
Windows Analysis Report
ts.exe_

Overview

General Information

Sample Name: ts.exe_ (renamed file extension from exe_ to exe)
Analysis ID: 745562
MD5: ad57d446c107b5abd83b6180456cd0dd
SHA1: 8e277fb9bc97bedc7f7f4ba4390cc36702d87b7c
SHA256: 58d9d7c2d4a4140bbdc16c9b6ab1b56244ebc8b1c3eaa1fc63386bbce7acdb4c

Detection

Emotet
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Malicious sample detected (through community Yara rule)
Antivirus detection for dropped file
Machine Learning detection for sample
PE file does not import any functions
Yara signature match
Drops PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Uses Microsoft's Enhanced Cryptographic Provider
Contains long sleeps (>= 3 min)

Classification

  • System is w10x64
  • ts.exe (PID: 3664 cmdline: C:\Users\user\Desktop\ts.exe MD5: AD57D446C107B5ABD83B6180456CD0DD)
    • conhost.exe (PID: 4724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
ts.exe | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
ts.exe | Windows_Trojan_Emotet_db7d33fa | unknown | unknown |
    • 0xa7cfe:$chunk_0: 4C 8D 9C 24 B0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
    • 0xaa853:$chunk_0: 4C 8D 9C 24 00 01 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
    • 0xab94f:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
    • 0xb218d:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
    • 0xa6601:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B
    • 0xb1a8c:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3
    • 0xaa841:$chunk_3: 48 8B 45 27 BB 01 00 00 00 48 89 07 8B 45 2F 89 47 08 4C 8D 9C 24 00 01 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
    • 0xab93d:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
    • 0xab3a7:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
    • 0xb3d19:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
    • 0xa6272:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 D0 01 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3
    • 0xa6615:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
    • 0xa3097:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
Source | Rule | Description | Author | Strings
C:\Users\user\Desktop\62366813.dll | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
C:\Users\user\Desktop\62366813.dll | Windows_Trojan_Emotet_db7d33fa | unknown | unknown |
      • 0x92ea:$chunk_0: 4C 8D 9C 24 B0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
      • 0xbe3f:$chunk_0: 4C 8D 9C 24 00 01 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
      • 0xcf3b:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
      • 0x13779:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
      • 0x7bed:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B
      • 0x13078:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3
      • 0xbe2d:$chunk_3: 48 8B 45 27 BB 01 00 00 00 48 89 07 8B 45 2F 89 47 08 4C 8D 9C 24 00 01 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
      • 0xcf29:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
      • 0xc993:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
      • 0x15305:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
      • 0x785e:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 D0 01 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3
      • 0x7c01:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
      • 0x4683:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
Source | Rule | Description | Author | Strings
00000000.00000002.562441647.00007FFA0AED1000.00000020.00000001.01000000.00000004.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000000.00000002.562441647.00007FFA0AED1000.00000020.00000001.01000000.00000004.sdmp | Windows_Trojan_Emotet_db7d33fa | unknown | unknown |
        • 0x8eea:$chunk_0: 4C 8D 9C 24 B0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
        • 0xba3f:$chunk_0: 4C 8D 9C 24 00 01 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
        • 0xcb3b:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
        • 0x13379:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
        • 0x77ed:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B
        • 0x12c78:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3
        • 0xba2d:$chunk_3: 48 8B 45 27 BB 01 00 00 00 48 89 07 8B 45 2F 89 47 08 4C 8D 9C 24 00 01 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
        • 0xcb29:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
        • 0xc593:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
        • 0x14f05:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
        • 0x745e:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 D0 01 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3
        • 0x7801:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
        • 0x4283:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
00000000.00000003.299862162.00000228231C0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
00000000.00000003.299862162.00000228231C0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Emotet_db7d33fa | unknown | unknown |
          • 0x92ea:$chunk_0: 4C 8D 9C 24 B0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
          • 0xbe3f:$chunk_0: 4C 8D 9C 24 00 01 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
          • 0xcf3b:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
          • 0x13779:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
          • 0x7bed:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B
          • 0x13078:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3
          • 0xbe2d:$chunk_3: 48 8B 45 27 BB 01 00 00 00 48 89 07 8B 45 2F 89 47 08 4C 8D 9C 24 00 01 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
          • 0xcf29:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
          • 0xc993:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
          • 0x15305:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
          • 0x785e:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 D0 01 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3
          • 0x7c01:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
          • 0x4683:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
00000000.00000003.299383409.0000022823350000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(1 further entry not shown)
Source | Rule | Description | Author | Strings
0.3.ts.exe.228231c0000.3.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0.3.ts.exe.228231c0000.3.unpack | Windows_Trojan_Emotet_db7d33fa | unknown | unknown |
              • 0x86ea:$chunk_0: 4C 8D 9C 24 B0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
              • 0xb23f:$chunk_0: 4C 8D 9C 24 00 01 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
              • 0xc33b:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
              • 0x12b79:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
              • 0x6fed:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B
              • 0x12478:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3
              • 0xb22d:$chunk_3: 48 8B 45 27 BB 01 00 00 00 48 89 07 8B 45 2F 89 47 08 4C 8D 9C 24 00 01 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
              • 0xc329:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
              • 0xbd93:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
              • 0x14705:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
              • 0x6c5e:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 D0 01 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3
              • 0x7001:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
              • 0x3a83:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
0.3.ts.exe.228233eea14.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
0.3.ts.exe.228233eea14.0.unpack | Windows_Trojan_Emotet_db7d33fa | unknown | unknown |
                • 0x86ea:$chunk_0: 4C 8D 9C 24 B0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
                • 0xb23f:$chunk_0: 4C 8D 9C 24 00 01 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
                • 0xc33b:$chunk_0: 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
                • 0x12b79:$chunk_0: 4C 8D 9C 24 A0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
                • 0x6fed:$chunk_1: 8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B
                • 0x12478:$chunk_2: 48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3
                • 0xb22d:$chunk_3: 48 8B 45 27 BB 01 00 00 00 48 89 07 8B 45 2F 89 47 08 4C 8D 9C 24 00 01 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
                • 0xc329:$chunk_3: 48 8B 45 3F BB 01 00 00 00 48 89 07 8B 45 47 89 47 08 4C 8D 9C 24 C0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3
                • 0xbd93:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
                • 0x14705:$chunk_4: 48 39 3B 4C 8D 9C 24 90 00 00 00 49 8B 5B 10 49 8B 73 20 40 0F 95 C7 8B C7 49 8B 7B 28 49 8B E3 5D C3
                • 0x6c5e:$chunk_5: BE 02 00 00 00 4C 8D 9C 24 D0 01 00 00 8B C6 49 8B 5B 30 49 8B 73 38 49 8B 7B 40 49 8B E3 41 5F 41 5E 41 5D 41 5C 5D C3
                • 0x7001:$chunk_6: 43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B
                • 0x3a83:$chunk_7: 88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03
0.3.ts.exe.228231c0000.3.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
(9 further entries not shown)
No Sigma rule has matched
No Snort rule has matched
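The YARA tables above list every `$chunk` string of Windows_Trojan_Emotet_db7d33fa at an offset in the sample, in the dropped DLL, in the memory dump taken at 0x7FFA0AED1000 and in the unpacked PEs. The Python below is an added example, not part of the Joe Sandbox report and not the Elastic rule itself. It does two things an analyst would otherwise do by hand: it re-implements the hex-string search over a constructed buffer, folding the four reported `$chunk_0` variants, which differ only in the 32-bit displacement of the `lea r11, [rsp+disp32]` function epilogue, into one wildcarded pattern (the `??` syntax is an assumption about how the rule is written; the report prints only the bytes that matched), and it checks, using the offsets copied from the report, that every chunk shifts by one constant amount between the DLL on disk, the in-process dump and the unpacked copy, which is what identical code at a different starting offset looks like. `$chunk_3`, `$chunk_4` and `$chunk_5` are left out of the scan table only for brevity; the shift check uses the chunks that occur exactly once per source.

```python
"""Added example (not from the Joe Sandbox report): YARA-style chunk search plus
an offset-shift check over the offsets the report lists."""
import re
from typing import Dict, List, Optional, Tuple

# String fragments printed for Windows_Trojan_Emotet_db7d33fa. $chunk_0 is written
# once with wildcards: its four reported hits differ only in the disp32 of
# `lea r11, [rsp+disp32]` (B0 00, 00 01, C0 00, A0 00 in the low two bytes).
# The "??" syntax is assumed; the report shows only the bytes that matched.
CHUNKS: Dict[str, str] = {
    "$chunk_0": "4C 8D 9C 24 ?? ?? 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3",
    "$chunk_1": "8B C7 41 0F B7 4C 45 00 41 8B 1C 8C 48 03 DD 48 3B DE 72 1B",
    "$chunk_2": "48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3",
    "$chunk_6": "43 8B 84 FE 8C 00 00 00 48 03 C6 48 3B D8 73 0B",
    "$chunk_7": "88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03",
}


def hex_spec_to_regex(spec: str) -> bytes:
    """'4C 8D ?? 24' -> a bytes regex; '??' matches exactly one arbitrary byte."""
    out = []
    for tok in spec.split():
        out.append(b"." if tok == "??" else b"\\x%02x" % int(tok, 16))
    # Zero-width lookahead so overlapping occurrences are all reported, as YARA does.
    return b"(?=" + b"".join(out) + b")"


def scan(buf: bytes, chunks: Dict[str, str] = CHUNKS) -> List[Tuple[int, str]]:
    """Return (offset, chunk_name) for every occurrence, sorted by offset."""
    hits = []
    for name, spec in chunks.items():
        rx = re.compile(hex_spec_to_regex(spec), re.DOTALL)
        hits.extend((m.start(), name) for m in rx.finditer(buf))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed buffer (not the real sample): NOP filler with two $chunk_0
    variants, $chunk_7 and $chunk_2 planted at known offsets."""
    buf = bytearray(b"\x90" * 0x200)
    planted = {
        0x020: "4C 8D 9C 24 B0 00 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3",
        0x080: "4C 8D 9C 24 00 01 00 00 8B C3 49 8B 5B 10 49 8B 73 18 49 8B 7B 20 49 8B E3 5D C3",
        0x100: "88 02 48 FF C2 48 FF C3 8A 03 84 C0 75 EE EB 03",
        0x140: "48 8B C4 48 89 48 08 48 89 50 10 4C 89 40 18 4C 89 48 20 C3",
    }
    for off, hx in planted.items():
        raw = bytes.fromhex(hx)
        buf[off:off + len(raw)] = raw
    return bytes(buf)


# Offsets copied from the report for the chunks that occur once per source.
REPORTED: Dict[str, Dict[str, int]] = {
    "62366813.dll": {"$chunk_1": 0x7bed, "$chunk_2": 0x13078, "$chunk_5": 0x785e, "$chunk_6": 0x7c01, "$chunk_7": 0x4683},
    "sdmp@7FFA0AED1000": {"$chunk_1": 0x77ed, "$chunk_2": 0x12c78, "$chunk_5": 0x745e, "$chunk_6": 0x7801, "$chunk_7": 0x4283},
    "0.3.ts.exe.228231c0000.3.unpack": {"$chunk_1": 0x6fed, "$chunk_2": 0x12478, "$chunk_5": 0x6c5e, "$chunk_6": 0x7001, "$chunk_7": 0x3a83},
}


def constant_shift(a: Dict[str, int], b: Dict[str, int]) -> Optional[int]:
    """a[k] - b[k] if it is the same for every chunk both sources share, else None."""
    deltas = {a[k] - b[k] for k in a.keys() & b.keys()}
    return deltas.pop() if len(deltas) == 1 else None


if __name__ == "__main__":
    for off, name in scan(build_sample()):
        print("0x%x:%s" % (off, name))
    dll = REPORTED["62366813.dll"]
    for other in ("sdmp@7FFA0AED1000", "0.3.ts.exe.228231c0000.3.unpack"):
        print("shift 62366813.dll -> %s:" % other, constant_shift(dll, REPORTED[other]))
```

A constant shift of 0x400 between the DLL file and the dump at 0x7FFA0AED1000, and of 0xC00 between the file and the unpacked PE, is consistent with the three objects carrying the same code image; a mixed set of deltas would have pointed at a different build of the payload rather than a relocated copy.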

AV Detection

Source: ts.exe | Avira: detected
Source: C:\Users\user\Desktop\62366813.dll | Avira: detection malicious, Label: HEUR/AGEN.1251140
Source: ts.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58828F0 CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptGetHashParam, CryptGetHashParam, CryptDestroyHash, CryptReleaseContext, CryptDestroyHash, CryptReleaseContext
Source: ts.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEDF51C FindFirstFileW

E-Banking Fraud

Source: Yara match | File source: ts.exe, type: SAMPLE
Source: Yara match | File source: 0.3.ts.exe.228231c0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.ts.exe.228233eea14.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.ts.exe.228231c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ts.exe.7ffa0aed0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.ts.exe.228233ca850.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.ts.exe.228233eea14.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.ts.exe.22823350000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.562441647.00007FFA0AED1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.299862162.00000228231C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.299383409.0000022823350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\Desktop\62366813.dll, type: DROPPED

System Summary

Source: ts.exe, type: SAMPLE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.ts.exe.228231c0000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.ts.exe.228233eea14.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.ts.exe.228231c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.2.ts.exe.7ffa0aed0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.ts.exe.228233ca850.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.ts.exe.228233eea14.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.ts.exe.22823350000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000002.562441647.00007FFA0AED1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000003.299862162.00000228231C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000003.299383409.0000022823350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: C:\Users\user\Desktop\62366813.dll, type: DROPPED | Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 62366813.dll.0.dr | Static PE information: No import functions for PE file found
Rule metadata for Windows_Trojan_Emotet_db7d33fa, identical for each of the twelve sources listed above: reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58A46E8
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A5883DF0
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58C6D94
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A5890B06
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58A3A40
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58DAEB0
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A588EEF4
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58BD668
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58BC5A0
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58BCDD0
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A588DDE8
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58CE614
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A5897D18
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58C053C
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58CFD5C
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58C6830
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A5890024
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58CC854
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58D8848
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A588D7CC
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A5885FC0
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58BF7F4
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58BC788
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A5882F80
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58CE164
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58BD160
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58CEC94
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A58BC3B8
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FF7A5894400
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED61F4
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEE5F68
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED3750
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEDF51C
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED3518
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED66AC
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED765C
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEE5B54
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED7AF0
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEE4AE4
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEDC480
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEE443C
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED6428
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED8BDC
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEE03D8
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEE1960
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEE415C
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEDB134
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED1924
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED7908
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEDF28C
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED525C
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEDCA5C
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEE5A40
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEDE234
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEDD1E8
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED49E4
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED89D0
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED17A0
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEDBF78
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEDD710
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEDE090
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEE3858
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEE3050
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEDF028
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED9FD0
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEDDDA0
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEDCD9C
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED9D68
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED6548
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEE0D2C
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED250C
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED5D08
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEDB4F0
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEE1E88
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED5668
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED8648
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AED4604
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEE45F0
Source: C:\Users\user\Desktop\ts.exe | Code function: 0_2_00007FFA0AEE05C4
Source: C:\Users\user\Desktop\ts.exe | File read: C:\Users\user\Desktop\ts.exe
Source: ts.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ts.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\ts.exe C:\Users\user\Desktop\ts.exe
Source: C:\Users\user\Desktop\ts.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4724:120:WilError_01
Source: C:\Users\user\Desktop\ts.exe | File created: C:\Users\user\Desktop\62366813.dll
Source: C:\Users\user\Desktop\ts.exe | File created: C:\Users\user\AppData\Local\Temp\1B9F.tmp
Source: classification engine | Classification label: mal76.troj.winEXE@2/3@0/0
Source: ts.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: ts.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ts.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ts.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ts.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ts.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ts.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ts.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: ts.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ts.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ts.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: ts.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: ts.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\ts.exeCode function: 0_2_00007FF7A589ACC4 pushfq ; ret 0_2_00007FF7A589ACC5
                  Source: C:\Users\user\Desktop\ts.exeCode function: 0_2_00007FF7A589AD06 push rbp; iretd 0_2_00007FF7A589AD07
                  Source: C:\Users\user\Desktop\ts.exeCode function: 0_2_00007FF7A5899B8E push rbp; iretd 0_2_00007FF7A5899B8F
                  Source: ts.exeStatic PE information: section name: _RDATA
                  Source: 06B049A8.dll.0.drStatic PE information: section name: _RDATA
                  Source: C:\Users\user\Desktop\ts.exeFile created: C:\Users\user\Desktop\62366813.dllJump to dropped file
                  Source: C:\Users\user\Desktop\ts.exeFile created: C:\Users\user\Desktop\06B049A8.dllJump to dropped file
                  Source: C:\Users\user\Desktop\ts.exe TID: 5720Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\ts.exeDropped PE file which has not been started: C:\Users\user\Desktop\06B049A8.dllJump to dropped file
                  Source: C:\Users\user\Desktop\ts.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\ts.exeCode function: 0_2_00007FFA0AEDF51C FindFirstFileW,0_2_00007FFA0AEDF51C
                  Source: C:\Users\user\Desktop\ts.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\ts.exeCode function: 0_2_00007FF7A588B568 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7A588B568
                  Source: C:\Users\user\Desktop\ts.exeCode function: 0_2_00007FF7A588B110 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,0_2_00007FF7A588B110
                  Source: C:\Users\user\Desktop\ts.exeCode function: 0_2_00007FF7A588B710 SetUnhandledExceptionFilter,0_2_00007FF7A588B710
                  Source: C:\Users\user\Desktop\ts.exeCode function: 0_2_00007FF7A588B568 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7A588B568
                  Source: C:\Users\user\Desktop\ts.exeCode function: 0_2_00007FF7A588B2BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF7A588B2BC
                  Source: C:\Users\user\Desktop\ts.exeCode function: 0_2_00007FF7A58BE50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7A58BE50C
                  Source: C:\Users\user\Desktop\ts.exeCode function: GetLocaleInfoEx,0_2_00007FF7A58B4F3C
                  Source: C:\Users\user\Desktop\ts.exeCode function: EnumSystemLocalesW,0_2_00007FF7A58D26B4
                  Source: C:\Users\user\Desktop\ts.exeCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00007FF7A58D5898
                  Source: C:\Users\user\Desktop\ts.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00007FF7A58D60F0
                  Source: C:\Users\user\Desktop\ts.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF7A58D62CC
                  Source: C:\Users\user\Desktop\ts.exeCode function: EnumSystemLocalesW,0_2_00007FF7A58D5CB4
                  Source: C:\Users\user\Desktop\ts.exeCode function: EnumSystemLocalesW,0_2_00007FF7A58D5BE4
                  Source: C:\Users\user\Desktop\ts.exeCode function: GetLocaleInfoW,0_2_00007FF7A58D2BF8
                  Source: C:\Users\user\Desktop\ts.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: C:\Users\user\Desktop\ts.exeCode function: 0_2_00007FF7A588B978 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF7A588B978
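As an added example (not part of the Joe Sandbox report and not Joe Security's tooling), the Python script below parses signature lines of the kind listed above into structured records and pulls out the host indicators an analyst would pivot on from this report: the dropped files, the registry keys touched, the conhost mutex, the API names in the "Code function" entries, and the sleep-based evasion. The sample lines are copied from this report with the whitespace between fields restored; the field layout the regex assumes ("Source: <source>  <category>: <detail>") and the category names it keys on are assumptions about this report's text, not a documented export format. The delay value 922337203685477 reported twice above equals floor((2^63 - 1) / 10^4), that is the largest signed 64-bit relative interval in 100 ns ticks expressed in milliseconds, which is consistent with a sleep that never returns on its own; the script flags values that reach that bound.

```python
import json
import re

# Signature lines copied from this report for ts.exe, with the whitespace
# between the fused fields restored. Constructed subset for this example,
# not a full export of the report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\ts.exe  File created: C:\Users\user\Desktop\62366813.dll",
    r"Source: C:\Users\user\Desktop\ts.exe  File created: C:\Users\user\Desktop\06B049A8.dll",
    r"Source: C:\Users\user\Desktop\ts.exe  File created: C:\Users\user\AppData\Local\Temp\1B9F.tmp",
    r"Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4724:120:WilError_01",
    r"Source: C:\Users\user\Desktop\ts.exe  Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers",
    r"Source: C:\Users\user\Desktop\ts.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Users\user\Desktop\ts.exe TID: 5720  Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\ts.exe  Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\ts.exe  Code function: 0_2_00007FFA0AEDF51C FindFirstFileW,",
    r"Source: C:\Users\user\Desktop\ts.exe  Code function: 0_2_00007FF7A588B568 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,",
]

# Assumed layout: "Source: <source>  <category>: <detail>". The source may itself
# contain colons (drive letters, "TID: 5720"), so the category is anchored on the
# first run of two or more spaces instead of on the first colon.
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s{2,}(?P<category>[^:]+):\s*(?P<detail>.*)$"
)

# Largest positive relative interval a 64-bit NtDelayExecution argument can hold,
# in 100 ns ticks. Divided by 10^4 it is the value the report prints: 922337203685477.
INT64_MAX_TICKS = 2**63 - 1
INFINITE_DELAY_MS = INT64_MAX_TICKS // 10_000


def parse_line(line):
    """Split one signature line into source, category and detail; None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {k: v.strip() for k, v in m.groupdict().items()}


def is_effectively_infinite_delay(delay_ms):
    """True when a reported delay saturates the 64-bit interval, i.e. a sleep that never ends on its own."""
    return abs(int(delay_ms)) >= INFINITE_DELAY_MS


def extract_iocs(lines):
    """Collect host indicators and evasion signals from a list of signature lines."""
    iocs = {"dropped_files": [], "registry_keys": [], "mutexes": [],
            "api_calls": [], "long_sleeps": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cat, detail = rec["category"], rec["detail"]
        if cat == "File created":
            iocs["dropped_files"].append(detail)
        elif cat in ("Key opened", "Key value queried"):
            iocs["registry_keys"].append(detail)
        elif cat == "Mutant created":
            iocs["mutexes"].append(detail)
        elif cat == "Code function":
            # "<address> api1,api2,..." with a trailing comma in the report
            parts = detail.split(maxsplit=1)
            if len(parts) == 2:
                iocs["api_calls"].extend(a for a in parts[1].split(",") if a)
        elif cat in ("Thread delayed", "Thread sleep time"):
            # First integer in the detail is the delay; negative means relative time
            nums = re.findall(r"-?\d+", detail)
            if nums and is_effectively_infinite_delay(nums[0]):
                iocs["long_sleeps"].append(rec["source"])
    return iocs


if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_LINES), indent=2))
```

The two sleep entries both come out as saturated delays, which is the practical reading of the "Sample execution stops while process was sleeping" verdict: a process that parks itself forever in the sandbox but may behave differently when a timer, a named event, or a user action wakes it on a real host. The dropped `.dll` names and the `Cryptography\MachineGuid` read are the entries worth carrying into endpoint hunting.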

Stealing of Sensitive Information

Source: Yara match  File source: ts.exe, type: SAMPLE
Source: Yara match  File source: 0.3.ts.exe.228231c0000.3.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.3.ts.exe.228233eea14.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.3.ts.exe.228231c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.2.ts.exe.7ffa0aed0000.2.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.3.ts.exe.228233ca850.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.3.ts.exe.228233eea14.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 0.3.ts.exe.22823350000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000000.00000002.562441647.00007FFA0AED1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000003.299862162.00000228231C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000003.299383409.0000022823350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: C:\Users\user\Desktop\62366813.dll, type: DROPPED
MITRE ATT&CK Matrix

The matrix is listed here one tactic per line. Techniques carrying a leading number are the cells highlighted in the original matrix; the number is reproduced as it appears there. The original table is cut off after the Collection column of its third row.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: 1 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 1 Process Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 1 System Time Discovery; 1 Security Software Discovery; 21 Virtualization/Sandbox Evasion
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: 2 Encrypted Channel; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout