
Windows Analysis Report Sipari#U015f formu.exe

Overview

General Information

Sample Name: Sipari#U015f formu.exe ("#U015f" is the sandbox's escape for U+015F "ş", so the original file name is the Turkish "Sipariş formu", i.e. "Order form")
Analysis ID: 528524
MD5: 032bbfd4181a7cee029849db610a318b
SHA1: c99434f7f007f6f0f1317839cc7129db813d0750
SHA256: 9ae8f73164a7e8159a942f5c304cb55560f975ca943f00c2ef4f6dd489ce0656
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Sipari#U015f formu.exe (PID: 5356 cmdline: "C:\Users\user\Desktop\Sipari#U015f formu.exe" MD5: 032BBFD4181A7CEE029849DB610A318B)
    • Sipari#U015f formu.exe (PID: 5956 cmdline: C:\Users\user\Desktop\Sipari#U015f formu.exe MD5: 032BBFD4181A7CEE029849DB610A318B)
  • cleanup

The child (PID 5956) is the same executable relaunched by the parent. Together with the "Creates a process in suspended mode" signature and the AgentTesla Yara hits on the 0x400000 image region of the second process (process index 3 in the memory-dump and unpack names below), this is consistent with the parent acting as a loader that starts a hollow copy of itself and writes the decrypted AgentTesla payload into it.

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "-640017301", "Chat URL": "https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendDocument"}
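Both extracted configurations point at one Telegram bot: the "C2 url" (sendMessage) and the "Chat URL" (sendDocument) share the token 2124462934:AAGr-…, and the negative chat id is a group chat. The following Python is an added example, not part of this report or of any sandbox tooling: it pulls bot id, masked token, Bot API methods and chat id out of lines like the ones on this page (the sample list is copied from the report and labelled as such), so the indicators can go into a ticket or proxy rule without re-leaking the secret. Assumptions: the Bot API methods it recognises are a short hard-coded list, and the chat-id convention (positive = private chat, negative = group, "-100" prefix = supergroup/channel) is Telegram's documented behaviour.

```python
"""Extract Telegram bot C2/exfiltration indicators from sandbox strings.

Added example for this report; the regexes and method list are the author's
assumptions, not Joe Sandbox code.
"""
import re

# A bot token is "<numeric bot id>:<secret>" and the Bot API puts the whole
# token in the URL path, so any string that leaks the URL leaks the credential.
BOT_TOKEN_RE = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)"
    r"(?:/(?P<method>sendMessage|sendDocument|sendPhoto|getMe|getUpdates))?"
)
# Matches the "Chat id" key of the AgentTesla config JSON shown in the report.
CHAT_ID_RE = re.compile(r'"Chat id":\s*"(?P<chat_id>-?\d+)"')

# Sample input copied from this report (config JSON plus memory strings).
REPORT_STRINGS = [
    '{"C2 url": "https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendMessage"}',
    '{"Exfil Mode": "Telegram", "Chat id": "-640017301", "Chat URL": '
    '"https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendDocument"}',
    "https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/",
    "https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendDocumentdocument-----",
    "https://api.ipify.org%GETMozilla/5.0",
]


def mask_secret(secret: str, keep: int = 4) -> str:
    """Keep a short prefix for correlation, hide the rest of the credential."""
    return secret[:keep] + "*" * (len(secret) - keep)


def describe_chat(chat_id: str) -> str:
    """Telegram chat-id convention: sign and prefix tell the chat type."""
    if chat_id.startswith("-100"):
        return "supergroup/channel"
    if chat_id.startswith("-"):
        return "group"
    return "private chat"


def extract_telegram_iocs(lines) -> dict:
    """Collect bots, methods, chat ids and a secret-free match pattern."""
    bots, chat_ids = {}, set()
    for line in lines:
        for m in BOT_TOKEN_RE.finditer(line):
            bot = bots.setdefault(m["bot_id"], {
                "token_masked": mask_secret(m["secret"]),
                "secret_len": len(m["secret"]),
                "methods": set(),
            })
            if m["method"]:
                bot["methods"].add(m["method"])
        for m in CHAT_ID_RE.finditer(line):
            chat_ids.add(m["chat_id"])
    return {
        "bots": bots,
        "chats": {cid: describe_chat(cid) for cid in sorted(chat_ids)},
        # Stops at the colon on purpose: the bot id is enough to match the
        # URL path, and the secret never has to leave the analysis box.
        "block_patterns": [f"api.telegram.org/bot{bid}:" for bid in sorted(bots)],
    }


if __name__ == "__main__":
    for key, value in extract_telegram_iocs(REPORT_STRINGS).items():
        print(f"{key}: {value}")
```

The path pattern only matches where TLS is terminated or inspected; at DNS or SNI level all that is visible is api.telegram.org, which legitimate software also talks to, so blocking the host outright is a policy decision rather than a detection.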

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000003.00000000.656667714.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(18 entries in the full report; the first five are reproduced here. Assuming the field after the base address is the page protection, as in other reports of this kind, 0x40 is PAGE_EXECUTE_READWRITE: a normally mapped .NET image's code would be PAGE_EXECUTE_READ (0x20), so RWX at 0x402000 in the child fits a manually written-in image.)

            Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Sipari#U015f formu.exe.2d971c8.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
3.0.Sipari#U015f formu.exe.400000.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
3.0.Sipari#U015f formu.exe.400000.12.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
3.2.Sipari#U015f formu.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
3.2.Sipari#U015f formu.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(17 entries in the full report; the first five are reproduced here)

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 3.0.Sipari#U015f formu.exe.400000.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "-640017301", "Chat URL": "https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendDocument"}
Source: Sipari#U015f formu.exe.5356.0.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendMessage"}
Source: 3.0.Sipari#U015f formu.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.2.Sipari#U015f formu.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Sipari#U015f formu.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Sipari#U015f formu.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Sipari#U015f formu.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.Sipari#U015f formu.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: Sipari#U015f formu.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Sipari#U015f formu.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: http://nQZIDO.com
Source: Sipari#U015f formu.exe, 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp, Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Sipari#U015f formu.exe, 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp, Sipari#U015f formu.exe, 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp, Sipari#U015f formu.exe, 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot2124462934:AAGr-L06waDdFGpnKJz3_DCOFcJpWDQ7WIM/sendDocumentdocument-----
Source: Sipari#U015f formu.exe, 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp, Sipari#U015f formu.exe, 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp, Sipari#U015f formu.exe, 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Sipari#U015f formu.exe, 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

The api.ipify.org and Tor-bundle strings are recognisable AgentTesla traits: the stealer looks up the victim's public IP via api.ipify.org before reporting, and can fetch the Tor expert bundle (the %tordir% placeholder is its install-path template) for a Tor-based exfiltration route. Note that the Telegram token appears in the parent's heap (process 0) and in the child's 0x402000 region, i.e. it is present in both layers, not only in the final payload.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Sipari#U015f formu.exe (a WH_KEYBOARD_LL hook installed with thread id 0, i.e. system-wide keystroke capture)
Source: Sipari#U015f formu.exe, 00000000.00000002.658187478.0000000001228000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 3.0.Sipari#U015f formu.exe.400000.4.unpack, <PrivateImplementationDetails>{8A798CED-3CCB-454E-88B5-BAB811469A9C}/103172F1-A66F-4B76-A067-1A5E53DD2968.cs | Large array initialization: .cctor: array initializer size 11987
Source: 3.2.Sipari#U015f formu.exe.400000.0.unpack, <PrivateImplementationDetails>{8A798CED-3CCB-454E-88B5-BAB811469A9C}/103172F1-A66F-4B76-A067-1A5E53DD2968.cs | Large array initialization: .cctor: array initializer size 11987
Source: 3.0.Sipari#U015f formu.exe.400000.10.unpack, <PrivateImplementationDetails>{8A798CED-3CCB-454E-88B5-BAB811469A9C}/103172F1-A66F-4B76-A067-1A5E53DD2968.cs | Large array initialization: .cctor: array initializer size 11987
Source: 3.0.Sipari#U015f formu.exe.400000.12.unpack, <PrivateImplementationDetails>{8A798CED-3CCB-454E-88B5-BAB811469A9C}/103172F1-A66F-4B76-A067-1A5E53DD2968.cs | Large array initialization: .cctor: array initializer size 11987
Source: 3.0.Sipari#U015f formu.exe.400000.6.unpack, <PrivateImplementationDetails>{8A798CED-3CCB-454E-88B5-BAB811469A9C}/103172F1-A66F-4B76-A067-1A5E53DD2968.cs | Large array initialization: .cctor: array initializer size 11987
(<PrivateImplementationDetails> is the C# compiler's holder for static array initializer data; an 11987-byte initializer in a static constructor, next to the CreateDecryptor/TransformFinalBlock calls below and the Assembly.Load(byte[]) call under Data Obfuscation, is the usual shape of an embedded encrypted payload.)
Source: Sipari#U015f formu.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_00A85C24
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_02BC8250
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_02BCD2F8
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_055FF5D0
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_055F5AB0
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_055F5AA0
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00595C24
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CF6078
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CF5318
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CF2E70
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFD060
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFA902
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00DC5D98
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00DC1310
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00EB4960
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00EB4950
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00EBDF60
Source: Sipari#U015f formu.exe | Binary or memory string: OriginalFilename vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWgOeZtowfaTIOlypmkhHrWzxdUx.exe4 vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.660812533.0000000005DC0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWgOeZtowfaTIOlypmkhHrWzxdUx.exe4 vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.658187478.0000000001228000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000000.00000002.662053728.0000000006350000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWgOeZtowfaTIOlypmkhHrWzxdUx.exe4 vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000003.00000002.917015212.0000000000798000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe | Binary or memory string: OriginalFilenameHa.exe. vs Sipari#U015f formu.exe
(The on-disk file carries OriginalFilename "Ha.exe", matching the "/Ha;component/..." WPF resource names below; the OriginalFilename "WgOeZtowfaTIOlypmkhHrWzxdUx.exe" comes from the child's 0x402000 dump that Yara flags as AgentTesla, so it is the embedded payload's own version resource.)
Source: Sipari#U015f formu.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File read: C:\Users\user\Desktop\Sipari#U015f formu.exe:Zone.Identifier (reads its own Mark-of-the-Web stream)
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy lookup; the .NET runtime does this for every managed executable, so it is not evidence on its own)
Source: unknown | Process created: C:\Users\user\Desktop\Sipari#U015f formu.exe "C:\Users\user\Desktop\Sipari#U015f formu.exe"
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Process created: C:\Users\user\Desktop\Sipari#U015f formu.exe C:\Users\user\Desktop\Sipari#U015f formu.exe
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sipari#U015f formu.exe.log
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@3/2@0/0
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: Sipari#U015f formu.exe | String found in binary or memory: /Ha;component/views/addbook.xaml
Source: Sipari#U015f formu.exe | String found in binary or memory: views/addbook.baml
Source: Sipari#U015f formu.exe | String found in binary or memory: views/addcustomer.baml
Source: Sipari#U015f formu.exe | String found in binary or memory: /Ha;component/views/addcustomer.xaml
Source: Sipari#U015f formu.exe | String found in binary or memory: A/Ha;component/views/addbook.xamlW/Ha;component/views/borrowfrombookview.xamlM/Ha;component/views/borrowingview.xamlG/Ha;component/views/changebook.xamlO/Ha;component/views/changecustomer.xamlK/Ha;component/views/customerview.xamlO/Ha;component/views/deletecustomer.xamlE/Ha;component/views/errorview.xamlI/Ha;component/views/smallextras.xamlI/Ha;component/views/addcustomer.xaml
Source: Sipari#U015f formu.exe | String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
(These WPF resource names, together with the Biblan/Views/MainWindow namespace that hosts the Assembly.Load call under Data Obfuscation, show the outer layer is a book-lending / library-management application whose code was reused or trojanized as the loader.)
Source: 3.0.Sipari#U015f formu.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.Sipari#U015f formu.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.Sipari#U015f formu.exe.400000.10.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (the Outlook profile key under which account settings and stored mail credentials live; this is the evidence behind "Tries to steal Mail credentials")
Source: Sipari#U015f formu.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (a non-empty COM descriptor directory is what marks a PE as a .NET assembly)
Source: Sipari#U015f formu.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: Sipari#U015f formu.exe, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Sipari#U015f formu.exe.a80000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Sipari#U015f formu.exe.a80000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.1.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.5.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Sipari#U015f formu.exe.590000.1.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.13.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.3.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.7.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.9.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Sipari#U015f formu.exe.590000.2.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
(Assembly.Load(byte[]) loads a managed assembly straight from memory, with no file on disk; fed by the decrypted 11987-byte array this is the in-memory unpacking stage.)
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_00A89361 push ds; retf 0_2_00A89364
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_00A892F5 push ds; ret 0_2_00A89340
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_00A89347 push ds; ret 0_2_00A8934C
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 0_2_055F56E0 push esp; iretd 0_2_055F56E9
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00599347 push ds; ret 3_2_0059934C
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_005992F5 push ds; ret 3_2_00599340
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00599361 push ds; retf 3_2_00599364
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFA35B pushfd ; iretd 3_2_00CFA35E
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFA359 pushfd ; iretd 3_2_00CFA35A
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFA354 pushfd ; iretd 3_2_00CFA356
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFA360 pushfd ; iretd 3_2_00CFA362
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CF4778 push 00000041h; iretd 3_2_00CF477A
(In a managed process these push/ret and pushfd/iretd sequences at JIT-heap addresses are usually the product of linear-sweep disassembly over non-code bytes and carry little weight on their own; the entropy figure and the Assembly.Load chain are the substantive obfuscation evidence here.)
Source: initial sample | Static PE information: section name: .text entropy: 7.88235938246 (out of a maximum of 8; a code section this close to 8 is compressed or encrypted, not plain compiled code)
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Sipari#U015f formu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.2d971c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.2e25574.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Sipari#U015f formu.exe PID: 5356, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Sipari#U015f formu.exe, 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp, Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Sipari#U015f formu.exe, 00000000.00000002.658539650.0000000002D31000.00000004.00000001.sdmp, Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3240 | Thread sleep count: 591 > 30
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -239843s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3240 | Thread sleep count: 2085 > 30
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -239728s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 5404 | Thread sleep time: -30884s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -239624s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -239515s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -239405s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -239296s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -239187s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -239077s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -238968s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -238827s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -238718s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -238606s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -238390s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -237343s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -236750s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -236390s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 3152 | Thread sleep time: -236249s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 1296 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 7084 | Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 5408 | Thread sleep count: 865 > 30
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe TID: 5408 | Thread sleep count: 8996 > 30
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239843
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239728
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239624
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239515
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239405
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239296
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239187
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239077
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238968
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238827
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238718
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238606
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238390
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 237343
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 236750
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 236390
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 236249
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Window / User API: threadDelayed 591
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Window / User API: threadDelayed 2085
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Window / User API: threadDelayed 865
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Window / User API: threadDelayed 8996
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239843
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239728
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 30884
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239624
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239515
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239405
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239296
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239187
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 239077
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238968
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238827
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238718
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238606
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 238390
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 237343
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 236750
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 236390
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Thread delayed: delay time: 236249
Source: Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Sipari#U015f formu.exe, 00000000.00000002.658683577.0000000002DF5000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Code function: 3_2_00CFEDC8 LdrInitializeThunk,3_2_00CFEDC8
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Process created: C:\Users\user\Desktop\Sipari#U015f formu.exe C:\Users\user\Desktop\Sipari#U015f formu.exe
Source: Sipari#U015f formu.exe, 00000003.00000002.917663848.0000000001380000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: Sipari#U015f formu.exe, 00000003.00000002.917663848.0000000001380000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: Sipari#U015f formu.exe, 00000003.00000002.917663848.0000000001380000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: Sipari#U015f formu.exe, 00000003.00000002.917663848.0000000001380000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Users\user\Desktop\Sipari#U015f formu.exe VolumeInformation
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      Stealing of Sensitive Information:

Yara detected Telegram RAT
Source: Yara match | File source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Sipari#U015f formu.exe PID: 5356, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Sipari#U015f formu.exe PID: 5956, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Sipari#U015f formu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.3e2de80.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.3e63ea0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.3e63ea0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.3e2de80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.656667714.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.916854824.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.655483675.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Sipari#U015f formu.exe PID: 5356, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Sipari#U015f formu.exe PID: 5956, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Sipari#U015f formu.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Sipari#U015f formu.exe PID: 5956, type: MEMORYSTR

                      Remote Access Functionality:

Yara detected Telegram RAT
Source: Yara match | File source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Sipari#U015f formu.exe PID: 5356, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Sipari#U015f formu.exe PID: 5956, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Sipari#U015f formu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.3e2de80.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.3e63ea0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Sipari#U015f formu.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.3e63ea0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sipari#U015f formu.exe.3e2de80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.656174478.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.654836486.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.656667714.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.916854824.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.655483675.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.659041461.0000000003D3D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.918210853.0000000002A51000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Sipari#U015f formu.exe PID: 5356, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: Sipari#U015f formu.exe PID: 5956, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                      Execution: Windows Management Instrumentation [211]; Command and Scripting Interpreter [2]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
                      Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                      Privilege Escalation: Process Injection [12]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                      Defense Evasion: Masquerading [1]; File and Directory Permissions Modification [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [131]; Process Injection [12]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [13]
                      Credential Access: OS Credential Dumping [1]; Input Capture [111]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                      Discovery: Security Software Discovery [211]; Process Discovery [2]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; System Information Discovery [114]; System Owner/User Discovery; Network Sniffing; Network Service Scanning
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
                      Collection: Email Collection [1]; Input Capture [111]; Archive Collected Data [11]; Data from Local System [1]; Clipboard Data [1]; GUI Input Capture; Web Portal Capture; Credential API Hooking
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                      Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
                      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

                      Behavior Graph

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.