57122e0a3b6d8449
                    SHA1: 7b847b776a23dff9fa06429f7ab6bf05a27cf51c
                    SHA256: bb422900a755e4aa68626b1451545a2e36e1acf79d975ae6bda7da78313c3205
                    SHA512: 92f48500661fcc1c54e949669a63e149b0ae57b7d8e7bff5cac5a92445e6d1fcce7d16f319cf054dd376756ea317a53bcf7d79e8c9e679530919c4b0faef92b8
                    SSDEEP: 24576:xKjE76DODfx8Dgyfx8DgJTs5SjywMd6s38Yx8FwDZyfL:EE76+58Dgy58DgJI5SjyEsMYFZ6
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^..a..............P.............>.... ........@.. ....................................@................................

                    File Icon

                    Icon Hash: b07968fcd4ec7090

                    Static PE Info

                    General

                    Entrypoint: 0x53d73e
                    Entrypoint Section: .text
                    Digitally signed: false
                    Imagebase: 0x400000
                    Subsystem: windows gui
                    Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Time Stamp: 0x6108075E [Mon Aug 2 14:55:26 2021 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version: v4.0.30319
                    OS Version Major: 4
                    OS Version Minor: 0
                    File Version Major: 4
                    File Version Minor: 0
                    Subsystem Version Major: 4
                    Subsystem Version Minor: 0
                    Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                    Entrypoint Preview

                    Instruction
                    jmp dword ptr [00402000h]
                    add byte ptr [eax], al (repeated 97 times: the bytes following the jump stub are zeros, which decode to this instruction)

                    Data Directories

                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13d6ec | 0x4f | .text
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x13e000 | 0xd640 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14c000 | 0xc | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                    Sections

                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0x13b744 | 0x13b800 | False | 0.713922902635 | data | 7.57001311304 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    .rsrc | 0x13e000 | 0xd640 | 0xd800 | False | 0.708586516204 | data | 6.59878641909 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc | 0x14c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                    Resources

                    Name | RVA | Size | Type | Language | Country
                    RT_ICON | 0x13e200 | 0x2e8 | data | |
                    RT_ICON | 0x13e4f8 | 0x128 | GLS_BINARY_LSB_FIRST | |
                    RT_ICON | 0x13e630 | 0xea8 | data | |
                    RT_ICON | 0x13f4e8 | 0x8a8 | data | |
                    RT_ICON | 0x13fda0 | 0x568 | GLS_BINARY_LSB_FIRST | |
                    RT_ICON | 0x140318 | 0x7228 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                    RT_ICON | 0x147550 | 0x25a8 | data | |
                    RT_ICON | 0x149b08 | 0x10a8 | data | |
                    RT_ICON | 0x14abc0 | 0x468 | GLS_BINARY_LSB_FIRST | |
                    RT_GROUP_ICON | 0x14b038 | 0x84 | data | |
                    RT_VERSION | 0x14b0cc | 0x374 | data | |
                    RT_MANIFEST | 0x14b450 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                    Imports

                    DLL | Import
                    mscoree.dll | _CorExeMain

                    Version Infos

                    Description | Data
                    Translation | 0x0000 0x04b0
                    LegalCopyright | Copyright Casper College 2009
                    Assembly Version | 1.0.0.0
                    InternalName | StackBehavio.exe
                    FileVersion | 1.0.0.0
                    CompanyName | Casper College
                    LegalTrademarks |
                    Comments |
                    ProductName | pacman2008_01
                    ProductVersion | 1.0.0.0
                    FileDescription | pacman2008_01
                    OriginalFilename | StackBehavio.exe

                    Network Behavior

                    No network behavior found

                    Code Manipulations

                    Statistics

                    Behavior


                    System Behavior

                    General

                    Start time: 19:36:33
                    Start date: 03/08/2021
                    Path: C:\Users\user\Desktop\model 800 DD.exe
                    Wow64 process (32bit): true
                    Commandline: 'C:\Users\user\Desktop\model 800 DD.exe'
                    Imagebase: 0xd30000
                    File size: 1348608 bytes
                    MD5 hash: D7191BD9419CE60F57122E0A3B6D8449
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: .Net C# or VB.NET
                    Reputation: low

                    General

                    Start time: 19:36:53
                    Start date: 03/08/2021
                    Path: C:\Users\user\Desktop\model 800 DD.exe
                    Wow64 process (32bit): false
                    Commandline: C:\Users\user\Desktop\model 800 DD.exe
                    Imagebase: 0x310000
                    File size: 1348608 bytes
                    MD5 hash: D7191BD9419CE60F57122E0A3B6D8449
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: low

                    General

                    Start time: 19:36:54
                    Start date: 03/08/2021
                    Path: C:\Users\user\Desktop\model 800 DD.exe
                    Wow64 process (32bit): false
                    Commandline: C:\Users\user\Desktop\model 800 DD.exe
                    Imagebase: 0x3d0000
                    File size: 1348608 bytes
                    MD5 hash: D7191BD9419CE60F57122E0A3B6D8449
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: low

                    General

                    Start time: 19:36:55
                    Start date: 03/08/2021
                    Path: C:\Users\user\Desktop\model 800 DD.exe
                    Wow64 process (32bit): true
                    Commandline: C:\Users\user\Desktop\model 800 DD.exe
                    Imagebase: 0x760000
                    File size: 1348608 bytes
                    MD5 hash: D7191BD9419CE60F57122E0A3B6D8449
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: .Net C# or VB.NET
                    Yara matches:
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.500269130.0000000002C01000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.500269130.0000000002C01000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.495247778.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.495247778.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                    Reputation: low

                    General

                    Start time: 19:37:27
                    Start date: 03/08/2021
                    Path: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe
                    Wow64 process (32bit): true
                    Commandline: 'C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe'
                    Imagebase: 0x920000
                    File size: 1348608 bytes
                    MD5 hash: D7191BD9419CE60F57122E0A3B6D8449
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: .Net C# or VB.NET
                    Antivirus matches:
                    • Detection: 100%, Joe Sandbox ML
                    • Detection: 36%, Virustotal
                    • Detection: 77%, ReversingLabs
                    Reputation: low

                    General

                    Start time: 19:37:35
                    Start date: 03/08/2021
                    Path: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe
                    Wow64 process (32bit): true
                    Commandline: 'C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe'
                    Imagebase: 0x6c0000
                    File size: 1348608 bytes
                    MD5 hash: D7191BD9419CE60F57122E0A3B6D8449
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: .Net C# or VB.NET
                    Reputation: low

                    General

                    Start time: 19:37:57
                    Start date: 03/08/2021
                    Path: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe
                    Wow64 process (32bit): true
                    Commandline: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe
                    Imagebase: 0xaf0000
                    File size: 1348608 bytes
                    MD5 hash: D7191BD9419CE60F57122E0A3B6D8449
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: .Net C# or VB.NET
                    Yara matches:
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.495139244.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000016.00000002.495139244.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp, Author: Joe Security
                    Reputation: low

                    Disassembly

                    Code Analysis
