Edit tour

Windows Analysis Report
Technical information zip.exe

Overview

General Information

Sample Name:	Technical information zip.exe
Analysis ID:	680483
MD5:	ca033c84f5a37105d613c6961b724e97
SHA1:	23f023abfef70de9ee2c909fbef985254b2abe26
SHA256:	bfcb8ee096a65d7ec9201b67df585a7e715aaaa0aa2dcfec2e6ff208b3559498
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Snort IDS alert for network traffic

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

Technical information zip.exe (PID: 4828 cmdline: "C:\Users\user\Desktop\Technical information zip.exe" MD5: CA033C84F5A37105D613C6961B724E97)

Technical information zip.exe (PID: 6128 cmdline: C:\Users\user\Desktop\Technical information zip.exe MD5: CA033C84F5A37105D613C6961B724E97)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "sales@cabletraychina.com", "Password": "Jhdq2017#", "Host": "mail.cabletraychina.com"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Technical information zip.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x69c26:$a3: MailAccountConfiguration 0x9fe46:$a3: MailAccountConfiguration 0xd5e66:$a3: MailAccountConfiguration 0x69c3f:$a5: SmtpAccountConfiguration 0x9fe5f:$a5: SmtpAccountConfiguration 0xd5e7f:$a5: SmtpAccountConfiguration 0x69c06:$a8: set_BindingAccountConfiguration 0x9fe26:$a8: set_BindingAccountConfiguration 0xd5e46:$a8: set_BindingAccountConfiguration 0x68b66:$a11: get_securityProfile 0x9ed86:$a11: get_securityProfile 0xd4da6:$a11: get_securityProfile 0x68a07:$a12: get_useSeparateFolderTree 0x9ec27:$a12: get_useSeparateFolderTree 0xd4c47:$a12: get_useSeparateFolderTree 0x6a369:$a13: get_DnsResolver 0xa0589:$a13: get_DnsResolver 0xd65a9:$a13: get_DnsResolver 0x68e16:$a14: get_archivingScope 0x9f036:$a14: get_archivingScope 0xd5056:$a14: get_archivingScope
00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3108e:$a3: MailAccountConfiguration 0x310a7:$a5: SmtpAccountConfiguration 0x3106e:$a8: set_BindingAccountConfiguration 0x2ffce:$a11: get_securityProfile 0x2fe6f:$a12: get_useSeparateFolderTree 0x317d1:$a13: get_DnsResolver 0x3027e:$a14: get_archivingScope 0x300a6:$a15: get_providerName 0x327bc:$a17: get_priority 0x31d90:$a18: get_advancedParameters 0x311a8:$a19: get_disabledByRestriction 0x2fc45:$a20: get_LastAccessed 0x30318:$a21: get_avatarType 0x31ea7:$a22: get_signaturePresets 0x3094d:$a23: get_enableLog 0x30123:$a26: set_accountName 0x322f2:$a27: set_InternalServerPort 0x2f584:$a28: set_bindingConfigurationUID 0x31e6d:$a29: set_IdnAddress 0x32670:$a30: set_GuidMasterKey 0x3017e:$a31: set_username
00000000.00000002.304226940.0000000003620000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2fa64:$s10: logins 0x2fadc0:$s11: credential 0x1dfe:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x292b:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x1f1f:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Technical information zip.exe PID: 4828	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Technical information zip.exe PID: 4828	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Technical information zip.exe PID: 4828	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x35daf:$a3: MailAccountConfiguration 0x35dc8:$a5: SmtpAccountConfiguration 0x35d8f:$a8: set_BindingAccountConfiguration 0x34e7a:$a11: get_securityProfile 0x34d1e:$a12: get_useSeparateFolderTree 0x3644d:$a13: get_DnsResolver 0x35126:$a14: get_archivingScope 0x34f52:$a15: get_providerName 0x37319:$a17: get_priority 0x369dc:$a18: get_advancedParameters 0x35ec9:$a19: get_disabledByRestriction 0x34b26:$a20: get_LastAccessed 0x351c0:$a21: get_avatarType 0x36af3:$a22: get_signaturePresets 0x3579a:$a23: get_enableLog 0x34fcf:$a26: set_accountName 0x36f1d:$a27: set_InternalServerPort 0x348c7:$a28: set_bindingConfigurationUID 0x36ab9:$a29: set_IdnAddress 0x371d7:$a30: set_GuidMasterKey 0x3502a:$a31: set_username
Process Memory Space: Technical information zip.exe PID: 6128	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Technical information zip.exe PID: 6128	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Technical information zip.exe PID: 6128	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x20b94:$s1: get_kbok 0x21414:$s2: get_CHoo 0x21faf:$s3: set_passwordIsSet 0x20a40:$s4: get_enableLog 0x1fea3:$g1: get_Clipboard 0x1feb1:$g2: get_Keyboard 0x1febe:$g3: get_Password 0x212ee:$g4: get_CtrlKeyDown 0x212fe:$g5: get_ShiftKeyDown 0x2130f:$g6: get_AltKeyDown 0x5f39:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x8164:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x6a66:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x8c90:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x605a:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera 0x8285:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Process Memory Space: Technical information zip.exe PID: 6128	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x21055:$a3: MailAccountConfiguration 0x2106e:$a5: SmtpAccountConfiguration 0x21035:$a8: set_BindingAccountConfiguration 0x20120:$a11: get_securityProfile 0x1ffc4:$a12: get_useSeparateFolderTree 0x216f3:$a13: get_DnsResolver 0x203cc:$a14: get_archivingScope 0x201f8:$a15: get_providerName 0x225bf:$a17: get_priority 0x21c82:$a18: get_advancedParameters 0x2116f:$a19: get_disabledByRestriction 0x1fdcc:$a20: get_LastAccessed 0x20466:$a21: get_avatarType 0x21d99:$a22: get_signaturePresets 0x20a40:$a23: get_enableLog 0x20275:$a26: set_accountName 0x221c3:$a27: set_InternalServerPort 0x1fb6d:$a28: set_bindingConfigurationUID 0x21d5f:$a29: set_IdnAddress 0x2247d:$a30: set_GuidMasterKey 0x202d0:$a31: set_username
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Technical information zip.exe.4493998.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Technical information zip.exe.4493998.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Technical information zip.exe.4493998.7.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2ef49:$s1: get_kbok 0x2f87d:$s2: get_CHoo 0x304d8:$s3: set_passwordIsSet 0x2ed4d:$s4: get_enableLog 0x333f7:$s8: torbrowser 0x31dd3:$s10: logins 0x3174b:$s11: credential 0x2e133:$g1: get_Clipboard 0x2e141:$g2: get_Keyboard 0x2e14e:$g3: get_Password 0x2f72b:$g4: get_CtrlKeyDown 0x2f73b:$g5: get_ShiftKeyDown 0x2f74c:$g6: get_AltKeyDown
0.2.Technical information zip.exe.4493998.7.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2f48e:$a3: MailAccountConfiguration 0x2f4a7:$a5: SmtpAccountConfiguration 0x2f46e:$a8: set_BindingAccountConfiguration 0x2e3ce:$a11: get_securityProfile 0x2e26f:$a12: get_useSeparateFolderTree 0x2fbd1:$a13: get_DnsResolver 0x2e67e:$a14: get_archivingScope 0x2e4a6:$a15: get_providerName 0x30bbc:$a17: get_priority 0x30190:$a18: get_advancedParameters 0x2f5a8:$a19: get_disabledByRestriction 0x2e045:$a20: get_LastAccessed 0x2e718:$a21: get_avatarType 0x302a7:$a22: get_signaturePresets 0x2ed4d:$a23: get_enableLog 0x2e523:$a26: set_accountName 0x306f2:$a27: set_InternalServerPort 0x2d984:$a28: set_bindingConfigurationUID 0x3026d:$a29: set_IdnAddress 0x30a70:$a30: set_GuidMasterKey 0x2e57e:$a31: set_username
0.2.Technical information zip.exe.44c9bb8.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Technical information zip.exe.44c9bb8.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Technical information zip.exe.44c9bb8.8.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2ef49:$s1: get_kbok 0x2f87d:$s2: get_CHoo 0x304d8:$s3: set_passwordIsSet 0x2ed4d:$s4: get_enableLog 0x333f7:$s8: torbrowser 0x31dd3:$s10: logins 0x3174b:$s11: credential 0x2e133:$g1: get_Clipboard 0x2e141:$g2: get_Keyboard 0x2e14e:$g3: get_Password 0x2f72b:$g4: get_CtrlKeyDown 0x2f73b:$g5: get_ShiftKeyDown 0x2f74c:$g6: get_AltKeyDown
0.2.Technical information zip.exe.44c9bb8.8.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2f48e:$a3: MailAccountConfiguration 0x2f4a7:$a5: SmtpAccountConfiguration 0x2f46e:$a8: set_BindingAccountConfiguration 0x2e3ce:$a11: get_securityProfile 0x2e26f:$a12: get_useSeparateFolderTree 0x2fbd1:$a13: get_DnsResolver 0x2e67e:$a14: get_archivingScope 0x2e4a6:$a15: get_providerName 0x30bbc:$a17: get_priority 0x30190:$a18: get_advancedParameters 0x2f5a8:$a19: get_disabledByRestriction 0x2e045:$a20: get_LastAccessed 0x2e718:$a21: get_avatarType 0x302a7:$a22: get_signaturePresets 0x2ed4d:$a23: get_enableLog 0x2e523:$a26: set_accountName 0x306f2:$a27: set_InternalServerPort 0x2d984:$a28: set_bindingConfigurationUID 0x3026d:$a29: set_IdnAddress 0x30a70:$a30: set_GuidMasterKey 0x2e57e:$a31: set_username
6.0.Technical information zip.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.0.Technical information zip.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.0.Technical information zip.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.0.Technical information zip.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d49:$s1: get_kbok 0x3167d:$s2: get_CHoo 0x322d8:$s3: set_passwordIsSet 0x30b4d:$s4: get_enableLog 0x351f7:$s8: torbrowser 0x33bd3:$s10: logins 0x3354b:$s11: credential 0x2ff33:$g1: get_Clipboard 0x2ff41:$g2: get_Keyboard 0x2ff4e:$g3: get_Password 0x3152b:$g4: get_CtrlKeyDown 0x3153b:$g5: get_ShiftKeyDown 0x3154c:$g6: get_AltKeyDown
6.0.Technical information zip.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3128e:$a3: MailAccountConfiguration 0x312a7:$a5: SmtpAccountConfiguration 0x3126e:$a8: set_BindingAccountConfiguration 0x301ce:$a11: get_securityProfile 0x3006f:$a12: get_useSeparateFolderTree 0x319d1:$a13: get_DnsResolver 0x3047e:$a14: get_archivingScope 0x302a6:$a15: get_providerName 0x329bc:$a17: get_priority 0x31f90:$a18: get_advancedParameters 0x313a8:$a19: get_disabledByRestriction 0x2fe45:$a20: get_LastAccessed 0x30518:$a21: get_avatarType 0x320a7:$a22: get_signaturePresets 0x30b4d:$a23: get_enableLog 0x30323:$a26: set_accountName 0x324f2:$a27: set_InternalServerPort 0x2f784:$a28: set_bindingConfigurationUID 0x3206d:$a29: set_IdnAddress 0x32870:$a30: set_GuidMasterKey 0x3037e:$a31: set_username
0.0.Technical information zip.exe.ee0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Technical information zip.exe.44c9bb8.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Technical information zip.exe.44c9bb8.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Technical information zip.exe.44c9bb8.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Technical information zip.exe.44c9bb8.8.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d49:$s1: get_kbok 0x66d69:$s1: get_kbok 0x3167d:$s2: get_CHoo 0x6769d:$s2: get_CHoo 0x322d8:$s3: set_passwordIsSet 0x682f8:$s3: set_passwordIsSet 0x30b4d:$s4: get_enableLog 0x66b6d:$s4: get_enableLog 0x351f7:$s8: torbrowser 0x6b217:$s8: torbrowser 0x33bd3:$s10: logins 0x69bf3:$s10: logins 0x3354b:$s11: credential 0x6956b:$s11: credential 0x2ff33:$g1: get_Clipboard 0x65f53:$g1: get_Clipboard 0x2ff41:$g2: get_Keyboard 0x65f61:$g2: get_Keyboard 0x2ff4e:$g3: get_Password 0x65f6e:$g3: get_Password 0x3152b:$g4: get_CtrlKeyDown
0.2.Technical information zip.exe.44c9bb8.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x9c2df:$s1: file:/// 0x1116ff:$s1: file:/// 0x9c1ef:$s2: {11111-22222-10009-11112} 0x11160f:$s2: {11111-22222-10009-11112} 0x9c26f:$s3: {11111-22222-50001-00000} 0x11168f:$s3: {11111-22222-50001-00000} 0x99523:$s4: get_Module 0x10e943:$s4: get_Module 0x30606:$s5: Reverse 0x66626:$s5: Reverse 0x9999c:$s5: Reverse 0x10edbc:$s5: Reverse 0x3291f:$s6: BlockCopy 0x6893f:$s6: BlockCopy 0x9b9b1:$s6: BlockCopy 0x110dd1:$s6: BlockCopy 0x308a7:$s7: ReadByte 0x668c7:$s7: ReadByte 0x9c2f1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x111711:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.Technical information zip.exe.44c9bb8.8.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3128e:$a3: MailAccountConfiguration 0x672ae:$a3: MailAccountConfiguration 0x312a7:$a5: SmtpAccountConfiguration 0x672c7:$a5: SmtpAccountConfiguration 0x3126e:$a8: set_BindingAccountConfiguration 0x6728e:$a8: set_BindingAccountConfiguration 0x301ce:$a11: get_securityProfile 0x661ee:$a11: get_securityProfile 0x3006f:$a12: get_useSeparateFolderTree 0x6608f:$a12: get_useSeparateFolderTree 0x319d1:$a13: get_DnsResolver 0x679f1:$a13: get_DnsResolver 0x3047e:$a14: get_archivingScope 0x6649e:$a14: get_archivingScope 0x302a6:$a15: get_providerName 0x662c6:$a15: get_providerName 0x329bc:$a17: get_priority 0x689dc:$a17: get_priority 0x31f90:$a18: get_advancedParameters 0x67fb0:$a18: get_advancedParameters 0x313a8:$a19: get_disabledByRestriction
0.2.Technical information zip.exe.445b978.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Technical information zip.exe.445b978.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Technical information zip.exe.445b978.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Technical information zip.exe.445b978.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x68d69:$s1: get_kbok 0x9ef89:$s1: get_kbok 0xd4fa9:$s1: get_kbok 0x6969d:$s2: get_CHoo 0x9f8bd:$s2: get_CHoo 0xd58dd:$s2: get_CHoo 0x6a2f8:$s3: set_passwordIsSet 0xa0518:$s3: set_passwordIsSet 0xd6538:$s3: set_passwordIsSet 0x68b6d:$s4: get_enableLog 0x9ed8d:$s4: get_enableLog 0xd4dad:$s4: get_enableLog 0x6d217:$s8: torbrowser 0xa3437:$s8: torbrowser 0xd9457:$s8: torbrowser 0x6bbf3:$s10: logins 0xa1e13:$s10: logins 0xd7e33:$s10: logins 0x6b56b:$s11: credential 0xa178b:$s11: credential 0xd77ab:$s11: credential
0.2.Technical information zip.exe.445b978.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x10a51f:$s1: file:/// 0x17f93f:$s1: file:/// 0x10a42f:$s2: {11111-22222-10009-11112} 0x17f84f:$s2: {11111-22222-10009-11112} 0x10a4af:$s3: {11111-22222-50001-00000} 0x17f8cf:$s3: {11111-22222-50001-00000} 0x107763:$s4: get_Module 0x17cb83:$s4: get_Module 0x68626:$s5: Reverse 0x9e846:$s5: Reverse 0xd4866:$s5: Reverse 0x107bdc:$s5: Reverse 0x17cffc:$s5: Reverse 0x6a93f:$s6: BlockCopy 0xa0b5f:$s6: BlockCopy 0xd6b7f:$s6: BlockCopy 0x109bf1:$s6: BlockCopy 0x17f011:$s6: BlockCopy 0x688c7:$s7: ReadByte 0x9eae7:$s7: ReadByte 0xd4b07:$s7: ReadByte
0.2.Technical information zip.exe.445b978.6.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x692ae:$a3: MailAccountConfiguration 0x9f4ce:$a3: MailAccountConfiguration 0xd54ee:$a3: MailAccountConfiguration 0x692c7:$a5: SmtpAccountConfiguration 0x9f4e7:$a5: SmtpAccountConfiguration 0xd5507:$a5: SmtpAccountConfiguration 0x6928e:$a8: set_BindingAccountConfiguration 0x9f4ae:$a8: set_BindingAccountConfiguration 0xd54ce:$a8: set_BindingAccountConfiguration 0x681ee:$a11: get_securityProfile 0x9e40e:$a11: get_securityProfile 0xd442e:$a11: get_securityProfile 0x6808f:$a12: get_useSeparateFolderTree 0x9e2af:$a12: get_useSeparateFolderTree 0xd42cf:$a12: get_useSeparateFolderTree 0x699f1:$a13: get_DnsResolver 0x9fc11:$a13: get_DnsResolver 0xd5c31:$a13: get_DnsResolver 0x6849e:$a14: get_archivingScope 0x9e6be:$a14: get_archivingScope 0xd46de:$a14: get_archivingScope
0.2.Technical information zip.exe.4493998.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Technical information zip.exe.4493998.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Technical information zip.exe.4493998.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Technical information zip.exe.4493998.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d49:$s1: get_kbok 0x66f69:$s1: get_kbok 0x9cf89:$s1: get_kbok 0x3167d:$s2: get_CHoo 0x6789d:$s2: get_CHoo 0x9d8bd:$s2: get_CHoo 0x322d8:$s3: set_passwordIsSet 0x684f8:$s3: set_passwordIsSet 0x9e518:$s3: set_passwordIsSet 0x30b4d:$s4: get_enableLog 0x66d6d:$s4: get_enableLog 0x9cd8d:$s4: get_enableLog 0x351f7:$s8: torbrowser 0x6b417:$s8: torbrowser 0xa1437:$s8: torbrowser 0x33bd3:$s10: logins 0x69df3:$s10: logins 0x9fe13:$s10: logins 0x3354b:$s11: credential 0x6976b:$s11: credential 0x9f78b:$s11: credential
0.2.Technical information zip.exe.4493998.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xd24ff:$s1: file:/// 0x14791f:$s1: file:/// 0xd240f:$s2: {11111-22222-10009-11112} 0x14782f:$s2: {11111-22222-10009-11112} 0xd248f:$s3: {11111-22222-50001-00000} 0x1478af:$s3: {11111-22222-50001-00000} 0xcf743:$s4: get_Module 0x144b63:$s4: get_Module 0x30606:$s5: Reverse 0x66826:$s5: Reverse 0x9c846:$s5: Reverse 0xcfbbc:$s5: Reverse 0x144fdc:$s5: Reverse 0x3291f:$s6: BlockCopy 0x68b3f:$s6: BlockCopy 0x9eb5f:$s6: BlockCopy 0xd1bd1:$s6: BlockCopy 0x146ff1:$s6: BlockCopy 0x308a7:$s7: ReadByte 0x66ac7:$s7: ReadByte 0x9cae7:$s7: ReadByte
0.2.Technical information zip.exe.4493998.7.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3128e:$a3: MailAccountConfiguration 0x674ae:$a3: MailAccountConfiguration 0x9d4ce:$a3: MailAccountConfiguration 0x312a7:$a5: SmtpAccountConfiguration 0x674c7:$a5: SmtpAccountConfiguration 0x9d4e7:$a5: SmtpAccountConfiguration 0x3126e:$a8: set_BindingAccountConfiguration 0x6748e:$a8: set_BindingAccountConfiguration 0x9d4ae:$a8: set_BindingAccountConfiguration 0x301ce:$a11: get_securityProfile 0x663ee:$a11: get_securityProfile 0x9c40e:$a11: get_securityProfile 0x3006f:$a12: get_useSeparateFolderTree 0x6628f:$a12: get_useSeparateFolderTree 0x9c2af:$a12: get_useSeparateFolderTree 0x319d1:$a13: get_DnsResolver 0x67bf1:$a13: get_DnsResolver 0x9dc11:$a13: get_DnsResolver 0x3047e:$a14: get_archivingScope 0x6669e:$a14: get_archivingScope 0x9c6be:$a14: get_archivingScope
Click to see the 27 entries

Snort Signatures

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 162.215.255.143

Timestamp:	192.168.2.4162.215.255.143497805872840032 08/08/22-17:23:56.548969
SID:	2840032
Source Port:	49780
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/Agent Tesla SMTP Activity - Source IP: 192.168.2.4 - Destination IP: 162.215.255.143

Timestamp:	192.168.2.4162.215.255.143497805872839723 08/08/22-17:23:56.548892
SID:	2839723
Source Port:	49780
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 162.215.255.143

Timestamp:	192.168.2.4162.215.255.143497805872851779 08/08/22-17:23:56.548969
SID:	2851779
Source Port:	49780
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 162.215.255.143

Timestamp:	192.168.2.4162.215.255.143497805872030171 08/08/22-17:23:56.548892
SID:	2030171
Source Port:	49780
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: 6.0.Technical information zip.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 6.0.Technical information zip.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "sales@cabletraychina.com", "Password": "Jhdq2017#", "Host": "mail.cabletraychina.com"}

Source: Technical information zip.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Technical information zip.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49780 -> 162.215.255.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49780 -> 162.215.255.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49780 -> 162.215.255.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.4:49780 -> 162.215.255.143:587

Yara detected Generic Downloader

Source: Yara match	File source: Technical information zip.exe, type: SAMPLE
Source: Yara match	File source: 6.0.Technical information zip.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Technical information zip.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Technical information zip.exe.44c9bb8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Technical information zip.exe.445b978.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Technical information zip.exe.4493998.7.raw.unpack, type: UNPACKEDPE

Source: Technical information zip.exe, 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Technical information zip.exe, 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: Technical information zip.exe, 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://YXbeSX.com
Source: Technical information zip.exe	String found in binary or memory: http://boards.4chan.org/b/
Source: Technical information zip.exe	String found in binary or memory: http://boards.4chan.org3Retrieving
Source: Technical information zip.exe, 00000006.00000002.534958591.0000000003659000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cabletraychina.com
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Technical information zip.exe	String found in binary or memory: http://images.4chan.org/
Source: Technical information zip.exe, 00000006.00000002.534958591.0000000003659000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.cabletraychina.com
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Technical information zip.exe, 00000006.00000002.535012857.0000000003661000.00000004.00000800.00020000.00000000.sdmp, Technical information zip.exe, 00000006.00000002.534899990.000000000364F000.00000004.00000800.00020000.00000000.sdmp, Technical information zip.exe, 00000006.00000002.534929052.0000000003653000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://GQ0wtPGdRTxOSCfi6tDx.net
Source: Technical information zip.exe, 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp, Technical information zip.exe, 00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Technical information zip.exe, 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

DNS traffic detected: queries for: mail.cabletraychina.com

Source: Technical information zip.exe, 00000000.00000002.298204334.0000000001748000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Technical information zip.exe.4493998.7.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Technical information zip.exe.4493998.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.Technical information zip.exe.44c9bb8.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Technical information zip.exe.44c9bb8.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.0.Technical information zip.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.0.Technical information zip.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.Technical information zip.exe.44c9bb8.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Technical information zip.exe.44c9bb8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Technical information zip.exe.44c9bb8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.Technical information zip.exe.445b978.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Technical information zip.exe.445b978.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Technical information zip.exe.445b978.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.Technical information zip.exe.4493998.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Technical information zip.exe.4493998.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.Technical information zip.exe.4493998.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: Technical information zip.exe PID: 4828, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: Technical information zip.exe PID: 6128, type: MEMORYSTR	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: Technical information zip.exe PID: 6128, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 6.0.Technical information zip.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bAD45BFCAu002dFFC7u002d4A3Bu002dA103u002d50B83C31D5E4u007d/u00329B1881Bu002d2231u002d45D6u002dAF5Du002d402FCB22D10F.cs

Large array initialization: .cctor: array initializer size 11940

Source: Technical information zip.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Technical information zip.exe.4493998.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Technical information zip.exe.4493998.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.Technical information zip.exe.44c9bb8.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Technical information zip.exe.44c9bb8.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 6.0.Technical information zip.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.0.Technical information zip.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.Technical information zip.exe.44c9bb8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Technical information zip.exe.44c9bb8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Technical information zip.exe.44c9bb8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.Technical information zip.exe.445b978.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Technical information zip.exe.445b978.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Technical information zip.exe.445b978.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.Technical information zip.exe.4493998.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Technical information zip.exe.4493998.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.Technical information zip.exe.4493998.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: Technical information zip.exe PID: 4828, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: Technical information zip.exe PID: 6128, type: MEMORYSTR	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: Technical information zip.exe PID: 6128, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\Technical information zip.exe	Code function: 0_2_05793DC4	0_2_05793DC4
Source: C:\Users\user\Desktop\Technical information zip.exe	Code function: 0_2_05798458	0_2_05798458
Source: C:\Users\user\Desktop\Technical information zip.exe	Code function: 6_2_031246A0	6_2_031246A0
Source: C:\Users\user\Desktop\Technical information zip.exe	Code function: 6_2_03124690	6_2_03124690
Source: C:\Users\user\Desktop\Technical information zip.exe	Code function: 6_2_0312DA00	6_2_0312DA00

Source: Technical information zip.exe, 00000000.00000002.311102033.0000000007A80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs Technical information zip.exe
Source: Technical information zip.exe, 00000000.00000003.276120039.00000000078E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs Technical information zip.exe
Source: Technical information zip.exe, 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamezznbyWxpDWxUCOhKNmqQnkhPaGcZHEXDqEsKkZ.exe4 vs Technical information zip.exe
Source: Technical information zip.exe, 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs Technical information zip.exe
Source: Technical information zip.exe, 00000000.00000002.300920210.0000000003413000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs Technical information zip.exe
Source: Technical information zip.exe, 00000000.00000000.252119494.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSharedL.exe: vs Technical information zip.exe
Source: Technical information zip.exe, 00000000.00000002.311262906.0000000007AB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs Technical information zip.exe
Source: Technical information zip.exe, 00000000.00000002.298204334.0000000001748000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Technical information zip.exe
Source: Technical information zip.exe, 00000000.00000002.311693868.0000000007C50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs Technical information zip.exe
Source: Technical information zip.exe, 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamezznbyWxpDWxUCOhKNmqQnkhPaGcZHEXDqEsKkZ.exe4 vs Technical information zip.exe
Source: Technical information zip.exe, 00000006.00000000.294305896.0000000000438000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamezznbyWxpDWxUCOhKNmqQnkhPaGcZHEXDqEsKkZ.exe4 vs Technical information zip.exe
Source: Technical information zip.exe	Binary or memory string: OriginalFilenameSharedL.exe: vs Technical information zip.exe

Source: Technical information zip.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Technical information zip.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Technical information zip.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Technical information zip.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Technical information zip.exe "C:\Users\user\Desktop\Technical information zip.exe"
Source: C:\Users\user\Desktop\Technical information zip.exe	Process created: C:\Users\user\Desktop\Technical information zip.exe C:\Users\user\Desktop\Technical information zip.exe
Source: C:\Users\user\Desktop\Technical information zip.exe	Process created: C:\Users\user\Desktop\Technical information zip.exe C:\Users\user\Desktop\Technical information zip.exe	Jump to behavior

Source: C:\Users\user\Desktop\Technical information zip.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Technical information zip.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Technical information zip.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Technical information zip.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/0

Source: Technical information zip.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Technical information zip.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: Technical information zip.exe, Scraper/Archiving/Zip/Compression/Streams/InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: Technical information zip.exe, Scraper/Archiving/Zip/Compression/Streams/InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: Technical information zip.exe, Scraper/Archiving/Zip/Compression/Streams/DeflaterOutputStream.cs	Cryptographic APIs: 'TransformBlock'
Source: Technical information zip.exe, Scraper/frmMain.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.Technical information zip.exe.ee0000.0.unpack, Scraper/Archiving/Zip/Compression/Streams/DeflaterOutputStream.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.0.Technical information zip.exe.ee0000.0.unpack, Scraper/Archiving/Zip/Compression/Streams/InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.0.Technical information zip.exe.ee0000.0.unpack, Scraper/Archiving/Zip/Compression/Streams/InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.0.Technical information zip.exe.ee0000.0.unpack, Scraper/frmMain.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.Technical information zip.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.Technical information zip.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\Technical information zip.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Technical information zip.exe

Static file information: File size 1343488 > 1048576

Source: Technical information zip.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Technical information zip.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Technical information zip.exe, Scraper/frmMain.cs	.Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Technical information zip.exe.ee0000.0.unpack, Scraper/frmMain.cs	.Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: initial sample

Static PE information: section name: .text entropy: 7.613311750792489

Source: C:\Users\user\Desktop\Technical information zip.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.304226940.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Technical information zip.exe PID: 4828, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Technical information zip.exe, 00000000.00000002.304226940.0000000003620000.00000004.00000800.00020000.00000000.sdmp, Technical information zip.exe, 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Technical information zip.exe, 00000000.00000002.304226940.0000000003620000.00000004.00000800.00020000.00000000.sdmp, Technical information zip.exe, 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Technical information zip.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Technical information zip.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Technical information zip.exe TID: 1400	Thread sleep time: -45877s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe TID: 5596	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe TID: 4776	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe TID: 6072	Thread sleep count: 9844 > 30	Jump to behavior

Source: C:\Users\user\Desktop\Technical information zip.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\Technical information zip.exe

Window / User API: threadDelayed 9844

Jump to behavior

Source: C:\Users\user\Desktop\Technical information zip.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Technical information zip.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Technical information zip.exe	Thread delayed: delay time: 45877	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Technical information zip.exe, 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Technical information zip.exe, 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Technical information zip.exe, 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Technical information zip.exe, 00000006.00000002.525531534.00000000015C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Technical information zip.exe, 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Technical information zip.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Technical information zip.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Technical information zip.exe

Memory written: C:\Users\user\Desktop\Technical information zip.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Technical information zip.exe

Process created: C:\Users\user\Desktop\Technical information zip.exe C:\Users\user\Desktop\Technical information zip.exe

Jump to behavior

Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Users\user\Desktop\Technical information zip.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Users\user\Desktop\Technical information zip.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Technical information zip.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Technical information zip.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Technical information zip.exe.4493998.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Technical information zip.exe.44c9bb8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.Technical information zip.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Technical information zip.exe.44c9bb8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Technical information zip.exe.445b978.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Technical information zip.exe.4493998.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Technical information zip.exe PID: 4828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Technical information zip.exe PID: 6128, type: MEMORYSTR

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Technical information zip.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Technical information zip.exe

File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: Yara match	File source: 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Technical information zip.exe PID: 6128, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Technical information zip.exe.4493998.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Technical information zip.exe.44c9bb8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.Technical information zip.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Technical information zip.exe.44c9bb8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Technical information zip.exe.445b978.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Technical information zip.exe.4493998.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Technical information zip.exe PID: 4828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Technical information zip.exe PID: 6128, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	111 Process Injection	1 Masquerading	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Input Capture	211 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	13 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Technical information zip.exe	10%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.0.Technical information zip.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
https://GQ0wtPGdRTxOSCfi6tDx.net	0%	Avira URL Cloud	safe
http://cabletraychina.com	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://YXbeSX.com	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://boards.4chan.org3Retrieving	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://mail.cabletraychina.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cabletraychina.com	162.215.255.143	true	true		unknown
mail.cabletraychina.com	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	Technical information zip.exe, 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://DynDns.comDynDNS	Technical information zip.exe, 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	Technical information zip.exe, 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://boards.4chan.org/b/	Technical information zip.exe	false		high
http://www.fontbureau.com/designers?	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://GQ0wtPGdRTxOSCfi6tDx.net	Technical information zip.exe, 00000006.00000002.535012857.0000000003661000.00000004.00000800.00020000.00000000.sdmp, Technical information zip.exe, 00000006.00000002.534899990.000000000364F000.00000004.00000800.00020000.00000000.sdmp, Technical information zip.exe, 00000006.00000002.534929052.0000000003653000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cabletraychina.com	Technical information zip.exe, 00000006.00000002.534958591.0000000003659000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://YXbeSX.com	Technical information zip.exe, 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://boards.4chan.org3Retrieving	Technical information zip.exe	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://images.4chan.org/	Technical information zip.exe	false		high
http://www.urwpp.deDPlease	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Technical information zip.exe, 00000000.00000002.309109555.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	Technical information zip.exe, 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp, Technical information zip.exe, 00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.cabletraychina.com	Technical information zip.exe, 00000006.00000002.534958591.0000000003659000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	680483
Start date and time: 08/08/202217:20:35	2022-08-08 17:20:35 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Technical information zip.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 97% Number of executed functions: 32 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.152.110.14, 20.54.89.106, 40.125.122.176, 20.223.24.244, 52.242.101.226
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, e12564.dspb.akamaiedge.net, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:21:59	API Interceptor	607x Sleep call for process: Technical information zip.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

Process:	C:\Users\user\Desktop\Technical information zip.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.803329289885253
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Technical information zip.exe
File size:	1343488
MD5:	ca033c84f5a37105d613c6961b724e97
SHA1:	23f023abfef70de9ee2c909fbef985254b2abe26
SHA256:	bfcb8ee096a65d7ec9201b67df585a7e715aaaa0aa2dcfec2e6ff208b3559498
SHA512:	24efc400092f7fa258e68b2326ad9e075643aa007b7c2de0d50fa0379821e0ea797d2ed771687193e1bc0c3ebd486e59a627743d3094640af859f3e6e47383e2
SSDEEP:	24576:VmZs7cDzhEUKK1j2iU3AMYnC1e9IbUDHDl:Vm67c3xXfU3RYn07U
TLSH:	8A559E17AFA076C8F4B75BB9DC1F68D043F5EC09616AD2692E5078BA1FBA301D401E27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c.b..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	f0f0ccd6d4c4f0e8

Static PE Info

General

Entrypoint:	0x4edb02
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62F06317 [Mon Aug 8 01:12:55 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
mov bh, 1Dh
rol dword ptr [esi+ebp*2], 3Bh
or byte ptr [ecx], FFFFFFD9h
inc ebx
or eax, 130476DCh
imul ebp, dword ptr [ebx-3Bh], 17h
mov dl, 4Dh
xchg byte ptr [edx], bl
add eax, B81E4750h
in eax, dx
or byte ptr [esi], ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xedab0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf0000	0x5ab5c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xece80	0xed000	False	0.747269127439346	data	7.613311750792489	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf0000	0x5ab5c	0x5ac00	False	0.0600330363292011	data	2.6135874634094827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14c000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xf0208	0x42028	data
RT_ICON	0x132230	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x132698	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0x134c40	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0x135ce8	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x146510	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0x14a738	0x5a	data
RT_GROUP_ICON	0x14a794	0x3e	data
RT_VERSION	0x14a7d4	0x388	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.4162.215.255.143497805872840032 08/08/22-17:23:56.548969	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49780	587	192.168.2.4	162.215.255.143
192.168.2.4162.215.255.143497805872839723 08/08/22-17:23:56.548892	TCP	2839723	ETPRO TROJAN Win32/Agent Tesla SMTP Activity	49780	587	192.168.2.4	162.215.255.143
192.168.2.4162.215.255.143497805872851779 08/08/22-17:23:56.548969	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49780	587	192.168.2.4	162.215.255.143
192.168.2.4162.215.255.143497805872030171 08/08/22-17:23:56.548892	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49780	587	192.168.2.4	162.215.255.143

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 17:23:54.512552977 CEST	60647	53	192.168.2.4	8.8.8.8
Aug 8, 2022 17:23:54.689174891 CEST	53	60647	8.8.8.8	192.168.2.4
Aug 8, 2022 17:23:54.692245960 CEST	64909	53	192.168.2.4	8.8.8.8
Aug 8, 2022 17:23:54.860028028 CEST	53	64909	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 8, 2022 17:23:54.512552977 CEST	192.168.2.4	8.8.8.8	0xebe9	Standard query (0)	mail.cabletraychina.com	A (IP address)	IN (0x0001)
Aug 8, 2022 17:23:54.692245960 CEST	192.168.2.4	8.8.8.8	0x8e2a	Standard query (0)	mail.cabletraychina.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 8, 2022 17:23:54.689174891 CEST	8.8.8.8	192.168.2.4	0xebe9	No error (0)	mail.cabletraychina.com	cabletraychina.com		CNAME (Canonical name)	IN (0x0001)
Aug 8, 2022 17:23:54.689174891 CEST	8.8.8.8	192.168.2.4	0xebe9	No error (0)	cabletraychina.com		162.215.255.143	A (IP address)	IN (0x0001)
Aug 8, 2022 17:23:54.860028028 CEST	8.8.8.8	192.168.2.4	0x8e2a	No error (0)	mail.cabletraychina.com	cabletraychina.com		CNAME (Canonical name)	IN (0x0001)
Aug 8, 2022 17:23:54.860028028 CEST	8.8.8.8	192.168.2.4	0x8e2a	No error (0)	cabletraychina.com		162.215.255.143	A (IP address)	IN (0x0001)

Target ID:	0
Start time:	17:21:46
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\Technical information zip.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Technical information zip.exe"
Imagebase:	0xee0000
File size:	1343488 bytes
MD5 hash:	CA033C84F5A37105D613C6961B724E97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.305256005.000000000445B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.304226940.0000000003620000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.299934426.00000000033AB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	6
Start time:	17:22:05
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\Technical information zip.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Technical information zip.exe
Imagebase:	0xed0000
File size:	1343488 bytes
MD5 hash:	CA033C84F5A37105D613C6961B724E97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000006.00000000.293840755.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000006.00000002.527868401.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	31
Total number of Limit Nodes:	2

Executed Functions

Function 05793DC4 Relevance: .7, Instructions: 668
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.307328761.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_Technical information zip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb534481214a6eb9dff560653d1e7ea79f082f6b9d4dbff44088e946f9b343c0
Instruction ID: 913dc605b119360fdc7f47812136477304ea421b6a219669ba0e83099e704b42
Opcode Fuzzy Hash: fb534481214a6eb9dff560653d1e7ea79f082f6b9d4dbff44088e946f9b343c0
Instruction Fuzzy Hash: 2662FB34A00219CFCB54DBA4C994BEDB7B2FF89304F2085A9D40AAB354DB35AD89DF51

Uniqueness

Uniqueness Score: -1.00%

Function 05798458 Relevance: .7, Instructions: 661
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.307328761.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_Technical information zip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690045e94acda1aba85bb3d0a5524c4ebfe670ce472cfe855a6cdef31a08a1b9
Instruction ID: 98dc7119ddb002b15e22f22b1d1fb76879ad5af9bde08389dbc6d98373be06b6
Opcode Fuzzy Hash: 690045e94acda1aba85bb3d0a5524c4ebfe670ce472cfe855a6cdef31a08a1b9
Instruction Fuzzy Hash: DE62EB34A00219CFCB54DBA4C994BEDB7B2FF89304F1085A9D40AAB354DB35AE89DF51

Uniqueness

Uniqueness Score: -1.00%

Function 05793F84 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 057955C9

Memory Dump Source

Source File: 00000000.00000002.307328761.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_Technical information zip.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 956a91b5ffa2fea1be1be83987bd576ad0609d060e96a0198371515960c505ec
Instruction ID: 871f0ae3777a10ffd4cbec0c7f5d16585dd41c6e19ca9a5a161e69e6a5330e9f
Opcode Fuzzy Hash: 956a91b5ffa2fea1be1be83987bd576ad0609d060e96a0198371515960c505ec
Instruction Fuzzy Hash: CA41D271C0066CCBDF24DFAAC984BDDBBB6BF48304F208069D409AB251DB756949CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0579550C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 057955C9

Memory Dump Source

Source File: 00000000.00000002.307328761.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_Technical information zip.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 029f74f7de15927e1ff8df9f0cdcdcd8e2c3c678cf28833eea2a4cfc8bf64028
Instruction ID: 6e08e308d159512b5bd94f1c27eb8a9e946e12cddca619a5fa1e075f3f2eb4e1
Opcode Fuzzy Hash: 029f74f7de15927e1ff8df9f0cdcdcd8e2c3c678cf28833eea2a4cfc8bf64028
Instruction Fuzzy Hash: 0F41D071C00668CBDB24CFAAC985BDEBBB5BF48304F248169D409BB251DB756949CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0579BEE0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0579DF5E,?,?,?,?,?), ref: 0579E01F

Memory Dump Source

Source File: 00000000.00000002.307328761.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_Technical information zip.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c7c1d710c0bff69315b0601b1e26eb29778032bc2e8793dba20bda051a6b7717
Instruction ID: 8f74300500fd1957ec76512e0e91304a4975f6292115b6f068ff871e898abd38
Opcode Fuzzy Hash: c7c1d710c0bff69315b0601b1e26eb29778032bc2e8793dba20bda051a6b7717
Instruction Fuzzy Hash: FB21E3B5D00209AFDF10CF9AD984AEEBBF9EB48320F14841AE914A7710D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0579BB58 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0579C031,00000800,00000000,00000000), ref: 0579C242

Memory Dump Source

Source File: 00000000.00000002.307328761.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_Technical information zip.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8a614ef3c825fa7a787f88e778b2b6a9a6290d03096befec048edfe35a188a46
Instruction ID: 06e3f1cb2be42976880ddc46f481699fb727c7d0f88a0c6cd985c52bbfb8aea0
Opcode Fuzzy Hash: 8a614ef3c825fa7a787f88e778b2b6a9a6290d03096befec048edfe35a188a46
Instruction Fuzzy Hash: 051114B69002499FDF14CF9AD444BDEFBF8EB48320F04842AE915A7710C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0579BF50 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0579BFB6

Memory Dump Source

Source File: 00000000.00000002.307328761.0000000005790000.00000040.00000800.00020000.00000000.sdmp, Offset: 05790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5790000_Technical information zip.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 24fdf8e84a53507ad340d3cc6fe8697d14e844488b7700b41ae1849864cb7f00
Instruction ID: 417350b0fde8896d943bda4e8514af76101f653e5d18cd8f7cd5033e4f51237e
Opcode Fuzzy Hash: 24fdf8e84a53507ad340d3cc6fe8697d14e844488b7700b41ae1849864cb7f00
Instruction Fuzzy Hash: 5811DFB6D042498FCB14CF9AE444BDEFBF5AB88224F14842AD429B7710C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015DD400 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.297351637.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15dd000_Technical information zip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11927c4e47cfad7f61b79f1967f72d1178fd36710313d697605969ef0074921c
Instruction ID: 0d3ad9af5b803b789a9f00be07a70aaa598dfa01763186d657a00b0a6eb9f35f
Opcode Fuzzy Hash: 11927c4e47cfad7f61b79f1967f72d1178fd36710313d697605969ef0074921c
Instruction Fuzzy Hash: 4D21F472504240DFDB25DF58D9C0B9ABFB5FB84324F24C569D8050F686C37AE846C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 015DD4EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.297351637.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15dd000_Technical information zip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc83501dc99375757d260ec97355aa4d3f25810d83cf4f83fb3b26eef458a2f
Instruction ID: 9ca5156bfacae36e9f59c25ef8ad5329a89e5d680c7a73525fdf30bdec793db6
Opcode Fuzzy Hash: 8cc83501dc99375757d260ec97355aa4d3f25810d83cf4f83fb3b26eef458a2f
Instruction Fuzzy Hash: 502128B1504240EFDB21DF98D9C0B6ABFB5FB88328F648969D8050F687C336D855CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 015ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.297422844.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15ed000_Technical information zip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef426f02d63b73b4d0e2aa527cff612f8d8dd4580199b86f8041e49af23e720
Instruction ID: 5c90b12d2defad529e6d75273ac622d398f75aeeb68e9c0c3387d341c79e83c0
Opcode Fuzzy Hash: fef426f02d63b73b4d0e2aa527cff612f8d8dd4580199b86f8041e49af23e720
Instruction Fuzzy Hash: 6321FF75A042409FDB19CF54D8C8B2ABFF1FB84264F28C969D8094F646D33AD806CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 015ED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.297422844.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15ed000_Technical information zip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53cf5f0e361b44357f0e540892ae43f092cf327c783e5927d3e9bd85bffd73db
Instruction ID: 5820348888a1488ee1e405c0a2d0922839f057f72acf19f0900316db1f359293
Opcode Fuzzy Hash: 53cf5f0e361b44357f0e540892ae43f092cf327c783e5927d3e9bd85bffd73db
Instruction Fuzzy Hash: BD210375904240EFDB09CF54D9C4B2ABBF1FB84224F20CAA9D8094F642C33AD806CA61

Uniqueness

Uniqueness Score: -1.00%

Function 015ED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.297422844.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15ed000_Technical information zip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1143de718383b7f365e11a37391d10965a4d4cf82d784cead8f596539e39980d
Instruction ID: 507c0bc1eaf75739c601ef955c5d7ddbca42379d28c0b92be70c5576c9100662
Opcode Fuzzy Hash: 1143de718383b7f365e11a37391d10965a4d4cf82d784cead8f596539e39980d
Instruction Fuzzy Hash: F4218E755093808FCB06CF24D994B15BFB1FB46214F28C5EAD8498F667C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 015DD3FB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.297351637.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15dd000_Technical information zip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a914f4b93efc25090f91832e2dda59b37c651b77dec01b5b456fcbaac91247
Instruction ID: 8b1a45a8e88b40751142cac568ec1d45829faa98fa865bedb984a73cfbcb2e12
Opcode Fuzzy Hash: 48a914f4b93efc25090f91832e2dda59b37c651b77dec01b5b456fcbaac91247
Instruction Fuzzy Hash: F011B176404280CFCB12CF58D9C4B5ABF71FB84324F24C6A9D8040B657C37AE456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 015DD4E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.297351637.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15dd000_Technical information zip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a914f4b93efc25090f91832e2dda59b37c651b77dec01b5b456fcbaac91247
Instruction ID: 7bc98a4e2ca5ea695c512167cf14dafd7f085b495d98af3a1b6a0f5f5ced9faa
Opcode Fuzzy Hash: 48a914f4b93efc25090f91832e2dda59b37c651b77dec01b5b456fcbaac91247
Instruction Fuzzy Hash: 9811B176404280CFCB12CF58D9C4B1ABF72FB88324F24C6A9D8054B657C33AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 015ED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.297422844.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15ed000_Technical information zip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e43bc81a3ff9705b917d63333e3be4ed1b9938392dd5ea36af53da639c8dcacc
Instruction ID: 9044518eb4ad6309168eaa23dfcca812aeb6f4d157a37038f8c6367281019455
Opcode Fuzzy Hash: e43bc81a3ff9705b917d63333e3be4ed1b9938392dd5ea36af53da639c8dcacc
Instruction Fuzzy Hash: 9C118B75904280DFDB16CF54D5C4B19FFB1FB84224F28C6AAD8494B656C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 015DD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.297351637.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15dd000_Technical information zip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ad4ba6ea33db359071fb8519c751616639ea2be117be8abdfe83bcc1454317
Instruction ID: 648665d4ee5c11b7840a3c0fd15309beeb3e2ef9e3610951661eba7661ef758e
Opcode Fuzzy Hash: 22ad4ba6ea33db359071fb8519c751616639ea2be117be8abdfe83bcc1454317
Instruction Fuzzy Hash: E601D832508384AAE7204B59CC84766FBE8FF41224F09849AE9084E787C7799844C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 015DD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.297351637.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15dd000_Technical information zip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1188133e7ebdafaa95b633e6b961cb01b678a7f9a74ec76995611e111bb2bc15
Instruction ID: 48fa3ee5c4c5c8e1f61b85a1843def6eaedf90a52af92dcfc062c9010b0b2e8a
Opcode Fuzzy Hash: 1188133e7ebdafaa95b633e6b961cb01b678a7f9a74ec76995611e111bb2bc15
Instruction Fuzzy Hash: 64F06272404384AEE7218A59DC84B66FFA8EF41675F18C45AED085F787C379A844CBB1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Technical information zip.exePID: 6128, Parent PID: 4828COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	86
Total number of Limit Nodes:	5

Executed Functions

Function 0312691F Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 031269A0
GetCurrentThread.KERNEL32 ref: 031269DD
GetCurrentProcess.KERNEL32 ref: 03126A1A
GetCurrentThreadId.KERNEL32 ref: 03126A73

Strings

f"zS, xrefs: 0312695C

Memory Dump Source

Source File: 00000006.00000002.526751243.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3120000_Technical information zip.jbxd

Similarity

API ID: Current$ProcessThread
String ID: f"zS
API String ID: 2063062207-594703487
Opcode ID: 1b98369a9392a7d53040421893a0e385387e6d77cef9043ffbfb34b319699888
Instruction ID: b66e5e08292a9c561cd30df20915340ac7e3d5c3ce683518024a957b891c5963
Opcode Fuzzy Hash: 1b98369a9392a7d53040421893a0e385387e6d77cef9043ffbfb34b319699888
Instruction Fuzzy Hash: 8D5166B4A002498FDB10DFAADA897DEBFF1EF49304F24815AD009A77A0D7749884CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03126940 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 031269A0
GetCurrentThread.KERNEL32 ref: 031269DD
GetCurrentProcess.KERNEL32 ref: 03126A1A
GetCurrentThreadId.KERNEL32 ref: 03126A73

Strings

f"zS, xrefs: 0312695C

Memory Dump Source

Source File: 00000006.00000002.526751243.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3120000_Technical information zip.jbxd

Similarity

API ID: Current$ProcessThread
String ID: f"zS
API String ID: 2063062207-594703487
Opcode ID: 2f2773874f49da64f611e517695bafd83f8537ade951df915ec5470fccd9466b
Instruction ID: f4ecc8d2a725f07d02adce651e39f5b792102469dab3de73a39781c92bdad31c
Opcode Fuzzy Hash: 2f2773874f49da64f611e517695bafd83f8537ade951df915ec5470fccd9466b
Instruction Fuzzy Hash: 725154B4A002498FDB10DFAAD649BEEBBF1EB48304F208059E419A77A0D7749884CB65

Uniqueness

Uniqueness Score: -1.00%

Function 03125084 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 031251A2

Strings

f"zS, xrefs: 031250BE
f"zS, xrefs: 031250DE

Memory Dump Source

Source File: 00000006.00000002.526751243.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3120000_Technical information zip.jbxd

Similarity

API ID: CreateWindow
String ID: f"zS$f"zS
API String ID: 716092398-2253807152
Opcode ID: 129fd4182a9b01e28fc184e554f6b41939937d17b52317ae87c063a412569274
Instruction ID: 62f7c0af5d322127048794ef7525bb07078d62be161b541250de27ab0614003d
Opcode Fuzzy Hash: 129fd4182a9b01e28fc184e554f6b41939937d17b52317ae87c063a412569274
Instruction Fuzzy Hash: CD51C1B1D102199FDB14CFA9C984ADEFFB6FF48314F24822AE815AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03125090 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 031251A2

Strings

f"zS, xrefs: 031250BE
f"zS, xrefs: 031250DE

Memory Dump Source

Source File: 00000006.00000002.526751243.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3120000_Technical information zip.jbxd

Similarity

API ID: CreateWindow
String ID: f"zS$f"zS
API String ID: 716092398-2253807152
Opcode ID: a1bdb1609a50d476d86d5997444d9cf540a3e6cec9fbd09b68d660a97e2cded9
Instruction ID: 44aeae716fc9e6a6285fc04779a19621d5862b06a757f38c828a1fab5a7bd40f
Opcode Fuzzy Hash: a1bdb1609a50d476d86d5997444d9cf540a3e6cec9fbd09b68d660a97e2cded9
Instruction Fuzzy Hash: 2941BEB1D103199FDB14CF99C984ADEFFB6BF48314F24812AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0312779C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 03127F11

Strings

f"zS, xrefs: 03127E67

Memory Dump Source

Source File: 00000006.00000002.526751243.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3120000_Technical information zip.jbxd

Similarity

API ID: CallProcWindow
String ID: f"zS
API String ID: 2714655100-594703487
Opcode ID: 17304297b27d5b9215c423dfb82275c7d0b8d71e4866356ea3daab500fc69214
Instruction ID: 2b86ff909ae5c5cd2dfbdb06fdce660a965011551b2646652b98a73656ce0114
Opcode Fuzzy Hash: 17304297b27d5b9215c423dfb82275c7d0b8d71e4866356ea3daab500fc69214
Instruction Fuzzy Hash: 004129B5A00259CFCB14CF99C488AABBBF5FF8C314F158459E429A7761D774A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0312C199 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0312C222

Strings

f"zS, xrefs: 0312C1BF

Memory Dump Source

Source File: 00000006.00000002.526751243.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3120000_Technical information zip.jbxd

Similarity

API ID: EncodePointer
String ID: f"zS
API String ID: 2118026453-594703487
Opcode ID: 6128b1f80703a9a1098c6df1692c98340929f22129e9f5254f72a2e7be7f2dec
Instruction ID: 97574f2c9d762c2fb950ecba05e7be10f233209055cd256ab82f8107717ab105
Opcode Fuzzy Hash: 6128b1f80703a9a1098c6df1692c98340929f22129e9f5254f72a2e7be7f2dec
Instruction Fuzzy Hash: F2310E708053958FCB10EFA8E94A3DEBFF4EB4A704F18805AC408AB252CB385445CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03126B62 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03126BEF

Strings

f"zS, xrefs: 03126B87

Memory Dump Source

Source File: 00000006.00000002.526751243.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3120000_Technical information zip.jbxd

Similarity

API ID: DuplicateHandle
String ID: f"zS
API String ID: 3793708945-594703487
Opcode ID: 2b42fb65281ecbfaabbdc6b907797bca24365a7e6a2edd12dd59ec8977cc310b
Instruction ID: 31308164d466ea2e1e2d8f354f9ff0f71e3d580407eff9283a42530e2514f46e
Opcode Fuzzy Hash: 2b42fb65281ecbfaabbdc6b907797bca24365a7e6a2edd12dd59ec8977cc310b
Instruction Fuzzy Hash: 5921DFB5D012499FDB10CFA9D984AEEBBF4EB48320F14851AE814A3750D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03126B68 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03126BEF

Strings

f"zS, xrefs: 03126B87

Memory Dump Source

Source File: 00000006.00000002.526751243.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3120000_Technical information zip.jbxd

Similarity

API ID: DuplicateHandle
String ID: f"zS
API String ID: 3793708945-594703487
Opcode ID: c8bb658d5c940d95fbd0ce472aa15637f420a569db82fec6b18adf2c688eac3a
Instruction ID: 184da958f4e2ac05bae8cf76e7f8f9adfaf3962d204f8123f26046b92d4bf24a
Opcode Fuzzy Hash: c8bb658d5c940d95fbd0ce472aa15637f420a569db82fec6b18adf2c688eac3a
Instruction Fuzzy Hash: 2921E3B59002499FDB10CF99D984ADEFBF8EB48320F14841AE814A3750D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0312C1A8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0312C222

Strings

f"zS, xrefs: 0312C1BF

Memory Dump Source

Source File: 00000006.00000002.526751243.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3120000_Technical information zip.jbxd

Similarity

API ID: EncodePointer
String ID: f"zS
API String ID: 2118026453-594703487
Opcode ID: 05c5b1153eda4ff959e168a5ba089d1d61628d3e7602fcb0e029813604a4f816
Instruction ID: 60f19d6ac29fc01d1e98e5c53e1ea1ac16092e3bbc717515ba8eaf9fa0c3f55f
Opcode Fuzzy Hash: 05c5b1153eda4ff959e168a5ba089d1d61628d3e7602fcb0e029813604a4f816
Instruction Fuzzy Hash: 4F11837090035A8FCB20EFA9D94979EBFF8EB49714F14802AD404A7640DB38A5858FA5

Uniqueness

Uniqueness Score: -1.00%

Function 017CD450 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.525840083.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17cd000_Technical information zip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f961b2dc8782ac39e51b21779b1b4c0ea77324d6af0a660d30b80029d882f661
Instruction ID: f4a1dadb4c32fe73d39fe2288b6e3347d0effd919aceb875a19e938e764f1d34
Opcode Fuzzy Hash: f961b2dc8782ac39e51b21779b1b4c0ea77324d6af0a660d30b80029d882f661
Instruction Fuzzy Hash: 0421FEB1504240AFDB219F54E8C0BA7FB61FB88724F2085ADE9054A606C336E806CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 017CD53C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.525840083.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17cd000_Technical information zip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d39d6994dcf01406a0493fbf583fbf160a513f621c3a97be527b78f8480158e2
Instruction ID: e6678bcb05dd1061928ad803815d0b9da924f4c953a147d31b310b6fe9e7a609
Opcode Fuzzy Hash: d39d6994dcf01406a0493fbf583fbf160a513f621c3a97be527b78f8480158e2
Instruction Fuzzy Hash: 802100B2500240EFDB11DF44E9C0B66FF61FB98728F2085BDE8054B646C336D806CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 017DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.525926923.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17dd000_Technical information zip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2d9740448c2714f0a2b8f258c596bdecd0a9000e678662ca05228c9083e218
Instruction ID: 0861a56d55391c40acdf18f178960f9db8bd803ea132eb374b032c4f159fa31e
Opcode Fuzzy Hash: cb2d9740448c2714f0a2b8f258c596bdecd0a9000e678662ca05228c9083e218
Instruction Fuzzy Hash: 1D212575604248DFDB21DF54D9C0B16FB75FB88354F24C9A9D8094B786C336D806CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 017DD005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.525926923.00000000017DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17dd000_Technical information zip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821a3fd581a2a0af3458e4ab9fd5053a2eddfcbcbb98500b3a84d0b7fd16630b
Instruction ID: db782a7017558c0f54fd95bb09828d22bd5419f1aef51b69b8e83f1e66c6a2e3
Opcode Fuzzy Hash: 821a3fd581a2a0af3458e4ab9fd5053a2eddfcbcbb98500b3a84d0b7fd16630b
Instruction Fuzzy Hash: 872180754083849FCB12CF24D994B11BF71EB86214F28C5EAD8498B697C33AD846CB62

Uniqueness

Uniqueness Score: -1.00%

Function 017CD44B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.525840083.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17cd000_Technical information zip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a914f4b93efc25090f91832e2dda59b37c651b77dec01b5b456fcbaac91247
Instruction ID: b8676926949387e8af5e6b405688e21c660ccb978b2e8018cd50e424768908ec
Opcode Fuzzy Hash: 48a914f4b93efc25090f91832e2dda59b37c651b77dec01b5b456fcbaac91247
Instruction Fuzzy Hash: 9A11CA76404280CFCB12CF04E9C0B16FF71FB84324F2886ADD8054A617C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 017CD537 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.525840083.00000000017CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17cd000_Technical information zip.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a914f4b93efc25090f91832e2dda59b37c651b77dec01b5b456fcbaac91247
Instruction ID: 7df1ff99db7797b95b0ea11acb927a4413b3b7b49679d684ffcb370e0de07777
Opcode Fuzzy Hash: 48a914f4b93efc25090f91832e2dda59b37c651b77dec01b5b456fcbaac91247
Instruction Fuzzy Hash: 6A11AF76504280CFCB12CF54D9C4B16FF72FB98724F2486ADD8094B616C33AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Technical information zip.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Technical information zip.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
Technical information zip.exe

Function 05793DC4 Relevance: .7, Instructions: 668
COMMON

Function 05798458 Relevance: .7, Instructions: 661
COMMON

Function 05793F84 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0579550C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 0579BEE0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0579BB58 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 0579BF50 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 0312691F Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133
threadCOMMON

Function 03126940 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
threadCOMMON

Function 03125084 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115
COMMON

Function 03125090 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Function 0312779C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Function 0312C199 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
COMMON

Function 03126B62 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Function 03126B68 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Function 0312C1A8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
COMMON