Edit tour

Windows Analysis Report
VG0x1LZCFb.exe

Overview

General Information

Sample name:	VG0x1LZCFb.exe renamed because original name is a hash value
Original sample name:	906c1863777e91ff508ccb1758ee2f7bdec9cb59f0c251e0a1ddd64d9cc82548.exe
Analysis ID:	1466893
MD5:	f0584ec3946ed12facabaae4789235b7
SHA1:	f58a9f4ea1fb7aa409e029fcb0c976dc680ac034
SHA256:	906c1863777e91ff508ccb1758ee2f7bdec9cb59f0c251e0a1ddd64d9cc82548
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

VG0x1LZCFb.exe (PID: 3212 cmdline: "C:\Users\user\Desktop\VG0x1LZCFb.exe" MD5: F0584EC3946ED12FACABAAE4789235B7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.expresscargoes.net", "Username": "noreply@expresscargoes.net", "Password": "QAZ1234P0#WA"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
VG0x1LZCFb.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
VG0x1LZCFb.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
VG0x1LZCFb.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3533d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x353af:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35439:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x354cb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35535:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x355a7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3563d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x356cd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.4562988090.00000000027C4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000000.2120961167.0000000000352000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.2120961167.0000000000352000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.4562988090.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4562988090.00000000027A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: VG0x1LZCFb.exe PID: 3212	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: VG0x1LZCFb.exe PID: 3212	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.VG0x1LZCFb.exe.350000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.VG0x1LZCFb.exe.350000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.0.VG0x1LZCFb.exe.350000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3533d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x353af:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35439:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x354cb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35535:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x355a7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3563d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x356cd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 51.255.149.48, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\VG0x1LZCFb.exe, Initiated: true, ProcessId: 3212, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49711

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: VG0x1LZCFb.exe

Avira: detected

Found malware configuration

Source: VG0x1LZCFb.exe

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.expresscargoes.net", "Username": "noreply@expresscargoes.net", "Password": "QAZ1234P0#WA"}

Multi AV Scanner detection for submitted file

Source: VG0x1LZCFb.exe

ReversingLabs: Detection: 91%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: VG0x1LZCFb.exe

Joe Sandbox ML: detected

Source: VG0x1LZCFb.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49710 version: TLS 1.2

Source: VG0x1LZCFb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.6:49711 -> 51.255.149.48:587

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.6:49711 -> 51.255.149.48:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.expresscargoes.net

Source: VG0x1LZCFb.exe, 00000000.00000002.4562988090.00000000027C4000.00000004.00000800.00020000.00000000.sdmp, VG0x1LZCFb.exe, 00000000.00000002.4562988090.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://expresscargoes.net
Source: VG0x1LZCFb.exe, 00000000.00000002.4562988090.00000000027C4000.00000004.00000800.00020000.00000000.sdmp, VG0x1LZCFb.exe, 00000000.00000002.4562988090.000000000283A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.expresscargoes.net
Source: VG0x1LZCFb.exe, 00000000.00000002.4562988090.0000000002751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: VG0x1LZCFb.exe	String found in binary or memory: https://account.dyn.com/
Source: VG0x1LZCFb.exe	String found in binary or memory: https://api.ipify.org
Source: VG0x1LZCFb.exe, 00000000.00000002.4562988090.0000000002751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: VG0x1LZCFb.exe, 00000000.00000002.4562988090.0000000002751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49710 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: VG0x1LZCFb.exe, R1W.cs

.Net Code: PRQ3eCEJ

Installs a global keyboard hook

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\VG0x1LZCFb.exe

Jump to behavior

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: VG0x1LZCFb.exe, type: SAMPLE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.VG0x1LZCFb.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Code function: 0_2_00D7A1A0	0_2_00D7A1A0
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Code function: 0_2_00D7D4F8	0_2_00D7D4F8
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Code function: 0_2_00D799D0	0_2_00D799D0
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Code function: 0_2_00D74A98	0_2_00D74A98
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Code function: 0_2_00D73E80	0_2_00D73E80
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Code function: 0_2_00D741C8	0_2_00D741C8
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Code function: 0_2_06300448	0_2_06300448
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Code function: 0_2_06308A48	0_2_06308A48
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Code function: 0_2_0630BB58	0_2_0630BB58
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Code function: 0_2_063033A0	0_2_063033A0
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Code function: 0_2_063043E0	0_2_063043E0
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Code function: 0_2_06303AE8	0_2_06303AE8
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Code function: 0_2_06305871	0_2_06305871
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Code function: 0_2_063051A0	0_2_063051A0
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Code function: 0_2_06A137A0	0_2_06A137A0

Source: VG0x1LZCFb.exe, 00000000.00000000.2120994361.0000000000390000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamef3f7789a-01a3-4aaf-bdda-c44b7356b92c.exe4 vs VG0x1LZCFb.exe
Source: VG0x1LZCFb.exe, 00000000.00000002.4562329246.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs VG0x1LZCFb.exe
Source: VG0x1LZCFb.exe, 00000000.00000002.4561810776.0000000000738000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs VG0x1LZCFb.exe
Source: VG0x1LZCFb.exe	Binary or memory string: OriginalFilenamef3f7789a-01a3-4aaf-bdda-c44b7356b92c.exe4 vs VG0x1LZCFb.exe

Source: VG0x1LZCFb.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: VG0x1LZCFb.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.VG0x1LZCFb.exe.350000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: VG0x1LZCFb.exe, KLhJmaON.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: VG0x1LZCFb.exe, KLhJmaON.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: VG0x1LZCFb.exe, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: VG0x1LZCFb.exe, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: VG0x1LZCFb.exe, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: VG0x1LZCFb.exe, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: VG0x1LZCFb.exe, 9HIFdl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: VG0x1LZCFb.exe, 9HIFdl.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: VG0x1LZCFb.exe

Binary string: ID: 0x{0:X}qSize of the SerializedPropertyStore is less than 8 ({0})/StoreSize: {0} (0x{0X})3\Device\LanmanRedirector\[Failed to retrieve system handle information.V!

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/2

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe

Mutant created: NULL

Source: VG0x1LZCFb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: VG0x1LZCFb.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: VG0x1LZCFb.exe

ReversingLabs: Detection: 91%

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: VG0x1LZCFb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: VG0x1LZCFb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Code function: 0_2_00D7A190 push eax; ret	0_2_00D7A191
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Code function: 0_2_00D70CCC push edi; retf	0_2_00D70C7A
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Code function: 0_2_00D70C45 push ebx; retf	0_2_00D70C52

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Memory allocated: CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Memory allocated: 2750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Memory allocated: 2550000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Window / User API: threadDelayed 1805			Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Window / User API: threadDelayed 8024			Jump to behavior

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -200000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 6060	Thread sleep count: 1805 > 30	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 6060	Thread sleep count: 8024 > 30	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -99671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -98796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -98468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -98359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -98246s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -98078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -97968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -97859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -97750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -97640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -97531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -97421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -97312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -97202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -97093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -96984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -96875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -96765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -99876s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -99751s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -99626s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -99501s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -99376s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -99251s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -99110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -98918s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -98813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -98704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -98579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -98454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -98329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -98204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -98079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -97954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -97829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -97704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe TID: 2612	Thread sleep time: -97579s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 98796	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 98468	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 98246	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 98078	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 97968	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 97859	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 97750	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 97640	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 97531	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 97421	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 97312	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 97202	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 97093	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 96984	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 96875	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 96765	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 99876	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 99751	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 99626	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 99501	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 99376	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 99251	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 99110	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 98918	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 98704	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 98579	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 98454	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 98329	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 98204	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 98079	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 97954	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 97829	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 97704	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Thread delayed: delay time: 97579	Jump to behavior

Source: VG0x1LZCFb.exe	Binary or memory string: hgfsZrw6
Source: VG0x1LZCFb.exe, 00000000.00000002.4564517320.0000000005AA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Queries volume information: C:\Users\user\Desktop\VG0x1LZCFb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: VG0x1LZCFb.exe, type: SAMPLE
Source: Yara match	File source: 0.0.VG0x1LZCFb.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4562988090.00000000027C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2120961167.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4562988090.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VG0x1LZCFb.exe PID: 3212, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\VG0x1LZCFb.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: VG0x1LZCFb.exe, type: SAMPLE
Source: Yara match	File source: 0.0.VG0x1LZCFb.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2120961167.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4562988090.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VG0x1LZCFb.exe PID: 3212, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: VG0x1LZCFb.exe, type: SAMPLE
Source: Yara match	File source: 0.0.VG0x1LZCFb.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4562988090.00000000027C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2120961167.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4562988090.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VG0x1LZCFb.exe PID: 3212, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	141 Virtualization/Sandbox Evasion	21 Input Capture	111 Security Software Discovery	Remote Desktop Protocol	21 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	11 Archive Collected Data	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Data from Local System	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	24 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
VG0x1LZCFb.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
VG0x1LZCFb.exe	100%	Avira	TR/Spy.Gen8
VG0x1LZCFb.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
expresscargoes.net	51.255.149.48	true	true	unknown
api.ipify.org	104.26.13.205	true	false	unknown
mail.expresscargoes.net	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	VG0x1LZCFb.exe	false	URL Reputation: safe	unknown
https://account.dyn.com/	VG0x1LZCFb.exe	false	URL Reputation: safe	unknown
https://api.ipify.org/t	VG0x1LZCFb.exe, 00000000.00000002.4562988090.0000000002751000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	VG0x1LZCFb.exe, 00000000.00000002.4562988090.0000000002751000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
51.255.149.48	expresscargoes.net	France		16276	OVHFR	true
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466893
Start date and time:	2024-07-03 14:50:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VG0x1LZCFb.exe renamed because original name is a hash value
Original Sample Name:	906c1863777e91ff508ccb1758ee2f7bdec9cb59f0c251e0a1ddd64d9cc82548.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 64 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: VG0x1LZCFb.exe

Simulations

Behavior and APIs

Time	Type	Description
08:50:55	API Interceptor	11649211x Sleep call for process: VG0x1LZCFb.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51.255.149.48	file.exe	Get hash	malicious	Unknown	Browse
104.26.13.205	242764.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=wef
	Ransom.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	ld.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	ReturnLegend.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe	Get hash	malicious	PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	ArenaWarSetup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	q7r87KTHbc.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	New Orders 116403.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	TRANEXAMIC ACID & CAMPHANEDIOL SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Project_ref_03072024_pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	PI and payment confirmed pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	_Account Receipt.PDF.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	2024.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	B24E33 ENQUIRY.vbe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	AWB 3609 961.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://lnkd.in/exwPeXjc	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://www-bbc-co-uk.cdn.ampproject.org/c/s/ANToniopneus.com.br/dayo/laits/captcha/ZGUud2l0dGUuYm9ub0BkZW1lLWdyb3VwLmNvbQ==$%C3%A3%E2%82%AC%E2%80%9A	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	https://netorg40617-my.sharepoint.com/:o:/g/personal/negin_eeeasc_com/EkVB7FirdotMvG978qS6ihUB3Y22hA6ZH5YE34JME34-Pg?e=5%3aGZ1JUi&at=9	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	https://hr.economictimes.indiatimes.com/etl.php?url=https:*Ahr.economictimes.indiatimes.cometl.phpurl=Ayrtdtrdtyuikmmoix.pages.dev*Aemail=bWphY2tzb25AdHFsLmNvbQ==__;Ly8vPy8vIz8!!HkjQSg!xM0xOkWiB4abX6VJj84K1M3pVXJBP_GNPKTGuCBQdGUHkKmAbpL4OU1gL4uMAa_niGNzFWaU4aO2SbOw3s8pm3wmWgo$	Get hash	malicious	Unknown	Browse	104.19.178.52
	https://inpzk.useringimportdulcimer.ink/?=vxkncwole9	Get hash	malicious	HTMLPhisher	Browse	104.17.3.184
	https://netorg7716231-my.sharepoint.com/:f:/g/personal/schamness_jessenmfg_com/EpvvFD967V1ApGKFME3zg84BIzVZPMLc9RCaE7D0w7YFPA?e=hGdbPg	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://u6071375.ct.sendgrid.net/ls/click?upn=u001.jNebCYco-2BJgBMGJDj1kJWP39IKixFvDeSBij1PLovvXT0hkMSWjEhuIEgwQ-2F309CwGFmoY6-2Bl45VLW7K9Sd8-2Fg-3D-3Dm1D8_bgsmQmhs-2BDkrnAcljUiGIti1-2F3303-2FliL2Lyr586-2FN9rAlBFKILfRyjObk6Iz5-2FtMSxC-2FhiWOZXbqnmzeZXBiy3CSpPIYxz2-2BTcFMtFX6z-2FFKaL9cuMNNsd9H8Soth9M-2BiGwIhw5kRyphke6a8RYyV0rtdDONsX7lNk6Cr796v-2FIJZ8nzBJ39o6b-2FDySakEM-2B9nvScrgUWzDogJp7LxfPQ-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.18.10.212
	http://www.cajamar-soporte.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	1mXbuDDPbF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	k8TljgjfDl.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
OVHFR	https://us-east-2.protection.sophos.com/?d=beehiiv.com&u=aHR0cHM6Ly9saW5rLm1haWwuYmVlaGlpdi5jb20vbHMvY2xpY2s_dXBuPXUwMDEublhka2JOSUpSeEZBS3VJWUJaMjU1N3l4Ujd6TmpDcFhIYW5SQnlyQXY3ZHMzMDZEQ091c3dBUU0yYzhiZFN4b1BudElFVWpoUzJhdzI1aDJUcWNiZVVCdXQ3WEhqcHZMejN4aS0yRnBZN2NYb3RNbXNIRlVyUkd5RDAzTGhIZms2a2E1ZGZEVFpCSlVkWnpOandHYUJsR0x3U1B4MlN1TVNIWEl5ZlI3YVdDNW1aeFNQLTJCUWFOUmpzMlpwblRwbmxpLTJGX245c19sZUtscWNRUnJvOGtNTXJocHFZOENpeTQ4MnhLUmJTM1NZcE16TVUtMkY5c0VvdjNqMExCNE1kOVZ3WUJvOEY2bEhJTllZbE90LTJGcjRQd1FwOXdCVmFuUXpmRy0yQnZlaFF5WVBjamlVbFpSN3VSaHJFbWFrLTJCYXY5T2RyYldyREphTmo3ck1iNmlhckR2Rjh1d2xPeDZ5VFY5ODFHLTJGejZiRDczakVOVHk4M0pXa2kzVzNTSzRBRURwQjd3dEg4blRyZ203ZjYxaEg2enlzYjFLYVl0S0pyWUJjU2QxNTN2SDQ5eDlTeW5acVZ0TGdqN2RrWU1FRkE1NzV6WWF6b2UwQmw2UnVUM1RHTkJiU2JpOHhUNUFnRGJMUjY4TlU1ay0yRmtDVFJtOHJrWWRMSDBNRGgtMkY3c1J6dVE4TEJxeDBvQzZ6WXVFQk0xRVFBdGI3eGxMZVEtMkJ5SEtiOE4yVHV0TFdpVEk4amc4b3U5MTkxRlM5SDEyLTJCbnJpT0hESVo2Nk1yd3pIeTRScFBQWlAtMkJ0Y1NscGt2Z01HT2F5Nmx6UGlCdE1MeGRrODI5eGU3TThFT1VLRDR2UHIxZFdYZ3c3MjFQQjFNa3k=&i=NWNiNGNiOGY1NWZlOGIxMTAwZmUxN2Uy&t=YUVvbWN0aDQzMW4yV29uam9nK2tUNmU1dStvM2VicUNJeENiWDR5Zk1nTT0=&h=ddfea45e1610491898abc824d1dabad5&s=AVNPUEhUT0NFTkNSWVBUSVaKXvCVdmaYUeJ4sMCGgh9xhnT0RF3qCfPvI6ciaUbnMg	Get hash	malicious	Unknown	Browse	66.70.176.204
	https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//bgvhdjcbjfdhjkbgfddgfghgfd.pages.dev/#?email=dGVzdEB0ZXN0by5jb20=	Get hash	malicious	Unknown	Browse	149.202.238.104
	watchdog.elf	Get hash	malicious	Mirai	Browse	142.44.221.54
	spc.elf	Get hash	malicious	Mirai	Browse	51.71.23.37
	https://supp-review9482.eu/	Get hash	malicious	Unknown	Browse	94.23.17.185
	http://multichaindappsx.pages.dev/	Get hash	malicious	Unknown	Browse	51.255.68.171
	44zg1cvu.msg	Get hash	malicious	HTMLPhisher	Browse	51.38.145.13
	https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08	Get hash	malicious	HTMLPhisher	Browse	51.178.195.216
	s.exe	Get hash	malicious	ScreenConnect Tool	Browse	51.77.100.220
	s.exe	Get hash	malicious	ScreenConnect Tool	Browse	51.77.100.220

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.26.13.205
	https://lnkd.in/exwPeXjc	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	https://inpzk.useringimportdulcimer.ink/?=vxkncwole9	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.26.13.205
	http://www.cajamar-soporte.com	Get hash	malicious	Unknown	Browse	104.26.13.205
	1mXbuDDPbF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.26.13.205
	k8TljgjfDl.exe	Get hash	malicious	Snake Keylogger	Browse	104.26.13.205
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFhSZp6GshBFVdVLEzBsru52fhlDAZ8Q3OfCA-2F-2Bk2qB9l25yp_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZM3qYZS8WARR8FVyg-2FqvoINWytiD-2FheyMDzu6v-2BoRt5KWyPoztbWkeGPmxB3DyZYTb9a0dAMPLFunr2Ay3ayAFAAvKLYcNXJh5TbSbsyQLthHxBhJhxiFX8keWC7AD3Hw3SgmU-2Be6lkIQuq7tgnHL9CbCr8GEaIyKgtaL1D3uFR7kdAbCakzZIHLBzzIP6uu3b9lr3L70N6m-2FPL5vz2WpJ-2B4Z2WkXjdKV6CAWTeZlidHHDlZecGQIcrIqiWGF6jpeY-3D#Dsonya.buzzard@aggregate.com	Get hash	malicious	Unknown	Browse	104.26.13.205
	q7r87KTHbc.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	fKSLpv8s1v.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.13.205

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.0093666190893025
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	VG0x1LZCFb.exe
File size:	248'832 bytes
MD5:	f0584ec3946ed12facabaae4789235b7
SHA1:	f58a9f4ea1fb7aa409e029fcb0c976dc680ac034
SHA256:	906c1863777e91ff508ccb1758ee2f7bdec9cb59f0c251e0a1ddd64d9cc82548
SHA512:	ba3c56dcbf49102b7293f6e1e2543668ffc700a352208be48a388cdf03a09f85b7b7366a4e58f6d0f629d76b812822fa5a0efe8ffdb9c2010252e14d94515f19
SSDEEP:	3072:rfznzvDu7CYtOsaPDUGAaVIPhVBrP2xtezLAf5spKS6hc:rfznzvDu7zOsu1IwLefAUKdh
TLSH:	6334FE037E88EB15E5A87E3782EF6C2413F2B0C71633C60B6F49AE6518516426D7E72D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Of................................. ........@.. .......................@............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x43e0fe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x664F00EA [Thu May 23 08:40:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3e0a8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x40000	0x546	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x42000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3c104	0x3c200	1662ff8de3986c2ef093b32386749986	False	0.3580512603950104	data	5.020659103859821	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x40000	0x546	0x600	c9aac46056b95e6c552f0c78f7a87f9c	False	0.3990885416666667	data	3.9922933899819766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x42000	0xc	0x200	07132586ab33dc2b707c51e01c65522a	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x400a0	0x2bc	data			0.44142857142857145
RT_MANIFEST	0x4035c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 14:50:55.727543116 CEST	49710	443	192.168.2.6	104.26.13.205
Jul 3, 2024 14:50:55.727572918 CEST	443	49710	104.26.13.205	192.168.2.6
Jul 3, 2024 14:50:55.727660894 CEST	49710	443	192.168.2.6	104.26.13.205
Jul 3, 2024 14:50:55.735373020 CEST	49710	443	192.168.2.6	104.26.13.205
Jul 3, 2024 14:50:55.735388994 CEST	443	49710	104.26.13.205	192.168.2.6
Jul 3, 2024 14:50:56.222157001 CEST	443	49710	104.26.13.205	192.168.2.6
Jul 3, 2024 14:50:56.222270966 CEST	49710	443	192.168.2.6	104.26.13.205
Jul 3, 2024 14:50:56.225907087 CEST	49710	443	192.168.2.6	104.26.13.205
Jul 3, 2024 14:50:56.225914955 CEST	443	49710	104.26.13.205	192.168.2.6
Jul 3, 2024 14:50:56.226151943 CEST	443	49710	104.26.13.205	192.168.2.6
Jul 3, 2024 14:50:56.268258095 CEST	49710	443	192.168.2.6	104.26.13.205
Jul 3, 2024 14:50:56.296401024 CEST	49710	443	192.168.2.6	104.26.13.205
Jul 3, 2024 14:50:56.340507984 CEST	443	49710	104.26.13.205	192.168.2.6
Jul 3, 2024 14:50:56.409030914 CEST	443	49710	104.26.13.205	192.168.2.6
Jul 3, 2024 14:50:56.409082890 CEST	443	49710	104.26.13.205	192.168.2.6
Jul 3, 2024 14:50:56.409133911 CEST	49710	443	192.168.2.6	104.26.13.205
Jul 3, 2024 14:50:56.429538965 CEST	49710	443	192.168.2.6	104.26.13.205
Jul 3, 2024 14:50:57.054249048 CEST	49711	587	192.168.2.6	51.255.149.48
Jul 3, 2024 14:50:57.059155941 CEST	587	49711	51.255.149.48	192.168.2.6
Jul 3, 2024 14:50:57.059228897 CEST	49711	587	192.168.2.6	51.255.149.48
Jul 3, 2024 14:50:57.973027945 CEST	587	49711	51.255.149.48	192.168.2.6
Jul 3, 2024 14:50:57.974553108 CEST	49711	587	192.168.2.6	51.255.149.48
Jul 3, 2024 14:50:57.979518890 CEST	587	49711	51.255.149.48	192.168.2.6
Jul 3, 2024 14:50:58.154546976 CEST	587	49711	51.255.149.48	192.168.2.6
Jul 3, 2024 14:50:58.156016111 CEST	49711	587	192.168.2.6	51.255.149.48
Jul 3, 2024 14:50:58.160872936 CEST	587	49711	51.255.149.48	192.168.2.6
Jul 3, 2024 14:50:58.331581116 CEST	587	49711	51.255.149.48	192.168.2.6
Jul 3, 2024 14:50:58.332674980 CEST	49711	587	192.168.2.6	51.255.149.48
Jul 3, 2024 14:50:58.338809967 CEST	587	49711	51.255.149.48	192.168.2.6
Jul 3, 2024 14:51:00.142119884 CEST	587	49711	51.255.149.48	192.168.2.6
Jul 3, 2024 14:51:00.142524958 CEST	49711	587	192.168.2.6	51.255.149.48
Jul 3, 2024 14:51:00.147452116 CEST	587	49711	51.255.149.48	192.168.2.6
Jul 3, 2024 14:51:00.317382097 CEST	587	49711	51.255.149.48	192.168.2.6
Jul 3, 2024 14:51:00.317859888 CEST	587	49711	51.255.149.48	192.168.2.6
Jul 3, 2024 14:51:00.317930937 CEST	49711	587	192.168.2.6	51.255.149.48
Jul 3, 2024 14:51:00.323214054 CEST	49711	587	192.168.2.6	51.255.149.48
Jul 3, 2024 14:51:00.328083992 CEST	587	49711	51.255.149.48	192.168.2.6
Jul 3, 2024 14:51:00.374967098 CEST	49713	587	192.168.2.6	51.255.149.48
Jul 3, 2024 14:51:00.380074978 CEST	587	49713	51.255.149.48	192.168.2.6
Jul 3, 2024 14:51:00.380163908 CEST	49713	587	192.168.2.6	51.255.149.48
Jul 3, 2024 14:51:01.554433107 CEST	587	49713	51.255.149.48	192.168.2.6
Jul 3, 2024 14:51:01.554586887 CEST	49713	587	192.168.2.6	51.255.149.48
Jul 3, 2024 14:51:01.560247898 CEST	587	49713	51.255.149.48	192.168.2.6
Jul 3, 2024 14:51:01.736784935 CEST	587	49713	51.255.149.48	192.168.2.6
Jul 3, 2024 14:51:01.737015963 CEST	49713	587	192.168.2.6	51.255.149.48
Jul 3, 2024 14:51:01.742324114 CEST	587	49713	51.255.149.48	192.168.2.6
Jul 3, 2024 14:51:05.944520950 CEST	587	49713	51.255.149.48	192.168.2.6
Jul 3, 2024 14:51:05.944825888 CEST	49713	587	192.168.2.6	51.255.149.48
Jul 3, 2024 14:51:05.952310085 CEST	587	49713	51.255.149.48	192.168.2.6
Jul 3, 2024 14:51:08.499800920 CEST	587	49713	51.255.149.48	192.168.2.6
Jul 3, 2024 14:51:08.502593040 CEST	49713	587	192.168.2.6	51.255.149.48
Jul 3, 2024 14:51:08.507616997 CEST	587	49713	51.255.149.48	192.168.2.6
Jul 3, 2024 14:51:08.693523884 CEST	587	49713	51.255.149.48	192.168.2.6
Jul 3, 2024 14:51:08.693852901 CEST	49713	587	192.168.2.6	51.255.149.48
Jul 3, 2024 14:51:08.694345951 CEST	587	49713	51.255.149.48	192.168.2.6
Jul 3, 2024 14:51:08.694422007 CEST	49713	587	192.168.2.6	51.255.149.48
Jul 3, 2024 14:51:08.698677063 CEST	587	49713	51.255.149.48	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 14:50:55.715183973 CEST	54206	53	192.168.2.6	1.1.1.1
Jul 3, 2024 14:50:55.722693920 CEST	53	54206	1.1.1.1	192.168.2.6
Jul 3, 2024 14:50:57.022212982 CEST	64278	53	192.168.2.6	1.1.1.1
Jul 3, 2024 14:50:57.053117990 CEST	53	64278	1.1.1.1	192.168.2.6
Jul 3, 2024 14:51:16.807754040 CEST	53	60240	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 14:50:55.715183973 CEST	192.168.2.6	1.1.1.1	0xc37d	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 3, 2024 14:50:57.022212982 CEST	192.168.2.6	1.1.1.1	0x1b41	Standard query (0)	mail.expresscargoes.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 14:50:55.722693920 CEST	1.1.1.1	192.168.2.6	0xc37d	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 3, 2024 14:50:55.722693920 CEST	1.1.1.1	192.168.2.6	0xc37d	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 3, 2024 14:50:55.722693920 CEST	1.1.1.1	192.168.2.6	0xc37d	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 3, 2024 14:50:57.053117990 CEST	1.1.1.1	192.168.2.6	0x1b41	No error (0)	mail.expresscargoes.net	expresscargoes.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 14:50:57.053117990 CEST	1.1.1.1	192.168.2.6	0x1b41	No error (0)	expresscargoes.net		51.255.149.48	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	104.26.13.205	443	3212	C:\Users\user\Desktop\VG0x1LZCFb.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 12:50:56 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-03 12:50:56 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 12:50:56 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89d7010e28594326-EWR
2024-07-03 12:50:56 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 3, 2024 14:50:57.973027945 CEST	587	49711	51.255.149.48	192.168.2.6	220-gra109.truehost.cloud ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 15:50:57 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 14:50:57.974553108 CEST	49711	587	192.168.2.6	51.255.149.48	EHLO 992547
Jul 3, 2024 14:50:58.154546976 CEST	587	49711	51.255.149.48	192.168.2.6	250-gra109.truehost.cloud Hello 992547 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 14:50:58.156016111 CEST	49711	587	192.168.2.6	51.255.149.48	AUTH login bm9yZXBseUBleHByZXNzY2FyZ29lcy5uZXQ=
Jul 3, 2024 14:50:58.331581116 CEST	587	49711	51.255.149.48	192.168.2.6	334 UGFzc3dvcmQ6
Jul 3, 2024 14:51:00.142119884 CEST	587	49711	51.255.149.48	192.168.2.6	535 Incorrect authentication data
Jul 3, 2024 14:51:00.142524958 CEST	49711	587	192.168.2.6	51.255.149.48	MAIL FROM:<noreply@expresscargoes.net>
Jul 3, 2024 14:51:00.317382097 CEST	587	49711	51.255.149.48	192.168.2.6	550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
Jul 3, 2024 14:51:01.554433107 CEST	587	49713	51.255.149.48	192.168.2.6	220-gra109.truehost.cloud ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 15:51:01 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 14:51:01.554586887 CEST	49713	587	192.168.2.6	51.255.149.48	EHLO 992547
Jul 3, 2024 14:51:01.736784935 CEST	587	49713	51.255.149.48	192.168.2.6	250-gra109.truehost.cloud Hello 992547 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 3, 2024 14:51:01.737015963 CEST	49713	587	192.168.2.6	51.255.149.48	AUTH login bm9yZXBseUBleHByZXNzY2FyZ29lcy5uZXQ=
Jul 3, 2024 14:51:05.944520950 CEST	587	49713	51.255.149.48	192.168.2.6	334 UGFzc3dvcmQ6
Jul 3, 2024 14:51:08.499800920 CEST	587	49713	51.255.149.48	192.168.2.6	535 Incorrect authentication data
Jul 3, 2024 14:51:08.502593040 CEST	49713	587	192.168.2.6	51.255.149.48	MAIL FROM:<noreply@expresscargoes.net>
Jul 3, 2024 14:51:08.693523884 CEST	587	49713	51.255.149.48	192.168.2.6	550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

Target ID:	0
Start time:	08:50:53
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\VG0x1LZCFb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VG0x1LZCFb.exe"
Imagebase:	0x350000
File size:	248'832 bytes
MD5 hash:	F0584EC3946ED12FACABAAE4789235B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.4562988090.00000000027C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.2120961167.0000000000352000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000000.2120961167.0000000000352000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4562988090.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.4562988090.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	15.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.6%
Total number of Nodes:	71
Total number of Limit Nodes:	6

Executed Functions

Function 00D7A1A0 Relevance: 3.1, Instructions: 3104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a4d47c00a2da28318af1a733dc25182b33059dbe1212521702f73fe6257b7f
Instruction ID: 17a0aadf5a095c4f2dc4873cb1d54737600371e693c474e2beb237b6c3b9eedb
Opcode Fuzzy Hash: a8a4d47c00a2da28318af1a733dc25182b33059dbe1212521702f73fe6257b7f
Instruction Fuzzy Hash: 1B630931D10B1A8ADB11EF68C8806A9F7B1FF99300F55D79AE45877121FB70AAC5CB81

Function 00D7D4F8 Relevance: 2.3, Instructions: 2300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79be92f785d5b375fd0889ff6b5a00d92097bd98e92af406099c5906db572ed
Instruction ID: 7280df9eb0a08f9e985b268f87ce3f8ab0129cc82aad159860760523c3f7e026
Opcode Fuzzy Hash: c79be92f785d5b375fd0889ff6b5a00d92097bd98e92af406099c5906db572ed
Instruction Fuzzy Hash: 31331C31D107198ADB11EF68C8806ADF7B1FF99300F15C79AE459A7221FB70AAC5CB91

Function 06A137A0 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4565343740.0000000006A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a10000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304418a7dff9cae8b9b867b01de90e70b6b5f1f1f85c0e86d2a715d80ba44049
Instruction ID: af41ae4f6d12a14b067cdbcb29213b025eadd064a1a034f7db2d1c4098e17b58
Opcode Fuzzy Hash: 304418a7dff9cae8b9b867b01de90e70b6b5f1f1f85c0e86d2a715d80ba44049
Instruction Fuzzy Hash: D3F11830E00219CFEF54EFA9C948B9DBBB2BF48314F158559E405AF265DB71E949CB80

Function 063033A0 Relevance: 1.8, Strings: 1, Instructions: 598
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 0630371D

Memory Dump Source

Source File: 00000000.00000002.4564808822.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6300000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 708b531eacbe1d4d4af5ec137db8f8d2bbb68758acf9bce56354e1a19d4725b6
Instruction ID: cfcbfaf8fa12d39fef5dfc3a46a33382faac665e4e2e36077d2262bf0bf4e312
Opcode Fuzzy Hash: 708b531eacbe1d4d4af5ec137db8f8d2bbb68758acf9bce56354e1a19d4725b6
Instruction Fuzzy Hash: 1022BF35F0024A9FEF64DFA4C5A06AEBBB2EF85310F208469D455AB391DB35DC49CB90

Function 06300448 Relevance: 1.5, Instructions: 1530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4564808822.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6300000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845bb34c353c074c6a46d1f5d9fa7b612ce5ab7364dace44936c5b18c4f0a3a5
Instruction ID: 2f416a4c8900ee40eb5aa0236cd9ac55c19ddc619ddd939e72f397037e73dbdf
Opcode Fuzzy Hash: 845bb34c353c074c6a46d1f5d9fa7b612ce5ab7364dace44936c5b18c4f0a3a5
Instruction Fuzzy Hash: B6E21934E00209CFEB64DB68C594B9DB7B2EF85300F5485A9D449AB391EB35ED89CF90

Function 00D73E80 Relevance: 1.5, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\V(m, xrefs: 00D740CB

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID: \V(m
API String ID: 0-2800782923
Opcode ID: a2cbc4c64182aa7a4f3f48319898307934f2656f0d1622389844af005eeabcce
Instruction ID: 67169fb1c87b8a16e6a6f6efef129c6bf78150710a68961a9a63f5f627b13144
Opcode Fuzzy Hash: a2cbc4c64182aa7a4f3f48319898307934f2656f0d1622389844af005eeabcce
Instruction Fuzzy Hash: 3C915E70E00309CFDF15DFA9C88579DBBF2AF88354F14C129E819A7294EB749985CBA1

Function 063043E0 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4564808822.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6300000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e93896f455a6259d9c1923af371ca3f40205a1f11b8f451724c4f541a37bc95c
Instruction ID: bbdf169342405e0d10dfb005c676aa5f7bea75c39f4bc821771dbe8454484bf1
Opcode Fuzzy Hash: e93896f455a6259d9c1923af371ca3f40205a1f11b8f451724c4f541a37bc95c
Instruction Fuzzy Hash: 86228D34A00205CFEB64DB68D594BADB7F2EF85310F148469E616DB392DB35ED4ACB80

Function 00D799D0 Relevance: .5, Instructions: 547COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65f342cdda2ffba45953ff9d48d696bf1bd88c957fd838404cc39de6cfad676
Instruction ID: 70792d1019c6b8ed32bf06ced28219b499b9d1e1ca9dd2313000e50d02bf36d7
Opcode Fuzzy Hash: f65f342cdda2ffba45953ff9d48d696bf1bd88c957fd838404cc39de6cfad676
Instruction Fuzzy Hash: 34125C35A002058FDB14DF68D594AADFBB2EF89310F24C569E909DB355EB35DC42CBA0

Function 06308A48 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4564808822.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6300000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c589445ff9fe622a404fa39e9ebfb78abe3be975ab6764f04c0e02daf593a63
Instruction ID: 6112ac462ac8df8a12839b438135fd16c5724e0e5e944214b2d87dd0e0fda719
Opcode Fuzzy Hash: 9c589445ff9fe622a404fa39e9ebfb78abe3be975ab6764f04c0e02daf593a63
Instruction Fuzzy Hash: CBB19530B04218CFEF58EB75A86467E7BB7AFC4610B19856ED506E7388DE348C0A87D1

Function 0630BB58 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4564808822.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6300000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557b66a20fd9d4990ec4294554e3866fece70838cd97378beec44a8226cd92a4
Instruction ID: c8d2f867e6e1c4796dd2c64bb816fd7127f9a1bffaa71fbd1e4076128fa3eb3d
Opcode Fuzzy Hash: 557b66a20fd9d4990ec4294554e3866fece70838cd97378beec44a8226cd92a4
Instruction Fuzzy Hash: AEB1A171E002199FEB65DF69C8507AEFBB5FB89310F10852AE506EB390CB359909CBD1

Function 00D74A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9ed639e1ba6114c8f9ab725fcb9c42c4c45fe4858b6a8763b5f75e197796e3
Instruction ID: d89c3a9573e61173d8581453bd78091a1a80fc4fe11d91f913489109632a1e23
Opcode Fuzzy Hash: 6f9ed639e1ba6114c8f9ab725fcb9c42c4c45fe4858b6a8763b5f75e197796e3
Instruction Fuzzy Hash: 64B14E70E002198FDB12CFA9C88579DBBF2AF88714F18C129D859E7294FB749C45CB91

Function 00D74810 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\V(m, xrefs: 00D749D2
\V(m, xrefs: 00D7487F

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID: \V(m$\V(m
API String ID: 0-451669857
Opcode ID: 37ee01560c57a741b6cb47a8275140f5df69c7f02cbbd2eba0f5bcdfaab4fd11
Instruction ID: dff9ea17883e634428720453eea482d198815621ae429a98e75b14d9f76066a6
Opcode Fuzzy Hash: 37ee01560c57a741b6cb47a8275140f5df69c7f02cbbd2eba0f5bcdfaab4fd11
Instruction Fuzzy Hash: 7A715C70E00249CFDB15DFA9C88179EBBF2AF88714F18C129E419A7254EB749845CFA5

Function 00D74804 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\V(m, xrefs: 00D749D2
\V(m, xrefs: 00D7487F

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID: \V(m$\V(m
API String ID: 0-451669857
Opcode ID: 80a2bbb29e30b84dd3073758115e62d6b0af6b011b34ed8e4ed22bca1f36d38e
Instruction ID: 06eb126fbcae78a2d8b19a6c9755e90856f4d76fda57811bd74e4cbe20426955
Opcode Fuzzy Hash: 80a2bbb29e30b84dd3073758115e62d6b0af6b011b34ed8e4ed22bca1f36d38e
Instruction Fuzzy Hash: 48715C70E00249DFDB15CFA9C8817DEBBF1AF88714F18C129E419AB254EB749845CFA5

Function 06308EE0 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4564808822.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6300000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9ed24972e4903c091abaf2d614b51bbed58f08aaf5490260f23abebbe03ae8
Instruction ID: c2470050c8098e005ea43abb3f5ad0908a1cc5e014cc7deedad5cfd1364b761c
Opcode Fuzzy Hash: eb9ed24972e4903c091abaf2d614b51bbed58f08aaf5490260f23abebbe03ae8
Instruction Fuzzy Hash: 4A415532E043998FDB10DFB9D8102EEBBF5AFCA310F14856AD548A7281DB349849CBD0

Function 063086A8 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,06308F32), ref: 0630901F

Memory Dump Source

Source File: 00000000.00000002.4564808822.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6300000_VG0x1LZCFb.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: cde88b6f3c94058b75ef722a1344bfa09b387fa6a4942f5d5f96acd42e07cf81
Instruction ID: e7228aeecdbc798698472415765e0d1369d6a096e36274f85589a087dc00e986
Opcode Fuzzy Hash: cde88b6f3c94058b75ef722a1344bfa09b387fa6a4942f5d5f96acd42e07cf81
Instruction Fuzzy Hash: 691136B1C046599BDB10DF9AC44479EFBF4AB48310F10812AE818A7241D378A944CFE5

Function 06308FB1 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,06308F32), ref: 0630901F

Memory Dump Source

Source File: 00000000.00000002.4564808822.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6300000_VG0x1LZCFb.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b6904dcdb6679faab0060538e1a55c75b782bfdf7109393c5123e2627dfa2f17
Instruction ID: 1d6672fef733a9ad7692c8675edb32c9fd75d6dbb1789d0346c871a8758f202d
Opcode Fuzzy Hash: b6904dcdb6679faab0060538e1a55c75b782bfdf7109393c5123e2627dfa2f17
Instruction Fuzzy Hash: A81117B1C0465A9FDB10DF9AC4447DEFBF4AF48310F14816AD418A7241D378A944CFE5

Function 0630DE4C Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0630F8B6

Memory Dump Source

Source File: 00000000.00000002.4564808822.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6300000_VG0x1LZCFb.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 24f1063298dcd582f597e6dadc5bb378fc22039a9e6fe97aa9399b880fbca914
Instruction ID: 9ff51e8276e44f05305015b136a1ca54aa7b6b8868712b36cd5206f676de993f
Opcode Fuzzy Hash: 24f1063298dcd582f597e6dadc5bb378fc22039a9e6fe97aa9399b880fbca914
Instruction Fuzzy Hash: C8111FB6C006498BEB20CF9AC444ADEBBF4EB89210F10842AD829B7250C375A549CFA4

Function 0630F84A Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0630F8B6

Memory Dump Source

Source File: 00000000.00000002.4564808822.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6300000_VG0x1LZCFb.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e7a95d0f580b07794128f29fb05bb82ef30f629cbecf18ad6f72b079a0669864
Instruction ID: eb38db59c4d87294ca8ca472008ce7f18afbe86b9d217188a8074a4cc36eb714
Opcode Fuzzy Hash: e7a95d0f580b07794128f29fb05bb82ef30f629cbecf18ad6f72b079a0669864
Instruction Fuzzy Hash: 631102B6C006498FDB20DF9AD844ADEFBF8EB89314F10841AD869B7250C375A549CFA1

Function 00D73E76 Relevance: 1.5, Strings: 1, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\V(m, xrefs: 00D740CB

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID: \V(m
API String ID: 0-2800782923
Opcode ID: db686167af62d6560643ad1be09dcc113f58d7f0ac94ec7f42ac2710faf177af
Instruction ID: b2a42b10aecd382bba775faf1f39ae2c253ef34a6a20827cbc989628d53cd55d
Opcode Fuzzy Hash: db686167af62d6560643ad1be09dcc113f58d7f0ac94ec7f42ac2710faf177af
Instruction Fuzzy Hash: BB915C70E00309CFDB11DFA8C8857DDFBF1AF88354F188129E819A7294EB749985CBA1

Function 00D78351 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c97bed49b7773080c4806bfe4f02e846aa0185aea1bcd85ca3792c9ae8345c5
Instruction ID: 1f356a6dcd47b392988d7edfaeac92ef3c718b250e7f03dc6935b74988c19637
Opcode Fuzzy Hash: 8c97bed49b7773080c4806bfe4f02e846aa0185aea1bcd85ca3792c9ae8345c5
Instruction Fuzzy Hash: FFA19371700202CBFF1AAB68E45421D73B2EBCA345F14892DE60ACB345DE79ED879791

Function 00D78360 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38f72d0d367e8667103d4925c60b39b4e1c78c1546bcc121a889ca20563a4a7
Instruction ID: 610d93f7fd5354db174c6e669b265d56b63fead5361322e9be80112605c8b973
Opcode Fuzzy Hash: f38f72d0d367e8667103d4925c60b39b4e1c78c1546bcc121a889ca20563a4a7
Instruction Fuzzy Hash: 3CA19470700206CBFF19AB78E45421D73A2EBCA345F14892DE60ACB345DE79ED879791

Function 00D74A8E Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b214642bf701cb8321f8b95c78f2ce78ac8f8a0febcd3f61f6e62478f211cf
Instruction ID: dfe96fb3e4029dc3ad78c99141b3a35a2fe1bc922e655824815175bb2bb1d675
Opcode Fuzzy Hash: f6b214642bf701cb8321f8b95c78f2ce78ac8f8a0febcd3f61f6e62478f211cf
Instruction Fuzzy Hash: 7AA13E70E002198FDB22CFA8D8857DDBBF1AF48754F18C129D459E7294FB749845CBA1

Function 00D799BC Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cdf4d1a0825157b57807a939c984c0fbdf6d066783a4ff35577d60ee0498d6d
Instruction ID: 390aaea99e46592e1f203fe2aa0212ef8cebc753b983bae0171cc4a4d963fd03
Opcode Fuzzy Hash: 9cdf4d1a0825157b57807a939c984c0fbdf6d066783a4ff35577d60ee0498d6d
Instruction Fuzzy Hash: 65915D35A001049FDF15DF68D5A4AADBBF2EF88310F248569E90AE7355EB34ED42CB50

Function 00D76ED8 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530e6c9db7032d2be671c1c6139228e9e74d68df24f434783d2e553e16b1827c
Instruction ID: 80f7ed0b5718fa617686d61fe3e282c009718fcdd73e7fe27afa223c8b2db605
Opcode Fuzzy Hash: 530e6c9db7032d2be671c1c6139228e9e74d68df24f434783d2e553e16b1827c
Instruction Fuzzy Hash: 5D516E34704614CFDB15EB68D454AAD7BB2EF89700F248469E40AEB3A1EB75DC41CBA1

Function 00D77D2C Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e0158913a57347dc138725f45c313530befdbba2e2ee0ae78f3fc4e2bf52f79
Instruction ID: ff50b516b626f8d2d6450b2d5f9a57de752f5debda43f49970422625e1c388c1
Opcode Fuzzy Hash: 7e0158913a57347dc138725f45c313530befdbba2e2ee0ae78f3fc4e2bf52f79
Instruction Fuzzy Hash: 98316270E1424A9BEB15CF64C9547AEB7B2EF96700F258869F406EB350EB749C42CB60

Function 00D76CE2 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b13e7e734f03b8cf792bc3df7259de9c765bb82a7ead7f5c4f23aa95ccf2e40
Instruction ID: 05bf3b1fc733bc2fd8afeed9961ef7285e1a2f0a1b3b7577768a9a9a85dacab5
Opcode Fuzzy Hash: 0b13e7e734f03b8cf792bc3df7259de9c765bb82a7ead7f5c4f23aa95ccf2e40
Instruction Fuzzy Hash: 6C51F375E106588FDB24CFA9C894BADBBB1BF48310F18C129E819BB391E7749844CF65

Function 00D76CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988b05397ce1cd5fc5cc7d70fa2914df79ad013e01347410e17800c524743183
Instruction ID: 60e538631ed1decee5d0802fca0749afe3d715d857517d5c6c2379195635a5dc
Opcode Fuzzy Hash: 988b05397ce1cd5fc5cc7d70fa2914df79ad013e01347410e17800c524743183
Instruction Fuzzy Hash: BB510575E106198FDB14CFA9C884B9DBBB1BF48310F18C519E819BB351E774A844CFA5

Function 00D71138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be9e54c1e9c59ce9245e8c4538d1241929eb669d1d3653ebb8c5ff9d6766ce
Instruction ID: 3254615801fd428e6f66e9ed147a9b1ba469ce3f867298527ba8f1a9a2e66f4d
Opcode Fuzzy Hash: c5be9e54c1e9c59ce9245e8c4538d1241929eb669d1d3653ebb8c5ff9d6766ce
Instruction Fuzzy Hash: BF51EB31211386CFE70EFF68FC90A557FA1F7A9304304D969D2144B27ADBE86986CB90

Function 00D7FA5D Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62df7ffc833e20d69675483ea79d3be719055429985da28caad29c54a56931f
Instruction ID: dfc0dd14bde4f5eb82b183437f119604392cc277f42bc425ac425c559393284e
Opcode Fuzzy Hash: d62df7ffc833e20d69675483ea79d3be719055429985da28caad29c54a56931f
Instruction Fuzzy Hash: 0631AE317002058FDB15AB74D564A6E7BB3AF89700F248479D40ADB385EE35DC06C7A0

Function 00D7FA70 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18297f294f5f6f29cb6e9d652dc6975989f58aae7a8ce69ca2553a45c0af36c8
Instruction ID: 1295e4cf90c87b2c15eb527d4dad5cbfa75fc894d51d24c1d3e9c233e9a21c4b
Opcode Fuzzy Hash: 18297f294f5f6f29cb6e9d652dc6975989f58aae7a8ce69ca2553a45c0af36c8
Instruction Fuzzy Hash: 4B316D317002068FDB64AB74D564A6F7BB3AB89700B248478D50ADB395EE35DC46CBA1

Function 00D77D98 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e523f7a60714b4a4a73a5a3c830e12c10110b8d76372b738532cde708fe03184
Instruction ID: e16f82e19df32264f6184e15362fc64eceb1f5e2347506379c15519054c59dda
Opcode Fuzzy Hash: e523f7a60714b4a4a73a5a3c830e12c10110b8d76372b738532cde708fe03184
Instruction Fuzzy Hash: 8D315031E14209DBEB15DFA4D9547AEB7B1EF85310F248865F509E7250E7709C81CBA1

Function 00D7F921 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6bcb3db2bcc1723f4d25dba6a775760e97fd7635c63fa4c65e6a311563c9466
Instruction ID: 7cee502c2ec3b4e525a29f444be05858b39d543488c12475add7d07c59ee100a
Opcode Fuzzy Hash: c6bcb3db2bcc1723f4d25dba6a775760e97fd7635c63fa4c65e6a311563c9466
Instruction Fuzzy Hash: 6F313D35B002469BDB25DF68D89469EB7F2EF89310F14C529E90AE7350EB74EC468B50

Function 00D726DC Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678dc4ceecb31be0deac2507fb5cbf030dbed3b9cbd2d084ed0ff2e6e39bbe0b
Instruction ID: e6a86e8abc8a20355e1fea4d47b5935cee15b7eb53c3e0ac592e54d4d87588fb
Opcode Fuzzy Hash: 678dc4ceecb31be0deac2507fb5cbf030dbed3b9cbd2d084ed0ff2e6e39bbe0b
Instruction Fuzzy Hash: 7041D1B1D00349DFEB14DFA9C584AAEBBF5FF48314F248029E419AB250DB759945CF90

Function 00D7F930 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1edaeab0cfe903c944a46b7c7b8d6d511fc42be05a6bce310929506065f3eaf4
Instruction ID: 8f579c23ba5d1ce53ea909eb612e0ef2453935470ff8af1fd772be6b7779d243
Opcode Fuzzy Hash: 1edaeab0cfe903c944a46b7c7b8d6d511fc42be05a6bce310929506065f3eaf4
Instruction Fuzzy Hash: D4314E35F002059BDB29CF69D85469EB7B2EF89300F14C529E94AE7350EB70EC46CB60

Function 00D75098 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd5402af19b804fe075901e30dc69715969ddab70c459837cce017a1d2c0a15
Instruction ID: ed119be9d558bc397b78a764d2b9218b8c626129178c80686c5c3059b35a795c
Opcode Fuzzy Hash: ebd5402af19b804fe075901e30dc69715969ddab70c459837cce017a1d2c0a15
Instruction Fuzzy Hash: 6E319E34A00704CFCB18EB34D9547AD77B2AF48345F1084A8D805AB399EBBACC42CBA1

Function 00D726E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 103d5d282a0f0157dcc20e4807da54d4ad0ec8ecfbc4029edd7423c5c5d80997
Instruction ID: c9a9d8b459caedd5d3cb3ee70fb7b2af45252a8666d8b16fc7c0c0711eefb795
Opcode Fuzzy Hash: 103d5d282a0f0157dcc20e4807da54d4ad0ec8ecfbc4029edd7423c5c5d80997
Instruction Fuzzy Hash: 2741E1B0D00349DFDB14DFA9C580ADEBBF5FF48710F248029E419AB250EB759945CB90

Function 00D750A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06265b1a56addf2c5e718ff5ccb125308604e33190d0d35a5efdadd8244ce0ec
Instruction ID: 8c1a0eb3484b31c5772a92c52070b8b125b7181949576e2a05af8bda39ab7e17
Opcode Fuzzy Hash: 06265b1a56addf2c5e718ff5ccb125308604e33190d0d35a5efdadd8244ce0ec
Instruction Fuzzy Hash: 10317C34A00715CFDB18EB34D9146AD77F2AF48301F5084A8D809AB399EF7ADC41CBA2

Function 00D798A8 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d5e2874eb2525d32fa49f4f3102deb36095e37a512ad038a97cdb8b3fe31c3
Instruction ID: 660c779998867cd9a904f7651f453763d22dc7efd81112c651bdd7c09b3fa93b
Opcode Fuzzy Hash: 87d5e2874eb2525d32fa49f4f3102deb36095e37a512ad038a97cdb8b3fe31c3
Instruction Fuzzy Hash: 8B31BF76E002468BEB15CF64C8A06DEF7B2EF89300F14C619E919AB340EB71DC46CB90

Function 00D716A0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010d62079d6ff1ddc853ace1de1d9b3cab3c305b1a78ff92c07311de7b7ea9fb
Instruction ID: 475800fa43244b39dd911b6a489313f7d6a8b791f0adc32694b30f2e858d873b
Opcode Fuzzy Hash: 010d62079d6ff1ddc853ace1de1d9b3cab3c305b1a78ff92c07311de7b7ea9fb
Instruction Fuzzy Hash: 10312B386002428FEF16EB3CE84876D7B55E755340F18DB69D00ACB366E6A4CC86CBA1

Function 00D717C0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ff5f34da575a2a2b607911651d15e36d1d103a74f5a1348626edb2a9afdbd2
Instruction ID: 08902c39b9efe90e070290f0b18cd8a9633211f50cc00e95e4cb4303fd81eb84
Opcode Fuzzy Hash: 38ff5f34da575a2a2b607911651d15e36d1d103a74f5a1348626edb2a9afdbd2
Instruction Fuzzy Hash: 8421F975F012129FDF14AB7C980476E77A5FB58361F148925E90AC7342FA74C8428BA1

Function 00D798B8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f4c4c03bbaa2bb6dd9acdc5ad0d6e50a9c0cd8c61d349a488dc1dfa2303fb8
Instruction ID: fb48aff91ddd7161ba0531c7ff5204cd7313fe32cec9fe5675c2c523b5f17f2d
Opcode Fuzzy Hash: f5f4c4c03bbaa2bb6dd9acdc5ad0d6e50a9c0cd8c61d349a488dc1dfa2303fb8
Instruction Fuzzy Hash: A2216275E002469BEB15CF64C56069EF7B2EF89300F14C619E919EB340EB71DC46CB50

Function 00D7148A Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dcee0c12f2546e85886978edf794dff92132db997e986a99651398911a03494
Instruction ID: 59295069e32c42f83a6c70a70806b93d7beb9ea01ccfd6cfaae5443ca24b5c63
Opcode Fuzzy Hash: 1dcee0c12f2546e85886978edf794dff92132db997e986a99651398911a03494
Instruction Fuzzy Hash: A421AE75A013158FDB25AF7C84402ADBBB5EB85314F28817AE80DDB241F635DC428BB1

Function 00D797A9 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd32da6326ea4c0741567a35a81093225aa5dda8295ae7e4fe4aea0cc0a6859d
Instruction ID: 3f0bd20229483454da1b119af7ca95c76cbffe557b7b5bdb8f3f08b8e2da6478
Opcode Fuzzy Hash: dd32da6326ea4c0741567a35a81093225aa5dda8295ae7e4fe4aea0cc0a6859d
Instruction Fuzzy Hash: 76214436E002059BDB18CFA4D4506DEF7B2EF99710F24C529F815BB750EB709946CB61

Function 00D7A098 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ac18a088384d697ce2e5ca47bdba48496e959ffa3db1fb47d3d6513f16078f2
Instruction ID: 3b6c6e3a484714e5c2a6a9a8d2dfa00d3eb1538b3da63256111fd65b141b211c
Opcode Fuzzy Hash: 9ac18a088384d697ce2e5ca47bdba48496e959ffa3db1fb47d3d6513f16078f2
Instruction Fuzzy Hash: A4218631B002148FEB14DB6CC955BAE7BF5EF88710F148165E909EB3A4EA71DC008BA1

Function 00D7A094 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db930aa555c2d2b58559f48210250a9abc03b3a92165f47719952a5ed8a07499
Instruction ID: a501ffd8c8ef6e2f6a7e572343f0baa7f60112a8879bfd8224470532c4cffa09
Opcode Fuzzy Hash: db930aa555c2d2b58559f48210250a9abc03b3a92165f47719952a5ed8a07499
Instruction Fuzzy Hash: F721D431B002148FEB14DB6CC855BAE7BF6FF88710F148065E509EB3A0EA71CD008BA1

Function 00A7D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562141926.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a7d000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c7d183cca62c0dd13dc010c2b7fe699596017c699432e2d7ab4a25b6b61dcc
Instruction ID: 82cf17af4b13996e034d57ec955dabdd2caa43aa0698d1e83da32fd34afa29f7
Opcode Fuzzy Hash: 50c7d183cca62c0dd13dc010c2b7fe699596017c699432e2d7ab4a25b6b61dcc
Instruction Fuzzy Hash: FC21DE71604204EFDB14DF14DD80B26BBB5FF84318F24CA6DE90E4A296C37AD847CA62

Function 00D74F88 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 806523f9a6a6acb4d71975f038fce4694cce9104703113338e3166fa1cff2795
Instruction ID: 9fe2ae1185fe4482bd1d3f77fc1b18e3cd4e6bcf7d297c7525017b41399a8fc2
Opcode Fuzzy Hash: 806523f9a6a6acb4d71975f038fce4694cce9104703113338e3166fa1cff2795
Instruction Fuzzy Hash: B7214B34700204CFCB54DB78D558AAD77F1AF89304B2444A8E50AEB3A5EB769C05CBA1

Function 00D71878 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e635060c6f87b8b1d6300b011da059f112440645059a0f4bf66d04f2a4090bf5
Instruction ID: 1bdb7d9eca9fead8b36bf7bd252b7c485b5b677e1191c5315de7cbb297b8c987
Opcode Fuzzy Hash: e635060c6f87b8b1d6300b011da059f112440645059a0f4bf66d04f2a4090bf5
Instruction Fuzzy Hash: 87218134B00205CFDB14EB68C5647AD77F5AB49305F248568D60AEB391EB358C45CBB1

Function 00D71380 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd5b079846528e92a6ff73bf4272a8f701a28244f593b7430cee664fbb40abe0
Instruction ID: d04e914b8e5072501a0d118eed557b4160e2ebf7b20d151087dd6fc8b737215f
Opcode Fuzzy Hash: dd5b079846528e92a6ff73bf4272a8f701a28244f593b7430cee664fbb40abe0
Instruction Fuzzy Hash: 1A21D378A012418FFF365B7CD44836C7B61EB12319F189A29E50EC7391EA69CCC5CB62

Function 00D797B8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5bac92764c3bf4bbd332d7eecd8d1cfa7b123b02d80c50436d1ab3b4dd4cf6
Instruction ID: 2a7cb7d81d751959ad2a576505021e8c1a37cb58959c71819e4c405ee0a80613
Opcode Fuzzy Hash: 0e5bac92764c3bf4bbd332d7eecd8d1cfa7b123b02d80c50436d1ab3b4dd4cf6
Instruction Fuzzy Hash: 09212F31E106199BDB18CFA5C85069EF7B6AF89310F24C52AE819BB350EB70A845CB61

Function 00D71888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f301d91928888601cfba306644b46418c1befca56972584eee4e932a87a1dd
Instruction ID: e2fea2646eed9567d3a0a4fbfde468c1443eeedc33da358e332da018466ae1dc
Opcode Fuzzy Hash: b9f301d91928888601cfba306644b46418c1befca56972584eee4e932a87a1dd
Instruction Fuzzy Hash: BF216038B00209CFDB14EB68C5647AE77F6AF49305F248568D50AEB391EB358D41CBB1

Function 00D76BA0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d38e6b6279e5d12fcdaacfe987005db50172f6cf602677b3280c4d378dcea2
Instruction ID: cfd71e625078868eb2d95719e5fc0eeb7482968c5df6589ae38454d2d195c853
Opcode Fuzzy Hash: c0d38e6b6279e5d12fcdaacfe987005db50172f6cf602677b3280c4d378dcea2
Instruction Fuzzy Hash: 272105717041855FC71AAB7994603AE7BB2EFC6300F1485ADD149CB386EE758C46CB91

Function 00D716B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa00ba905b75168ae536d530a7a09b437258599bb644340beec54d50b259250
Instruction ID: 251b5df7a5ac72c3051090f5f0ce458739ab39dee5ee8fb7571222aa25184cd6
Opcode Fuzzy Hash: 7fa00ba905b75168ae536d530a7a09b437258599bb644340beec54d50b259250
Instruction Fuzzy Hash: 5F216338600202CFEF2AEB3CE88475D7756E745354F14EA25D10ACB365EAB8DC858BA1

Function 00D74F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4476581b6a8ecb1104167a7cb83a0f6705a0b24da0892e5cd58f6a9fb31cb8e3
Instruction ID: ddd0cf3df25a33054d688da40dceff62ebc79d8151be5a34a96b16b027079d2b
Opcode Fuzzy Hash: 4476581b6a8ecb1104167a7cb83a0f6705a0b24da0892e5cd58f6a9fb31cb8e3
Instruction Fuzzy Hash: D621E934700205CFCB54DB78D958AAD77F1EF8D304B208468E50AEB3A5EB769D05CBA1

Function 00D70848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2615dcb2f9f6c3de94db374e1f7498bea29788ff49a98f3a650c5be7c36f3fb2
Instruction ID: 81e876748c461a059e789032b0e5148bc3cb8fe50f8cae9de63164acfb798681
Opcode Fuzzy Hash: 2615dcb2f9f6c3de94db374e1f7498bea29788ff49a98f3a650c5be7c36f3fb2
Instruction Fuzzy Hash: 74114F30B00209CFEF15BB79D8147697A55EB45354F28CA3AD50ACB3D5EA25CC818BE2

Function 00D70838 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de72c1350244ce7d84108edd7d0bac5d448da8ff911589d0306b21ba0199075b
Instruction ID: 6a36f1c89e4e06af2c85c4deeca5206a6dc5c6a9cfa98008a2eae4392681a123
Opcode Fuzzy Hash: de72c1350244ce7d84108edd7d0bac5d448da8ff911589d0306b21ba0199075b
Instruction Fuzzy Hash: 5C11E370B00209CFEF256B75D8107793A61E785354F28CA3ED54ACB2C1FA20CD824BE2

Function 00A7D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562141926.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a7d000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
Instruction ID: 11e2eb634e27dd3a0a2657522aa5709cc9163f6592ec6c81524b4e444815fd69
Opcode Fuzzy Hash: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
Instruction Fuzzy Hash: B5118B75504284DFCB15CF14D9C4B15BBB1FB84318F28C6AAD84A4B656C33AD84BCB62

Function 00D71498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: badafbc1381a6e392d19af34593cdd2fdd18b668ba0acf5506d1e5e05e35451f
Instruction ID: c1ea9cc70182f334693a4106def516bddbc3c85b6bd05452c0c02d758cf4cee7
Opcode Fuzzy Hash: badafbc1381a6e392d19af34593cdd2fdd18b668ba0acf5506d1e5e05e35451f
Instruction Fuzzy Hash: 9B016D35A002159FCF25EFB884411AEBBF9EF88310B288579E809E7241F635D9418BB5

Function 00D79EF0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7126f1d061cded30273955c581291e93490ca998455b77f3cfa8c39c0985d47
Instruction ID: a276fa10bba9341ba317c43106063806e8ea1920dc86dc2da9d116ab177eb293
Opcode Fuzzy Hash: c7126f1d061cded30273955c581291e93490ca998455b77f3cfa8c39c0985d47
Instruction Fuzzy Hash: A0110431A002058FDB10EF69D954B8AFBA6EF91310F14C164D90C5F39AEB70ED06CBA1

Function 00D79F00 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526b11b2b3784b554648d170cd76990812f01e40da94a42835212253ea8e74ba
Instruction ID: 30f84ce09c46de90ec96ffea20ce668a5717c8854eca5c72719c05935bd58d66
Opcode Fuzzy Hash: 526b11b2b3784b554648d170cd76990812f01e40da94a42835212253ea8e74ba
Instruction Fuzzy Hash: 7801F131A002058FDF10EF69D980B8AFBA6EF80310F54C224D80C5B35AEB70ED46CBA0

Function 00D77EB0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe74f52be5df0feddb953461c5709735f899c5da50491600b63fabf7f25a34f
Instruction ID: 114641c9998e7c2e8c111a1a068ce33ff080ffe32edcb99a155ff11fb11bf1d1
Opcode Fuzzy Hash: 5fe74f52be5df0feddb953461c5709735f899c5da50491600b63fabf7f25a34f
Instruction Fuzzy Hash: 43014835A411448FD714DBB4D9ACBAC77B2EF89315F1488A8E50AAB3A0DB749C82CF51

Function 00D78748 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67789c4b1215282b401a63863cb6d08270ff39c11ccef1b86b07554287ad4e5
Instruction ID: edf6c9558a62f3821459a4370de934bf150cec95d0d5e0168295f114aca4ad3e
Opcode Fuzzy Hash: f67789c4b1215282b401a63863cb6d08270ff39c11ccef1b86b07554287ad4e5
Instruction Fuzzy Hash: 81016270A0120AEFEB09FFB4E94079CBBB1EB80304F1096ACC20567355EE759F469B80

Function 00D78758 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e404c74978b38d1245a630d6ce99dd916332ea12d21c690cd9e24ba5bdf8c8d8
Instruction ID: b1dbac6e26acf83e64619f305d8efbebf4423ec483f34036874f4204427fe8da
Opcode Fuzzy Hash: e404c74978b38d1245a630d6ce99dd916332ea12d21c690cd9e24ba5bdf8c8d8
Instruction Fuzzy Hash: AAF03C34A0020AEFEB05FFB8E94069DBBB5EB80304F1096ACC10497355EA71AF469B81

Function 00D77F1C Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e33fb56c0f0d8fdae3f08854aaa2c2b7c095e36c4b07d91be4b3b8da85cbac
Instruction ID: fbe46b777b5c8271cd9f13733f4dd732d50ec1411877f86ea4d65fe3094fab6a
Opcode Fuzzy Hash: d1e33fb56c0f0d8fdae3f08854aaa2c2b7c095e36c4b07d91be4b3b8da85cbac
Instruction Fuzzy Hash: 28C08C3590804886DB209698B9482ECBB20CBC1322F0444DAC24C9001093A000E5EAB2

Non-executed Functions

Function 00D741C8 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\V(m, xrefs: 00D7447F

Memory Dump Source

Source File: 00000000.00000002.4562677539.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d70000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID: \V(m
API String ID: 0-2800782923
Opcode ID: abbd9f6f4fa87a651c674e73e7ee99a29e0ac11b26a4690f7d93a0804b1bf4fa
Instruction ID: d9b8aef215477b6d01d82dcbca5bbe385e1254b786cb720a864ff7e528bd4c47
Opcode Fuzzy Hash: abbd9f6f4fa87a651c674e73e7ee99a29e0ac11b26a4690f7d93a0804b1bf4fa
Instruction Fuzzy Hash: 7CB14F70E00219CFDF15CFA9C8857AEBBF2BF88714F18C129E419A7294EB749845CB65

Function 063051A0 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4564808822.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6300000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8a33744ce8c237d253e29ca240e760efb5c042ec79d492456f8b4efa668cbe
Instruction ID: 3fbbc87b7f5eefa4a0e72762222cf1e34ca1e0935c5fbea713e43715f178a4e4
Opcode Fuzzy Hash: 5e8a33744ce8c237d253e29ca240e760efb5c042ec79d492456f8b4efa668cbe
Instruction Fuzzy Hash: 36124E30E01219CFEB64DF65C954A9EB7B2BF88710F208569D50AAB395EB30DD85CF90

Function 06303AE8 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4564808822.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6300000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed5188bda2855dcdbee45dfdae90a2d00bc33fa59ca2bc9343d23a5c5d67f55
Instruction ID: 73ce768866d5f5ddfec1b53e906338f5b73133c9184d619db5db5c89528ac6ed
Opcode Fuzzy Hash: 0ed5188bda2855dcdbee45dfdae90a2d00bc33fa59ca2bc9343d23a5c5d67f55
Instruction Fuzzy Hash: B5E1D231F101158FEB64DB68D4A4AAEBBF6EF89310F21846AE406DB391DA31DC49C7D1

Function 06305871 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4564808822.0000000006300000.00000040.00000800.00020000.00000000.sdmp, Offset: 06300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6300000_VG0x1LZCFb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c79239ead58b5d7bd4bfcad29b0afcca83c5ecafbbb8822d91683ce5d70b99
Instruction ID: ac71af9d66809fdd7e9abaf0825ca2344bf115b2e415bf735c1393e5872c2ae9
Opcode Fuzzy Hash: 10c79239ead58b5d7bd4bfcad29b0afcca83c5ecafbbb8822d91683ce5d70b99
Instruction Fuzzy Hash: 57A13B30A11209CBEB64DF64D5A4AAEB7B6EF84310F24C529D406DB395DB74DC8ACB90

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VG0x1LZCFb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
VG0x1LZCFb.exe

Function 06A137A0 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Function 063033A0 Relevance: 1.8, Strings: 1, Instructions: 598
COMMON

Function 00D73E80 Relevance: 1.5, Strings: 1, Instructions: 238
COMMON

Function 00D74810 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Function 00D74804 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Function 06308EE0 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Function 063086A8 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Function 06308FB1 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Function 0630DE4C Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Function 0630F84A Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Function 00D73E76 Relevance: 1.5, Strings: 1, Instructions: 235
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre