Edit tour

Windows Analysis Report
dekont_20240423_388993774837743.exe

Overview

General Information

Sample name:	dekont_20240423_388993774837743.exe
Analysis ID:	1430776
MD5:	81a9abf49104df646db709f0365f8eeb
SHA1:	fc69c4c2b1b74b7a9773f1824eb0cce589bdd673
SHA256:	a11d36f9f4b69fd1e6c13584455e6270fd906530ad6e034d67927c16cbc76586
Tags:	AgentTeslaexegeoTUR
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

dekont_20240423_388993774837743.exe (PID: 6492 cmdline: "C:\Users\user\Desktop\dekont_20240423_388993774837743.exe" MD5: 81A9ABF49104DF646DB709F0365F8EEB)

conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AddInProcess32.exe (PID: 6048 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 6208 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

WerFault.exe (PID: 5488 cmdline: C:\Windows\system32\WerFault.exe -u -p 6492 -s 1072 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.hatiplertekstil.com", "Username": "info@hatiplertekstil.com", "Password": "htpl102030"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.3687524877.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.3687524877.00000000032D6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.3673240143.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3673240143.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1413485294.000001EA107E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.3687524877.0000000003281000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3687524877.0000000003281000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1415413809.000001EA20347000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1415413809.000001EA20347000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: dekont_20240423_388993774837743.exe PID: 6492	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dekont_20240423_388993774837743.exe PID: 6492	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dekont_20240423_388993774837743.exe PID: 6492	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: dekont_20240423_388993774837743.exe PID: 6492	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: AddInProcess32.exe PID: 6048	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AddInProcess32.exe PID: 6048	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.AddInProcess32.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33519:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3358b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33615:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33711:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33783:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33819:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x338a9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.dekont_20240423_388993774837743.exe.1ea203bf788.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.dekont_20240423_388993774837743.exe.1ea203bf788.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.dekont_20240423_388993774837743.exe.1ea203bf788.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31719:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3178b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31815:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x318a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31911:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31983:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31a19:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31aa9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31719:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3178b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31815:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x318a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31911:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31983:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31a19:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31aa9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.dekont_20240423_388993774837743.exe.1ea203bf788.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.dekont_20240423_388993774837743.exe.1ea203bf788.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.dekont_20240423_388993774837743.exe.1ea203bf788.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33519:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3358b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33615:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33711:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33783:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33819:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x338a9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33519:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df61:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3358b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfd3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33615:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e05d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0ef:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33711:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e159:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33783:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1cb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33819:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e261:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x338a9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2f1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 93.190.220.113, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Initiated: true, ProcessId: 6048, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49701

Snort Signatures

ETPRO TROJAN Win32/Agent Tesla SMTP Activity - Source IP: 192.168.2.7 - Destination IP: 93.190.220.113

Timestamp:	04/24/24-07:11:12.310296
SID:	2839723
Source Port:	49701
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.7 - Destination IP: 93.190.220.113

Timestamp:	04/24/24-07:11:12.310296
SID:	2030171
Source Port:	49701
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.AddInProcess32.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.hatiplertekstil.com", "Username": "info@hatiplertekstil.com", "Password": "htpl102030"}

Multi AV Scanner detection for submitted file

Source: dekont_20240423_388993774837743.exe

Virustotal: Detection: 15%

Perma Link

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.1413485294.000001EA107E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dekont_20240423_388993774837743.exe PID: 6492, type: MEMORYSTR

Source: dekont_20240423_388993774837743.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdb source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdbP source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdb source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERC9B9.tmp.dmp.7.dr

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.7:49701 -> 93.190.220.113:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.7:49701 -> 93.190.220.113:587

Source: global traffic

TCP traffic: 192.168.2.7:49701 -> 93.190.220.113:587

Source: Joe Sandbox View

ASN Name: LEASEWEB-NL-AMS-01NetherlandsNL LEASEWEB-NL-AMS-01NetherlandsNL

Source: global traffic

TCP traffic: 192.168.2.7:49701 -> 93.190.220.113:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: mail.hatiplertekstil.com

Source: AddInProcess32.exe, 00000003.00000002.3687524877.00000000032D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hatiplertekstil.com
Source: AddInProcess32.exe, 00000003.00000002.3687524877.00000000032D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.hatiplertekstil.com
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: dekont_20240423_388993774837743.exe, 00000000.00000002.1415413809.000001EA20347000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.3673240143.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.raw.unpack, cPKWk.cs	.Net Code: XNl
Source: 0.2.dekont_20240423_388993774837743.exe.1ea203bf788.2.raw.unpack, cPKWk.cs	.Net Code: XNl

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.dekont_20240423_388993774837743.exe.1ea203bf788.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.dekont_20240423_388993774837743.exe.1ea203bf788.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Code function: 0_2_00007FFAACCD1D88	0_2_00007FFAACCD1D88
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Code function: 0_2_00007FFAACCD9530	0_2_00007FFAACCD9530
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Code function: 0_2_00007FFAACCC29A1	0_2_00007FFAACCC29A1
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Code function: 0_2_00007FFAACCD9911	0_2_00007FFAACCD9911
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Code function: 0_2_00007FFAACCC4309	0_2_00007FFAACCC4309
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Code function: 0_2_00007FFAACCDC4AD	0_2_00007FFAACCDC4AD
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Code function: 0_2_00007FFAACCCEBF8	0_2_00007FFAACCCEBF8
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Code function: 0_2_00007FFAACCC8549	0_2_00007FFAACCC8549
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Code function: 0_2_00007FFAACCCCE19	0_2_00007FFAACCCCE19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_014EB428	3_2_014EB428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_014E4A98	3_2_014E4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_014E3E80	3_2_014E3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_014ECEA0	3_2_014ECEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_014E41C8	3_2_014E41C8

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6492 -s 1072

Source: dekont_20240423_388993774837743.exe

Static PE information: No import functions for PE file found

Source: dekont_20240423_388993774837743.exe, 00000000.00000002.1415413809.000001EA20347000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename062b9119-36a6-4a73-aaab-1d995e56a298.exe4 vs dekont_20240423_388993774837743.exe
Source: dekont_20240423_388993774837743.exe, 00000000.00000002.1415413809.000001EA20347000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAyigiduxohL vs dekont_20240423_388993774837743.exe
Source: dekont_20240423_388993774837743.exe, 00000000.00000000.1219116336.000001EA0E566000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameApikonedatitazaqasitF vs dekont_20240423_388993774837743.exe
Source: dekont_20240423_388993774837743.exe	Binary or memory string: OriginalFilenameApikonedatitazaqasitF vs dekont_20240423_388993774837743.exe

Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.dekont_20240423_388993774837743.exe.1ea203bf788.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.dekont_20240423_388993774837743.exe.1ea203bf788.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: dekont_20240423_388993774837743.exe, GetDirectoriesgetCurrentManagedThreadId.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.raw.unpack, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.raw.unpack, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@7/5@1/1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6492
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: NULL

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\44b95598-dd43-4b94-9681-3e96a420ba40

Jump to behavior

Source: dekont_20240423_388993774837743.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: dekont_20240423_388993774837743.exe

Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dekont_20240423_388993774837743.exe

Virustotal: Detection: 15%

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe

File read: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe "C:\Users\user\Desktop\dekont_20240423_388993774837743.exe"
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6492 -s 1072
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: dekont_20240423_388993774837743.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: dekont_20240423_388993774837743.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: dekont_20240423_388993774837743.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdb source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdbP source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdb source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WERC9B9.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERC9B9.tmp.dmp.7.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: dekont_20240423_388993774837743.exe, ContextShiftRightLogical128BitLane.cs	.Net Code: MoveLowToHighOAVariantLib
Source: dekont_20240423_388993774837743.exe, ContextShiftRightLogical128BitLane.cs	.Net Code: GetPrimeGetPreamble
Source: dekont_20240423_388993774837743.exe, ContextShiftRightLogical128BitLane.cs	.Net Code: Base64UnmanagedToManagedRef

Source: dekont_20240423_388993774837743.exe

Static PE information: 0x9EA20D34 [Sun May 3 11:25:40 2054 UTC]

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Code function: 0_2_00007FFAACCD85DC push edx; retf 0007h	0_2_00007FFAACCD8614
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Code function: 0_2_00007FFAACDB1081 push eax; retf	0_2_00007FFAACDB13E1
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Code function: 0_2_00007FFAACDB0121 push esp; retf 4810h	0_2_00007FFAACDB0312

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: dekont_20240423_388993774837743.exe PID: 6492, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: dekont_20240423_388993774837743.exe, 00000000.00000002.1413485294.000001EA107E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: dekont_20240423_388993774837743.exe, 00000000.00000002.1413485294.000001EA107E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Memory allocated: 1EA0E790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Memory allocated: 1EA28340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 14E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 3280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 3190000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199614	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199489	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1198985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1198860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1198735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1198610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1198485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1198360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1198235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1198110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1197985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1197860	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 2121			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 7719			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6440	Thread sleep count: 2121 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 6440	Thread sleep count: 7719 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -99671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -99124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -99010s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -98796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -98467s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -98350s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -98232s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -98120s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -97937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -97812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -97693s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -97562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -97343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -97234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -97124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -97015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -96906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -96796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -96687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -96577s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -96468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -96359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -96250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -1199922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -1199797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -1199614s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -1199489s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -1199360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -1199235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -1199110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -1198985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -1198860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -1198735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -1198610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -1198485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -1198360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -1198235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -1198110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -1197985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5432	Thread sleep time: -1197860s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99010	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98467	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98350	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98232	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98120	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97693	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96577	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199614	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199489	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1199110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1198985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1198860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1198735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1198610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1198485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1198360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1198235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1198110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1197985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 1197860	Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: dekont_20240423_388993774837743.exe, 00000000.00000002.1413485294.000001EA107E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: dekont_20240423_388993774837743.exe, 00000000.00000002.1413485294.000001EA107E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: dekont_20240423_388993774837743.exe, 00000000.00000002.1413485294.000001EA107E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: dekont_20240423_388993774837743.exe, 00000000.00000002.1413485294.000001EA107E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dekont_20240423_388993774837743.exe, 00000000.00000002.1413485294.000001EA107E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: AddInProcess32.exe, 00000003.00000002.3692331829.0000000006600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: dekont_20240423_388993774837743.exe, 00000000.00000002.1413485294.000001EA107E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: dekont_20240423_388993774837743.exe, 00000000.00000002.1413485294.000001EA107E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: dekont_20240423_388993774837743.exe, 00000000.00000002.1413485294.000001EA107E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: dekont_20240423_388993774837743.exe, 00000000.00000002.1413485294.000001EA107E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: dekont_20240423_388993774837743.exe, 00000000.00000002.1413485294.000001EA107E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: dekont_20240423_388993774837743.exe, 00000000.00000002.1413485294.000001EA107E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: dekont_20240423_388993774837743.exe, GetDirectoriesgetCurrentManagedThreadId.cs	Reference to suspicious API methods: ((TypeInitializergetEncodedArgument)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(WriteAsyncd39AsDateTime(setTagsIValueTupleInternal.SystemX86buffers)), WriteAsyncd39AsDateTime(setTagsIValueTupleInternal.FirstChanceExceptionEventArgsSearchForTextOfTag)), typeof(TypeInitializergetEncodedArgument)))("Pointer", out var _)
Source: dekont_20240423_388993774837743.exe, GetDirectoriesgetCurrentManagedThreadId.cs	Reference to suspicious API methods: ((TypeInitializergetEncodedArgument)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(WriteAsyncd39AsDateTime(setTagsIValueTupleInternal.SystemX86buffers)), WriteAsyncd39AsDateTime(setTagsIValueTupleInternal.FirstChanceExceptionEventArgsSearchForTextOfTag)), typeof(TypeInitializergetEncodedArgument)))("Pointer", out var _)
Source: dekont_20240423_388993774837743.exe, GetDirectoriesgetCurrentManagedThreadId.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (uint)array.Length, 64u, out var MayCorruptInstanceAsByte)
Source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.raw.unpack, Ljq6xD21ACX.cs	Reference to suspicious API methods: OZkujShDCVG.OpenProcess(aPNZ30.DuplicateHandle, bInheritHandle: true, (uint)snUp2.ProcessID)

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 10CC008	Jump to behavior

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"			Jump to behavior
Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"			Jump to behavior

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe	Queries volume information: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\dekont_20240423_388993774837743.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dekont_20240423_388993774837743.exe.1ea203bf788.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dekont_20240423_388993774837743.exe.1ea203bf788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3687524877.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3687524877.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3673240143.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3687524877.0000000003281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1415413809.000001EA20347000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dekont_20240423_388993774837743.exe PID: 6492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 6048, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dekont_20240423_388993774837743.exe.1ea203bf788.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dekont_20240423_388993774837743.exe.1ea203bf788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3673240143.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3687524877.0000000003281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1415413809.000001EA20347000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dekont_20240423_388993774837743.exe PID: 6492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 6048, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dekont_20240423_388993774837743.exe.1ea203bf788.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dekont_20240423_388993774837743.exe.1ea203bf788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dekont_20240423_388993774837743.exe.1ea20384d40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3687524877.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3687524877.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3673240143.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3687524877.0000000003281000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1415413809.000001EA20347000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dekont_20240423_388993774837743.exe PID: 6492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 6048, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	211 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	1 Credentials in Registry	231 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	21 Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
dekont_20240423_388993774837743.exe	8%	ReversingLabs	Win64.Infostealer.Generic
dekont_20240423_388993774837743.exe	16%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
hatiplertekstil.com	0%	Virustotal		Browse
mail.hatiplertekstil.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://mail.hatiplertekstil.com	0%	Avira URL Cloud	safe
http://hatiplertekstil.com	0%	Avira URL Cloud	safe
http://mail.hatiplertekstil.com	0%	Virustotal		Browse
http://hatiplertekstil.com	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hatiplertekstil.com	93.190.220.113	true	true	0%, Virustotal, Browse	unknown
mail.hatiplertekstil.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://hatiplertekstil.com	AddInProcess32.exe, 00000003.00000002.3687524877.00000000032D6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.7.dr	false		high
https://account.dyn.com/	dekont_20240423_388993774837743.exe, 00000000.00000002.1415413809.000001EA20347000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.3673240143.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://mail.hatiplertekstil.com	AddInProcess32.exe, 00000003.00000002.3687524877.00000000032D6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
93.190.220.113	hatiplertekstil.com	Turkey		60781	LEASEWEB-NL-AMS-01NetherlandsNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430776
Start date and time:	2024-04-24 07:10:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	dekont_20240423_388993774837743.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@7/5@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 80% Number of executed functions: 58 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target AddInProcess32.exe, PID 6048 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:11:07	API Interceptor	10842867x Sleep call for process: AddInProcess32.exe modified
07:11:22	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
93.190.220.113	20240417_28773667376643.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LEASEWEB-NL-AMS-01NetherlandsNL	SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse	89.149.222.197
	SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse	95.211.112.23
	BitTorrent-7.6.exe	Get hash	malicious	Unknown	Browse	83.149.84.137
	rc21AW1MZD.elf	Get hash	malicious	Mirai	Browse	85.17.43.9
	20240417_28773667376643.exe	Get hash	malicious	AgentTesla	Browse	93.190.220.113
	0d#Uff09.exe	Get hash	malicious	Unknown	Browse	5.79.122.22
	Dot_ Microsoft Password Expired Wednesday, January 24, 2024.eml	Get hash	malicious	Unknown	Browse	5.79.110.170
	Fw EDI IMPLANTACI#U00d3N .eml	Get hash	malicious	Unknown	Browse	212.32.229.214
	http://midjourney.co	Get hash	malicious	Unknown	Browse	81.171.31.78
	https://buizerdlaan-nieuwegein.nl/	Get hash	malicious	Unknown	Browse	185.71.61.14

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_dekont_20240423__f29aed481361345eef85fedfd8f72632aa8e00_c74f1f47_6ea974dd-8f19-446a-b783-c735a24ea101\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0242652330054418
Encrypted:	false
SSDEEP:	192:UnvCkN60UnU1aWBHaZW1zuiFaZ24lO8bAxi1:ECkNBUnU1amHaEzuiFaY4lO8bui
MD5:	12871D09D9CAAB50783441E435E869CE
SHA1:	195E00A0C1A27DBDAF12BCDA8EEFDEF47B6CCB7E
SHA-256:	DB6526DA7ED4931FAF3B0F070013AAB4B204D7BEC3FB835D1DC34AC9CF181C39
SHA-512:	648522D58F38D3ACB7F1163C901CA2E64B8C85602CF58DC463F828D6382A47571D19D72FAD473FD58A31B6C56E2DC7C88BDC4CEFCE4E2D9849DCD13A55E8A6A1
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.4.0.9.0.6.6.6.0.9.6.3.2.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.4.0.9.0.6.7.6.7.2.1.2.7.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.e.a.9.7.4.d.d.-.8.f.1.9.-.4.4.6.a.-.b.7.8.3.-.c.7.3.5.a.2.4.e.a.1.0.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.0.7.b.5.2.f.d.-.a.6.8.f.-.4.7.4.c.-.b.5.2.4.-.6.4.9.2.0.e.9.9.6.5.e.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.d.e.k.o.n.t._.2.0.2.4.0.4.2.3._.3.8.8.9.9.3.7.7.4.8.3.7.7.4.3...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.p.i.k.o.n.e.d.a.t.i.t.a.z.a.q.a.s.i.t.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.5.c.-.0.0.0.1.-.0.0.1.4.-.f.c.5.d.-.5.c.c.e.0.5.9.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.1.e.f.d.5.c.0.b.2.5.2.2.9.2.f.5.3.4.f.4.b.8.f.c.4.f.4.8.b.9.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.c.6.9.c.4.c.2.b.1.b.7.4.b.7.a.9.7.7.3.f.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9B9.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Wed Apr 24 05:11:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	432993
Entropy (8bit):	3.312663369203501
Encrypted:	false
SSDEEP:	3072:3Rta3RSHPj4CWAcScLwRh61CCqq3+v6VvGKlhd:BtaBaPjXcnqq3Qw
MD5:	1A3E5B60E7B7F7DFAAA8B8F2E3311503
SHA1:	676030795093BC8D82B990ABB02659D5FC37BC6E
SHA-256:	8AE8C4BBF0B02710BB010795BC2BE8454435EC37A0E9BA7EC8E23483EC4D49E8
SHA-512:	AA03B45C7CC229E240656E7FF1E94A4DEFB9685BE26955380AFD2B0F63DE519A4F7673AC2D7C41989DDA4368DAB8F3BEC462624B00FAEFFC22EA6D8B993A5F34
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......j.(f............D...............d.......$...d........ ...........N.............l.......8...........T...........h*...p...........=...........?..............................................................................eJ.......?......Lw......................T.......\...h.(f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB31.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8688
Entropy (8bit):	3.708212151909721
Encrypted:	false
SSDEEP:	192:R6l7wVeJ2Ts6YNQlhgmfLqeprQ89bQbGXf92jm:R6lXJ6s6YalhgmfLqWQbWfw6
MD5:	7393DC19D1516B55E19696C651439FFE
SHA1:	6085F8B1FDD05350E6CF41BFA1AC925BCE3FC3A4
SHA-256:	E3E8D064371616CEC5DAB727E0069B8880DEFE1B51782FD8AE8EA0FF5C263905
SHA-512:	CE280EC300F6E77E412475465D26A53B6783B6FE1D218BC86B47F645AFB85C6AB552029C26F99F3290E8C408B196116C617244CEC15742714148D725ADDF4353
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.9.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBA0.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4873
Entropy (8bit):	4.5585680095231735
Encrypted:	false
SSDEEP:	48:cvIwWl8zspJg771I9gzWpW8VYqiYm8M4J+BbmAF5yq85CdXRnbtI0f0Vjd:uIjf7I7bC7V9LJ8Lnf8Vjd
MD5:	AA247E477652085048172DD3552E5F06
SHA1:	3F363D235E15D60ABC5105A129BF8A33C66111DC
SHA-256:	0E6DBE15AE014AD0E09938FAE779D0045AAEA0FCEB28EF22233A611667599FE4
SHA-512:	FA9D81F6A5E9B7EBE1A85E08880DC3F11B5EF0368A095072A1AB74F25C71939B1C6DFC8F036CFD22F4DBD9AF7C89568295677D6CFE8134E6ADDD34629DD14BFF
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="293533" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.417124616291026
Encrypted:	false
SSDEEP:	6144:Tcifpi6ceLPL9skLmb0mMSWSPtaJG8nAgex285i2MMhA20X4WABlGuNE5+:Ii58MSWIZBk2MM6AFBKo
MD5:	7FA3270985B9693795E0B88F44B16E26
SHA1:	7F7939988C53159C4A033452269252A79485C62A
SHA-256:	86C21BC9D9DB4623E25079AD4CBCAD0D3625F896A2D6EAF89CDE8C3263F1DB12
SHA-512:	58F3DF7525C8562523E37FCF6421A716EF4836D285BAD3E708D871C8E08D45833C0E1A86E0B82FDAC1C3C0DFF8419DD0F1AEF559BDD44992450F1986F91C1DFC
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....................................................................................................................................................................................................................................................................................................................................................%...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.423627489285167
TrID:	Win64 Executable Console Net Framework (206006/5) 48.58% Win64 Executable Console (202006/5) 47.64% Win64 Executable (generic) (12005/4) 2.83% Generic Win/DOS Executable (2004/3) 0.47% DOS Executable Generic (2002/1) 0.47%
File name:	dekont_20240423_388993774837743.exe
File size:	1'007'725 bytes
MD5:	81a9abf49104df646db709f0365f8eeb
SHA1:	fc69c4c2b1b74b7a9773f1824eb0cce589bdd673
SHA256:	a11d36f9f4b69fd1e6c13584455e6270fd906530ad6e034d67927c16cbc76586
SHA512:	c802671a311272799431db1ce2a20967919b2b3e0eb3b8a0a691fa181df831b98d9c77093c729eed8c0f009607e7d217dfb9e5da5284bef5f8e44b5c87054014
SSDEEP:	24576:T0Qxs8dZ3vopZJpw7zJqt7+0fDhFh3EP/gJDWo7WlJhHJx:Tw83qjpGJqd+07hFyYJyeqbX
TLSH:	AD25AF6273F8156AF7FB4B78A87566045EF6FED22A01FA9C4550C10E0C62F8099693F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...4............."...0..*............... ....@...... ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9EA20D34 [Sun May 3 11:25:40 2054 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x66000	0xc44	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x64a06	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x62abc	0x62c00	31985b1c780d8ba6326fd8d9835136a3	False	0.3358460245253165	data	5.511939744385882	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x66000	0xc44	0xe00	aaac628cb4af8db1d34d1acf37270506	False	0.26004464285714285	data	4.3221695352484755	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x660b8	0x4d0	data			0.4667207792207792
RT_VERSION	0x66588	0x4d0	data	English	United States	0.4675324675324675
RT_MANIFEST	0x66a58	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/24/24-07:11:12.310296	TCP	2839723	ETPRO TROJAN Win32/Agent Tesla SMTP Activity	49701	587	192.168.2.7	93.190.220.113
04/24/24-07:11:12.310296	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49701	587	192.168.2.7	93.190.220.113

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 07:11:09.656979084 CEST	49701	587	192.168.2.7	93.190.220.113
Apr 24, 2024 07:11:09.956460953 CEST	587	49701	93.190.220.113	192.168.2.7
Apr 24, 2024 07:11:09.956552029 CEST	49701	587	192.168.2.7	93.190.220.113
Apr 24, 2024 07:11:10.473237991 CEST	587	49701	93.190.220.113	192.168.2.7
Apr 24, 2024 07:11:10.473917007 CEST	49701	587	192.168.2.7	93.190.220.113
Apr 24, 2024 07:11:10.774084091 CEST	587	49701	93.190.220.113	192.168.2.7
Apr 24, 2024 07:11:10.776843071 CEST	49701	587	192.168.2.7	93.190.220.113
Apr 24, 2024 07:11:11.076464891 CEST	587	49701	93.190.220.113	192.168.2.7
Apr 24, 2024 07:11:11.077503920 CEST	49701	587	192.168.2.7	93.190.220.113
Apr 24, 2024 07:11:11.406677961 CEST	587	49701	93.190.220.113	192.168.2.7
Apr 24, 2024 07:11:11.407077074 CEST	49701	587	192.168.2.7	93.190.220.113
Apr 24, 2024 07:11:11.706589937 CEST	587	49701	93.190.220.113	192.168.2.7
Apr 24, 2024 07:11:11.707004070 CEST	49701	587	192.168.2.7	93.190.220.113
Apr 24, 2024 07:11:12.006951094 CEST	587	49701	93.190.220.113	192.168.2.7
Apr 24, 2024 07:11:12.007172108 CEST	49701	587	192.168.2.7	93.190.220.113
Apr 24, 2024 07:11:12.306741953 CEST	587	49701	93.190.220.113	192.168.2.7
Apr 24, 2024 07:11:12.306786060 CEST	587	49701	93.190.220.113	192.168.2.7
Apr 24, 2024 07:11:12.310296059 CEST	49701	587	192.168.2.7	93.190.220.113
Apr 24, 2024 07:11:12.310362101 CEST	49701	587	192.168.2.7	93.190.220.113
Apr 24, 2024 07:11:12.310379982 CEST	49701	587	192.168.2.7	93.190.220.113
Apr 24, 2024 07:11:12.310436964 CEST	49701	587	192.168.2.7	93.190.220.113
Apr 24, 2024 07:11:12.609721899 CEST	587	49701	93.190.220.113	192.168.2.7
Apr 24, 2024 07:11:12.609805107 CEST	587	49701	93.190.220.113	192.168.2.7
Apr 24, 2024 07:11:12.609836102 CEST	587	49701	93.190.220.113	192.168.2.7
Apr 24, 2024 07:11:12.609859943 CEST	587	49701	93.190.220.113	192.168.2.7
Apr 24, 2024 07:11:12.614634037 CEST	587	49701	93.190.220.113	192.168.2.7
Apr 24, 2024 07:11:12.660527945 CEST	49701	587	192.168.2.7	93.190.220.113
Apr 24, 2024 07:12:48.896296024 CEST	49701	587	192.168.2.7	93.190.220.113
Apr 24, 2024 07:12:49.236011028 CEST	587	49701	93.190.220.113	192.168.2.7
Apr 24, 2024 07:12:49.241041899 CEST	49701	587	192.168.2.7	93.190.220.113
Apr 24, 2024 07:12:49.397197008 CEST	587	49701	93.190.220.113	192.168.2.7
Apr 24, 2024 07:12:49.399280071 CEST	49701	587	192.168.2.7	93.190.220.113
Apr 24, 2024 07:12:49.399416924 CEST	49701	587	192.168.2.7	93.190.220.113
Apr 24, 2024 07:12:49.540796995 CEST	587	49701	93.190.220.113	192.168.2.7
Apr 24, 2024 07:12:49.698781013 CEST	587	49701	93.190.220.113	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 07:11:08.881767988 CEST	63215	53	192.168.2.7	1.1.1.1
Apr 24, 2024 07:11:09.647625923 CEST	53	63215	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 07:11:08.881767988 CEST	192.168.2.7	1.1.1.1	0x8976	Standard query (0)	mail.hatiplertekstil.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 07:11:09.647625923 CEST	1.1.1.1	192.168.2.7	0x8976	No error (0)	mail.hatiplertekstil.com	hatiplertekstil.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 24, 2024 07:11:09.647625923 CEST	1.1.1.1	192.168.2.7	0x8976	No error (0)	hatiplertekstil.com		93.190.220.113	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 24, 2024 07:11:10.473237991 CEST	587	49701	93.190.220.113	192.168.2.7	220 20112.eticaretns.com ESMTP Exim 4.96-58-g4e9ed49f8 Wed, 24 Apr 2024 08:11:10 +0300
Apr 24, 2024 07:11:10.473917007 CEST	49701	587	192.168.2.7	93.190.220.113	EHLO 899552
Apr 24, 2024 07:11:10.774084091 CEST	587	49701	93.190.220.113	192.168.2.7	250-20112.eticaretns.com Hello 899552 [154.16.105.36] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 24, 2024 07:11:10.776843071 CEST	49701	587	192.168.2.7	93.190.220.113	AUTH login aW5mb0BoYXRpcGxlcnRla3N0aWwuY29t
Apr 24, 2024 07:11:11.076464891 CEST	587	49701	93.190.220.113	192.168.2.7	334 UGFzc3dvcmQ6
Apr 24, 2024 07:11:11.406677961 CEST	587	49701	93.190.220.113	192.168.2.7	235 Authentication succeeded
Apr 24, 2024 07:11:11.407077074 CEST	49701	587	192.168.2.7	93.190.220.113	MAIL FROM:<info@hatiplertekstil.com>
Apr 24, 2024 07:11:11.706589937 CEST	587	49701	93.190.220.113	192.168.2.7	250 OK
Apr 24, 2024 07:11:11.707004070 CEST	49701	587	192.168.2.7	93.190.220.113	RCPT TO:<b.hu5h@yandex.com>
Apr 24, 2024 07:11:12.006951094 CEST	587	49701	93.190.220.113	192.168.2.7	250 Accepted
Apr 24, 2024 07:11:12.007172108 CEST	49701	587	192.168.2.7	93.190.220.113	DATA
Apr 24, 2024 07:11:12.306786060 CEST	587	49701	93.190.220.113	192.168.2.7	354 Enter message, ending with "." on a line by itself
Apr 24, 2024 07:11:12.310436964 CEST	49701	587	192.168.2.7	93.190.220.113	.
Apr 24, 2024 07:11:12.614634037 CEST	587	49701	93.190.220.113	192.168.2.7	250 OK id=1rzUuW-0001oc-0V
Apr 24, 2024 07:12:48.896296024 CEST	49701	587	192.168.2.7	93.190.220.113	QUIT
Apr 24, 2024 07:12:49.241041899 CEST	49701	587	192.168.2.7	93.190.220.113	QUIT
Apr 24, 2024 07:12:49.397197008 CEST	587	49701	93.190.220.113	192.168.2.7	221 20112.eticaretns.com closing connection

Target ID:	0
Start time:	07:11:04
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\dekont_20240423_388993774837743.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\dekont_20240423_388993774837743.exe"
Imagebase:	0x1ea0e500000
File size:	1'007'725 bytes
MD5 hash:	81A9ABF49104DF646DB709F0365F8EEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1413485294.000001EA107E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1415413809.000001EA20347000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1415413809.000001EA20347000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:11:04
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:11:05
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0xe90000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3687524877.00000000032CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3687524877.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3673240143.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3673240143.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3687524877.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3687524877.0000000003281000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	07:11:05
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0xf80000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:11:06
Start date:	24/04/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6492 -s 1072
Imagebase:	0x7ff6f5750000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFAACCDC4AD Relevance: 3.9, Strings: 2, Instructions: 1372
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x64 , xrefs: 00007FFAACCDD159
x64 , xrefs: 00007FFAACCDD269

Memory Dump Source

Source File: 00000000.00000002.1421152450.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccc0000_dekont_20240423_388993774837743.jbxd

Similarity

API ID:
String ID: x64 $x64
API String ID: 0-2402869316
Opcode ID: 9bc74af7c1325bfb25bff179df3942ce869d368b89e7f62e1025d8bbcd89e54a
Instruction ID: 306afcaa2645d50fcbe0ac8d524f93a4b5fc7851391bfda297294828e8782004
Opcode Fuzzy Hash: 9bc74af7c1325bfb25bff179df3942ce869d368b89e7f62e1025d8bbcd89e54a
Instruction Fuzzy Hash: D092283091D7458FE31ADF2884855B5B7E1FF96301B1486BEE48EC7296DE38E84AC781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAACCCEBF8 Relevance: 2.0, Strings: 1, Instructions: 702
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFAACCD24DF

Memory Dump Source

Source File: 00000000.00000002.1421152450.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccc0000_dekont_20240423_388993774837743.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 36c722c969bb85c1727833596c4f5dd9f5388b4de47a66f940d2507f62531a56
Instruction ID: b89c7a42b17f70996e5454b4f1fd51022a46c943c2d68cf9cf2274463d89f0bd
Opcode Fuzzy Hash: 36c722c969bb85c1727833596c4f5dd9f5388b4de47a66f940d2507f62531a56
Instruction Fuzzy Hash: 7712547091DA498FE39ADF28D485A7177D0EF46310B1482BAD49EC7197EE28EC5783C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAACCD1D88 Relevance: 1.7, Strings: 1, Instructions: 441
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fish, xrefs: 00007FFAACCD1DE0

Memory Dump Source

Source File: 00000000.00000002.1421152450.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccc0000_dekont_20240423_388993774837743.jbxd

Similarity

API ID:
String ID: fish
API String ID: 0-1064584243
Opcode ID: 32f36364674e4364fb022dc650c9cccabb21a6002f63babfd0c1c29ff1a690cf
Instruction ID: 9e27befc6b31a602ded0cff0ff7ea505e83a983b83c72b526783377a8811adc9
Opcode Fuzzy Hash: 32f36364674e4364fb022dc650c9cccabb21a6002f63babfd0c1c29ff1a690cf
Instruction Fuzzy Hash: 4EC1187161DA4A4FE75AAB38D4556B577E1EF96210B0481BFE04FC32D2DE18EC068382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAACCD9911 Relevance: 1.2, Instructions: 1185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421152450.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccc0000_dekont_20240423_388993774837743.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472c5e463668e195a0eb8cdb0fabfec8ab8e547f83f2574c334f4d2b3371fe25
Instruction ID: 5994f9cb52b75efb5f7cfcce4c0291055e5b57cdd6fbc07340bda5616e26c50d
Opcode Fuzzy Hash: 472c5e463668e195a0eb8cdb0fabfec8ab8e547f83f2574c334f4d2b3371fe25
Instruction Fuzzy Hash: 0782273051DB468FE31ADF24C4805A5B7E1FF86305B1485BED48EC72A6EE38E49AC781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAACCC4309 Relevance: .9, Instructions: 863COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421152450.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccc0000_dekont_20240423_388993774837743.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3597de57847922f25b95a273fa834853898faab35d9283c166551dfe2e1c134b
Instruction ID: 907cd5f7ade3d08252572fb1c32bf8b4ada62d426c90ce122ecfc0d977142755
Opcode Fuzzy Hash: 3597de57847922f25b95a273fa834853898faab35d9283c166551dfe2e1c134b
Instruction Fuzzy Hash: E142037091DA468FF70ADF28C4856B9B3D1FF86310F1081B9E49F83597DE29E8468781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAACCC29A1 Relevance: .7, Instructions: 706COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421152450.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccc0000_dekont_20240423_388993774837743.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16b24de9ec15805182f4d9e0dc5a44657eed73903f03f9396a11d4c87c22092
Instruction ID: a3d57b031db67c69a536d85b9f06aac6530785a564077ed223fc89da530406c3
Opcode Fuzzy Hash: a16b24de9ec15805182f4d9e0dc5a44657eed73903f03f9396a11d4c87c22092
Instruction Fuzzy Hash: ED32A031A1DA068FF76A9F2890515B973D1FF9A310B15857DD08FC3692DE29F88A87C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAACCD9530 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421152450.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccc0000_dekont_20240423_388993774837743.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436e9699ffff239c2228170d96399d8e12e796f58b97da357ad36391f4b7e70a
Instruction ID: bcbd588d70d80f3f76e85a337300b2699a670cea30638d29d177fbc32b5fa210
Opcode Fuzzy Hash: 436e9699ffff239c2228170d96399d8e12e796f58b97da357ad36391f4b7e70a
Instruction Fuzzy Hash: 60C1373591DB458FE31ACB2998952B5B7E1EF86201B1486BFD4CAC31A1EE2CE44687C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAACCCFD8C Relevance: 1.6, APIs: 1, Instructions: 142
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00007FFAACCCFEA1

Memory Dump Source

Source File: 00000000.00000002.1421152450.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccc0000_dekont_20240423_388993774837743.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9a69911e64ec5b92d255861505ea8891c6cdbea0fe5b5aacec1e60ab4c3bbe41
Instruction ID: e4eddc49062b155a264c963bf0a6cb29f6d5248a7d8405341b58116dec349327
Opcode Fuzzy Hash: 9a69911e64ec5b92d255861505ea8891c6cdbea0fe5b5aacec1e60ab4c3bbe41
Instruction Fuzzy Hash: 37414070508A4D8FEF98DF28C4557A977E1FB58314F10826EE84EC7292DB75D8858B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAACCD02B4 Relevance: 1.6, APIs: 1, Instructions: 129
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFAACCD0371

Memory Dump Source

Source File: 00000000.00000002.1421152450.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccc0000_dekont_20240423_388993774837743.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a965d6c43f8677a1d6cf4f5d8118c623a5a91663db7eaffb51ade4b31201a2d2
Instruction ID: 210d4fcd29f70420489f6b2bf21c0a555ade1b60fc2fbc2421f534fe17e8f07f
Opcode Fuzzy Hash: a965d6c43f8677a1d6cf4f5d8118c623a5a91663db7eaffb51ade4b31201a2d2
Instruction Fuzzy Hash: 7631E77090CA488FDB18DFAC984A6F9BBE1EF55321F04426FD049C3292CF74A856C795

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAACCC08BD Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00007FFAACCC093F

Memory Dump Source

Source File: 00000000.00000002.1421152450.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccc0000_dekont_20240423_388993774837743.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: f03cba235f84380650f60c1d20d883696768fd72447c52f13e6c1142be837838
Instruction ID: 0f7f04c6a300fdcb7efac4c33aac5840ca8fe88b0cba08f7c1be00f1b39980b2
Opcode Fuzzy Hash: f03cba235f84380650f60c1d20d883696768fd72447c52f13e6c1142be837838
Instruction Fuzzy Hash: AF21B27090CB4C8FEB29DF58D889AE9BBF0EF66310F00416FD08AC3152DA756409CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAACDB0121 Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A, xrefs: 00007FFAACDB0236

Memory Dump Source

Source File: 00000000.00000002.1421736103.00007FFAACDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacdb0000_dekont_20240423_388993774837743.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: a639e9cf508d35da9fde494d32b6101d7470ee93c704faa3db1f308b1772a7b2
Instruction ID: 86383355ed34378a5e925ec5e68d4fce77e885e422b29bf1ae7ae2f5d6b158ae
Opcode Fuzzy Hash: a639e9cf508d35da9fde494d32b6101d7470ee93c704faa3db1f308b1772a7b2
Instruction Fuzzy Hash: 7CA14A7190DB898FF75ADB28C8A55F57BA0FF56300F1881EAD05DCB193DA24E849C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAACDB1081 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421736103.00007FFAACDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaacdb0000_dekont_20240423_388993774837743.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c35b4524292f0581a3452f6f26acc4aa542fa49c86d2376ed85b4ffe5fcbb78
Instruction ID: b39481100794ae48e061219e325b686688827ac4d361ddfd22d82fa2b51f6400
Opcode Fuzzy Hash: 3c35b4524292f0581a3452f6f26acc4aa542fa49c86d2376ed85b4ffe5fcbb78
Instruction Fuzzy Hash: 51F1E6B2A0E7C68FF756D728985A1A57FE0EF56200F0945FED4DDCB193E918A80983C1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFAACCC8549 Relevance: 5.7, Strings: 2, Instructions: 3157COMMON

Download Yara Rule

Strings

, xrefs: 00007FFAACCCAB99
x[4 , xrefs: 00007FFAACCCABF6

Memory Dump Source

Source File: 00000000.00000002.1421152450.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccc0000_dekont_20240423_388993774837743.jbxd

Similarity

API ID:
String ID: $x[4
API String ID: 0-3423188812
Opcode ID: 1c7a87f68af5a8c21c49d8615a55d895f8e846f339c5b8944d0d08d3440e7ef3
Instruction ID: c46ea05b96d3c47f0816c70af0fb60cff4e73210da94e206c9acc25225ed4e40
Opcode Fuzzy Hash: 1c7a87f68af5a8c21c49d8615a55d895f8e846f339c5b8944d0d08d3440e7ef3
Instruction Fuzzy Hash: 6A430D71609A098FEB59DF08C484FA5B7B2FB99304F20C6ADD04ED7295CA35DE86CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAACCCCE19 Relevance: 4.4, Strings: 3, Instructions: 638COMMON

Download Yara Rule

Strings

`\4 , xrefs: 00007FFAACCCD012
x64 , xrefs: 00007FFAACCCD113
`\4 , xrefs: 00007FFAACCCD003

Memory Dump Source

Source File: 00000000.00000002.1421152450.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaaccc0000_dekont_20240423_388993774837743.jbxd

Similarity

API ID:
String ID: `\4 $`\4 $x64
API String ID: 0-642904466
Opcode ID: f8b998b1a712f0b4bbcee5d1c24c82faa5cbb19e2f023954be671022c2521502
Instruction ID: 0e91b3a2bef92e956cc7cf610c293789000a953fb4afa3fb8d49c9aeb91fc24e
Opcode Fuzzy Hash: f8b998b1a712f0b4bbcee5d1c24c82faa5cbb19e2f023954be671022c2521502
Instruction Fuzzy Hash: F7120370A1DA468FE31A9F28845567477E0FF52310F6486BEC08FCB596DA28F85B87C1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AddInProcess32.exePID: 6048, Parent PID: 6492COMMON

Executed Functions

Function 014EB428 Relevance: 2.8, Instructions: 2770COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6baba018de3ba635ddd880a7fa9ebe4f15f3dfec8e5c2c0746fcc709cf0a9be
Instruction ID: f134d192e62eaba120fc84fe72056e04b69782ce7aacb29d3a68647dba7b9bec
Opcode Fuzzy Hash: e6baba018de3ba635ddd880a7fa9ebe4f15f3dfec8e5c2c0746fcc709cf0a9be
Instruction Fuzzy Hash: 3A53EA31D10B1A8ADB11EF68C8846A9F7B1FF99300F15D79AE45877121EB70AAD4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 014ECEA0 Relevance: 2.3, Instructions: 2310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521df8359bb901792b5bbccf3d388f0717117125f3536b8257f3732dabba0906
Instruction ID: 6ceea1aff88ad33dd4f20d53fe98ccd112fda8776194a3d78307f31e25546695
Opcode Fuzzy Hash: 521df8359bb901792b5bbccf3d388f0717117125f3536b8257f3732dabba0906
Instruction Fuzzy Hash: 5E331F31D107198EDB11DF68C8946AEF7B1FF99300F15C79AE458A7221EB70AAC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 014E4A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dfee75bc35e0e1f00d21b6bd0947807d4950f898f4b2a962db9f80e445dcdd1
Instruction ID: 5c04280dd90a2da76a69654fa1662c2bf325c7fb649923ffdb16df735f857338
Opcode Fuzzy Hash: 6dfee75bc35e0e1f00d21b6bd0947807d4950f898f4b2a962db9f80e445dcdd1
Instruction Fuzzy Hash: 1DB16370E003098FDF14CFA9D8857AEBBF2AF48315F18852AD415E73A4EB759846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 014E3E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b51dce7886f4e5a4546b3614752f04bef5e9036ad087e4cdf9e0c59f994404
Instruction ID: b1864bdb66c4862c4b50bc25b2f40c14f4671d7503c6ce9cb174ae01a5eefd10
Opcode Fuzzy Hash: 59b51dce7886f4e5a4546b3614752f04bef5e9036ad087e4cdf9e0c59f994404
Instruction Fuzzy Hash: 4A915F70E002099FDF24CFA9C9997AEBBF2BF58315F18812AE415E7364DB749845CB41

Uniqueness

Uniqueness Score: -1.00%

Function 014E6ED7 Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

LRq, xrefs: 014E6F0E
LRq, xrefs: 014E6FD2

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LRq$LRq
API String ID: 0-3710822783
Opcode ID: 00d439aa0c9dd7e10c092f8f3c69ca658b9edd4f267e98c938492b5079df377e
Instruction ID: a2c0a23aa6d2616e79202ba2ceba064e63ed99552ee060b7e2ce635cd0cfb757
Opcode Fuzzy Hash: 00d439aa0c9dd7e10c092f8f3c69ca658b9edd4f267e98c938492b5079df377e
Instruction Fuzzy Hash: 5551BE70A002059FDB15DF69C4247AEBBF2FF86312F11856AE415EB3A1EB719C41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014EF3E5 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

PHq, xrefs: 014EF533

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: fef75312a6a413ffb83a7b32025346629c7a02a58323d4c7afa4fe33d1d9b43a
Instruction ID: 98dcd5645d3ecb522e626a0092a8d38c3e7d56497389eef15db8c583e416ca23
Opcode Fuzzy Hash: fef75312a6a413ffb83a7b32025346629c7a02a58323d4c7afa4fe33d1d9b43a
Instruction Fuzzy Hash: BA31E271B002058FDB199F39E4586AE3BE2AF98601B14457ED406DB3A6EE34EC0AC791

Uniqueness

Uniqueness Score: -1.00%

Function 014E6F78 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LRq, xrefs: 014E6FD2

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 2f7abbda4fd226a72b87d8f5afbaa2f3bbed975f4e1a8b75d17e607672a5a495
Instruction ID: c7e19c30d7f7a0a3cb9ee2a54a46f909815b764d293daecd2e7b4e6038a2d9d4
Opcode Fuzzy Hash: 2f7abbda4fd226a72b87d8f5afbaa2f3bbed975f4e1a8b75d17e607672a5a495
Instruction Fuzzy Hash: BA318E74E102098BDB15CF69D45479EBBF2FF45322F10852AE812EB360EB71AD45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 014E6BA1 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

LRq, xrefs: 014E6BD7

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: cbc98f22f7971aedd18e7f091cd06b658c612d34a7dccd8c48400250792cc222
Instruction ID: c959d88bd2dd6720e048a3120f17c134be43ea35896f4ce6ebd8cc70f1ef7ee0
Opcode Fuzzy Hash: cbc98f22f7971aedd18e7f091cd06b658c612d34a7dccd8c48400250792cc222
Instruction Fuzzy Hash: EC21F1306083419FC315AB7D94546AEBBF6FF96200B0185AFD005CB2A5DB359C44C792

Uniqueness

Uniqueness Score: -1.00%

Function 014E790A Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89188395679bf51bd872f1a2fe4fb59b2940f447e9d31b94439ee64d3048cfce
Instruction ID: b36aa45bdfca8a2364a53630a6c87bd8906494fa08a13b9e695fdb8295414490
Opcode Fuzzy Hash: 89188395679bf51bd872f1a2fe4fb59b2940f447e9d31b94439ee64d3048cfce
Instruction Fuzzy Hash: 40125130B01206DFDB269B3CE45866D76A2FB85216B10592ED005CF369CF75EC4B9BE1

Uniqueness

Uniqueness Score: -1.00%

Function 014E9364 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb2cb25909ea998e69615db7bd5a287f7dfd869bd2c0a3b0e14fb324cfe90273
Instruction ID: 0bcf87f462a07073e5a754119b9095628f13a8556a5c8710535641a9c01c91f4
Opcode Fuzzy Hash: bb2cb25909ea998e69615db7bd5a287f7dfd869bd2c0a3b0e14fb324cfe90273
Instruction Fuzzy Hash: ECD17E34B002148FDB15DF69D588AAEBBF2EF88315F14456AE806DB3A5DB34DC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014E96E0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5191fef7fd3bd2be8e80f4236d36d5ba6bed22b53b91d6e8a987554646afa2c1
Instruction ID: 22b8ef7645754945af08edfe10fa2f718d4807ce8220023ef7c234775b681363
Opcode Fuzzy Hash: 5191fef7fd3bd2be8e80f4236d36d5ba6bed22b53b91d6e8a987554646afa2c1
Instruction Fuzzy Hash: 11C18C70B002058FDB14DF69D8887AEBBE2FF84315F24856AE909DB3A5DB70D845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014E4A8E Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3c3d43d66d6cedea6715d8ca37f2bc86d5e8fb3a7d54c0c7e4aea99235d76f
Instruction ID: f9c0bce4445a9b29e6a1756ccb1848268e8f9aff32cc0cb98eae3466de76e2a8
Opcode Fuzzy Hash: 8a3c3d43d66d6cedea6715d8ca37f2bc86d5e8fb3a7d54c0c7e4aea99235d76f
Instruction Fuzzy Hash: 11B14070E002098FDF20CFA9D989BDEBBF1AF48315F18852AD415E7364EB759856CB81

Uniqueness

Uniqueness Score: -1.00%

Function 014E3E74 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068db4395fd11aa582c532b7e8648ae0071d50bc711a9573aa413627f3d67ac5
Instruction ID: 5eb6c84b017f247739f92e9dbcc82fa80333a41996b12a9fcd2d195867e96405
Opcode Fuzzy Hash: 068db4395fd11aa582c532b7e8648ae0071d50bc711a9573aa413627f3d67ac5
Instruction Fuzzy Hash: 33A15B70E002099FDF20CFA8C9997AEBBF1BF58315F18812AE414E7364DB749846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014E6CDD Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dbfee2635517eefe02fea5d379ffe09ff2efc9899ad295c954fb79bf37c03cc
Instruction ID: b1f6fbbcef36dd5a969970aa745b8d1117a5501d5bf14de314b220d05ea4392a
Opcode Fuzzy Hash: 6dbfee2635517eefe02fea5d379ffe09ff2efc9899ad295c954fb79bf37c03cc
Instruction Fuzzy Hash: DD512575D102188FDB14CFADC848BDEBBF1BF58311F15811AE819AB3A1D775A841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014E6CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d972624ef9b2972b9ae7f7992446f926de6a1f1631ab6888b2084f922e07b91
Instruction ID: be1c7bc67fc89a33a33ed311ac513cddba4e3067e1320cb8a7fb95464c096b41
Opcode Fuzzy Hash: 0d972624ef9b2972b9ae7f7992446f926de6a1f1631ab6888b2084f922e07b91
Instruction Fuzzy Hash: B9512470D002188FDB18CFADC848B9EBBF1BF58311F55811AE819BB3A1D775A841CB95

Uniqueness

Uniqueness Score: -1.00%

Function 014E112A Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c855d6b14a4bc6c26ca7934c84bafc01a53e57967ff12f3a56f78aab0c7fde
Instruction ID: e437aef5dc47749b4ee6f2082aa0b362112bcbcb67f35b577ee3adfd801d6266
Opcode Fuzzy Hash: 13c855d6b14a4bc6c26ca7934c84bafc01a53e57967ff12f3a56f78aab0c7fde
Instruction Fuzzy Hash: 32510E30707256CFC725DB2CF8A8A4D7FB1F76630530895ADD4044B27AD6396D0ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 014E1138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a34a84bad38c19a290313bffb153c5e94f3105d24c459b207197004016c1435
Instruction ID: 0de564769ba331c0715643a6f6b0ecaac40fa5d6b96a303949818a10cc7ee6ae
Opcode Fuzzy Hash: 2a34a84bad38c19a290313bffb153c5e94f3105d24c459b207197004016c1435
Instruction Fuzzy Hash: 9C51EC30713256CFD725DB2CF9A8A4D7FA1F7A530531895ADD4004B27ADA387D0ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 014EF2A8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d943150d927cfe462f58f4b0dab499a4a0b344af55e8e85e5a00712581af0be5
Instruction ID: 0d73251e8ea374f96fa7633a2ecd7dbd7632d35aeec4932fde83879ebe5ceb36
Opcode Fuzzy Hash: d943150d927cfe462f58f4b0dab499a4a0b344af55e8e85e5a00712581af0be5
Instruction Fuzzy Hash: 5C316D75E102199BDB15CF69D45869EB7F2FF89300F10851AE806EB754EB71EC46CB40

Uniqueness

Uniqueness Score: -1.00%

Function 014E26DC Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbba7418e48fb425d1ea49335ed36d78efcb2d51e397a98cc68653991631c4f1
Instruction ID: 1991ad269644cf39750cac8fc0535182089f60e412eca9dc5b6baff98e9d2b63
Opcode Fuzzy Hash: bbba7418e48fb425d1ea49335ed36d78efcb2d51e397a98cc68653991631c4f1
Instruction Fuzzy Hash: 7A41E2B0D003499FEB14DFA9C884ADEBBF5FF48314F14812AE819AB250DB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014E5097 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee6fa7ca9bb1714361e31343852db15eda600c3737f98ce5249840c301218b4d
Instruction ID: 70a167c6b8d259389ffd60235841f0d57c84d037fd938cdbff2bd2cec00d56de
Opcode Fuzzy Hash: ee6fa7ca9bb1714361e31343852db15eda600c3737f98ce5249840c301218b4d
Instruction Fuzzy Hash: CF318F34B01215CFDB29DB38D5686AEBBF2AF4920AF1005ADD901EB361DB36DC01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 014EF2B8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0747e6fefc0d64f76a2bac0dbcdd82e025dc7995f6497b0a7d26579a65a8fb92
Instruction ID: 3d173a5546dbaa91bdfe56ad3b287ba40aa26746551337ed2b8d2335933a44f1
Opcode Fuzzy Hash: 0747e6fefc0d64f76a2bac0dbcdd82e025dc7995f6497b0a7d26579a65a8fb92
Instruction Fuzzy Hash: 09315D35A106198BDB19CF69D45869EBBF2EF89300F10851AE816E7354DF71EC46CB40

Uniqueness

Uniqueness Score: -1.00%

Function 014E26E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e41414799d403a3c3d2f66333f6eaf3400bb74118bb9504239227ae18a9059b1
Instruction ID: 2647dbab1a2a137176e50bef73103a484cd1a94bf66519e528a80e08079c113c
Opcode Fuzzy Hash: e41414799d403a3c3d2f66333f6eaf3400bb74118bb9504239227ae18a9059b1
Instruction Fuzzy Hash: CF41D1B4D003499FEB14DFA9C484A9EBBF5FF48310F14812AE819AB250DB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014E50A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3f13d8f6727bb9fc1001fae4587cc8405b78321d8415ee70d46bb1be118452
Instruction ID: 5ec2b7397ed4838e40f3d691c0da7b47cdf45f0b3d69345e12a6b177b3409e88
Opcode Fuzzy Hash: 3e3f13d8f6727bb9fc1001fae4587cc8405b78321d8415ee70d46bb1be118452
Instruction Fuzzy Hash: 73313034B01215CFDB29DB78D5586AEB7F6AF49206F1005ADD901EB364DB35DC01C791

Uniqueness

Uniqueness Score: -1.00%

Function 014E9251 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 115eda19339d9b2eb1709d58e6e314345eb3df2ef87371761889b2ab7169b31b
Instruction ID: bba1751fb1d256db9745ed246c76f59617ef13f7b395c2a4b42b2ca6792ca681
Opcode Fuzzy Hash: 115eda19339d9b2eb1709d58e6e314345eb3df2ef87371761889b2ab7169b31b
Instruction Fuzzy Hash: ED318231E002169BDB09CFA9D49469EBBB2FF89304F14C61AE805EB391DB71D945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014E9260 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63dda24838f62002400469779d890e6417ac0a8c4f20edf64593ffff9addc1bb
Instruction ID: 8b19839cdf93b890988a69d7c36f29c47534b116c216dd4915723d35673f8bc5
Opcode Fuzzy Hash: 63dda24838f62002400469779d890e6417ac0a8c4f20edf64593ffff9addc1bb
Instruction Fuzzy Hash: A7214131E002199BDB15CFA9D49869EBBB2FF89304F14C61AE805EB395DB719C45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014E9150 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92073c9981c4e116aa92c4ad12e114440a155a67e63dfda44be9aadd75176c73
Instruction ID: 3b5c7e39f320942600bc1bc64a8449ef63353951986bc47bbfaaa38c1047c7b3
Opcode Fuzzy Hash: 92073c9981c4e116aa92c4ad12e114440a155a67e63dfda44be9aadd75176c73
Instruction Fuzzy Hash: 24216031E006199BDB19CFA9D4586DEF7F2AF89304F10861AE816A7391EB719D41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014E1878 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e013307043de38e46b51cef03604945e13f8cd5518222cd85066b23d411002ad
Instruction ID: 905f33e1cb73616c608f9d8959733017cd5d6db8e9894c1a5017e1bb3f087537
Opcode Fuzzy Hash: e013307043de38e46b51cef03604945e13f8cd5518222cd85066b23d411002ad
Instruction Fuzzy Hash: 2F31B130B40345CFDB24DB28C91879E7BF6AF49616F1045AEC505EB360DB369D41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 014E169F Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2f4c325ed670c6450baae2d0cd882eeb8be0a3b8bd3ff34cfa0ac284a41e3e0
Instruction ID: b95b9fe0af4838b017f292517fedd8364371e05da2f6263f0c72eaae101902d8
Opcode Fuzzy Hash: e2f4c325ed670c6450baae2d0cd882eeb8be0a3b8bd3ff34cfa0ac284a41e3e0
Instruction Fuzzy Hash: EB21A1347412004FEB21DB3CF88CB5E3BA5EB49B56F10496AD406CB36ADA3DDC468B91

Uniqueness

Uniqueness Score: -1.00%

Function 014E4F8A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddfbb57cf1bcbfff2a8e805651d79145a823dec5f0d8d4ad15a7cf58378ba07a
Instruction ID: e34f023d3b5bfc7da65e9844275dc2cd7d1ca155d32fb44d475f5ce49ff6e5e6
Opcode Fuzzy Hash: ddfbb57cf1bcbfff2a8e805651d79145a823dec5f0d8d4ad15a7cf58378ba07a
Instruction Fuzzy Hash: 77212574B00204CFDB64DB38D568AAE7BF5EF89609B1044ADE406EB364DB359D01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0148D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3681254030.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_148d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae56cfd5c2dd58e723d44ff671f14fe72547898eec2bad62c123753e2b837287
Instruction ID: 4cc8fff4b0ba1483b0dfab5296efbe66869fae14557b36b74b7a91bce77aec78
Opcode Fuzzy Hash: ae56cfd5c2dd58e723d44ff671f14fe72547898eec2bad62c123753e2b837287
Instruction Fuzzy Hash: 522125B1A05300DFDB15EF54D9C4B1ABB61EB85318F20C56ED84A4B3A6C336D447CA62

Uniqueness

Uniqueness Score: -1.00%

Function 014E9160 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a388f6f36fab32832c13ffdcc080c518ceb076d628dbe3d6f46bd98b2761cf
Instruction ID: 05c7a143f511b769836f4d18bc95138ea7dcf68f2fce0e7362d3ca6b8f7b3a76
Opcode Fuzzy Hash: 38a388f6f36fab32832c13ffdcc080c518ceb076d628dbe3d6f46bd98b2761cf
Instruction Fuzzy Hash: 47213030E006199BDB19CFA9D4586DEF7B2AF89304F10861AE816AB390EB70DD45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014E1382 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1c7827495898ede24933cce10d569a47c097d1d1d87e2845f502c9fdbf6573
Instruction ID: 4b24369b7b3721bc0426786b6155e07b5c138bcf0cfea702eb2afbe971b328a3
Opcode Fuzzy Hash: ab1c7827495898ede24933cce10d569a47c097d1d1d87e2845f502c9fdbf6573
Instruction Fuzzy Hash: 562193706402418BEB32572CE44C36E37A1FB4AB16F15087FE416CB7B5D6798C898782

Uniqueness

Uniqueness Score: -1.00%

Function 014E1888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6017fd7a392d796631bead5f8f4cda0a3effbead8328972eab5ddd4ec90e840
Instruction ID: 761617b5b480685cc2eaa3a1ec4e603b68b4b818ac579ac57ee4858d580476cc
Opcode Fuzzy Hash: a6017fd7a392d796631bead5f8f4cda0a3effbead8328972eab5ddd4ec90e840
Instruction Fuzzy Hash: 6F213D30B40205CFDB24EB78D5587AE7BF6AF49606F10046ED506EB360DB359D41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 014E16B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417feacaa89e5f3266f455f4d5d9414f4bde37e020ab84a31371be1dd6e126da
Instruction ID: 125a0f27c735805c1e43eb85857229180a286e175e3cef8c10aabf6264d79216
Opcode Fuzzy Hash: 417feacaa89e5f3266f455f4d5d9414f4bde37e020ab84a31371be1dd6e126da
Instruction Fuzzy Hash: AA2181347412104FEB21D72CF88CB5E37A5EB49B56F10492AD806CB36ADB3DEC458B92

Uniqueness

Uniqueness Score: -1.00%

Function 014E4F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca13cbeecd1bddcd52c89ced023a9e4be078df32df53797c16fd571cfc111fe
Instruction ID: 40c4ad39b8f3ce86e675f4be3c4f5efe40f438bb556b1c126d6146f764fa2f8e
Opcode Fuzzy Hash: 2ca13cbeecd1bddcd52c89ced023a9e4be078df32df53797c16fd571cfc111fe
Instruction Fuzzy Hash: E4213674B00204CFDB64DB78D56CAAE7BF5EF89605B1044A9E406EB3A4DB359D00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014E0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab0792cd1569ba254114fefbac541bb021564dfe143c8f77f12fb8b852ca567
Instruction ID: 0fb7026c6c79e1207595d44f711656a78e2123ee801943c83bf8cdd828517e5d
Opcode Fuzzy Hash: 6ab0792cd1569ba254114fefbac541bb021564dfe143c8f77f12fb8b852ca567
Instruction Fuzzy Hash: F711C130B002088BEF259A7DD45C36A32D5FB45216F10493BE426CF362DAB6CC468BC1

Uniqueness

Uniqueness Score: -1.00%

Function 014E0838 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17bea407abe0944e043841bf66894308fb32db4d82ec5fabdcde9935e6baa175
Instruction ID: e1fe292c086f80e8adc57cd6ba6bcf96de78165de15e298be1c664cfa36b7da5
Opcode Fuzzy Hash: 17bea407abe0944e043841bf66894308fb32db4d82ec5fabdcde9935e6baa175
Instruction Fuzzy Hash: 40118230B003059BEF265A7CD45836E36D5FB45256F10493BE426CF366D6B9CC468BD2

Uniqueness

Uniqueness Score: -1.00%

Function 0148D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3681254030.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_148d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6ee66a8128192b346c5c83d451748b5d78b36afe51011f523d16e36ace96d9
Instruction ID: a6c3bab9263cf6e89a79bc7ae917d8e1a5690ccb7d3c89c9c19526820d3d3eae
Opcode Fuzzy Hash: ba6ee66a8128192b346c5c83d451748b5d78b36afe51011f523d16e36ace96d9
Instruction Fuzzy Hash: B32180755093808FDB06DF64D590716BF71EB46214F28C5DBD8498B2A7C33A980BCB62

Uniqueness

Uniqueness Score: -1.00%

Function 014E17C0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d741b6a6179d6c6eb516ad4307ed08fe6a552a412d689d5ad51040cafaa3e6
Instruction ID: 87cd95662cb7c1bde1400d2d74510aa12e2e629ec11e9743efea7aef061719e8
Opcode Fuzzy Hash: 74d741b6a6179d6c6eb516ad4307ed08fe6a552a412d689d5ad51040cafaa3e6
Instruction Fuzzy Hash: 4011CE71B403109FCB649B7CA80866FBBE5FB89A50F11487AE956D7318EA348C41CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 014E1488 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce862de60473470c33e2d839bf23d1fcd2a1d99ba26c508dd6af6388194e1649
Instruction ID: 552f993cf7b1567a641ffd889bd00de0b5d1dd90fbdf5cf4394e039d4c27ff24
Opcode Fuzzy Hash: ce862de60473470c33e2d839bf23d1fcd2a1d99ba26c508dd6af6388194e1649
Instruction Fuzzy Hash: 20119E31F002168FCF25EFB888985AE7BF1AF58666F14057BE815EB351E735C8428B91

Uniqueness

Uniqueness Score: -1.00%

Function 014E1498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2049252dfc30e728ead3c1a85568349e83496c4c0c9916ad3a469c56d9dab94
Instruction ID: 63d70517db9d8e3068319e139c661cf0df7f9640117885ec5ae660bd59b633e4
Opcode Fuzzy Hash: d2049252dfc30e728ead3c1a85568349e83496c4c0c9916ad3a469c56d9dab94
Instruction Fuzzy Hash: 58018C31F002268FCF21EFB988585AEBBF5EB58612F24057BD805E7311E675C8428B91

Uniqueness

Uniqueness Score: -1.00%

Function 014E40FF Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551acac8d6d1a06c78a0c256203777ce24f5c9ff6cdc03f32a77c6369236de20
Instruction ID: cd99d211b4b8f50896b5285787271d0afe7a73158b7ef903a90d74740cbb3efc
Opcode Fuzzy Hash: 551acac8d6d1a06c78a0c256203777ce24f5c9ff6cdc03f32a77c6369236de20
Instruction Fuzzy Hash: 8B11A230E0024DDADF34DA98D99C7EEFBB2AF7521AF18152BD011E22A19A7488C5CB15

Uniqueness

Uniqueness Score: -1.00%

Function 014E80F0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742a4cedffe9520e600517cd37b56422c5266b6e5bd678671c608a4264d23cca
Instruction ID: 171a594b82f87db4fa502a77076bec5f7f67621ee86ab1e70982aa4a27216891
Opcode Fuzzy Hash: 742a4cedffe9520e600517cd37b56422c5266b6e5bd678671c608a4264d23cca
Instruction Fuzzy Hash: 59018F30A02349DFCB41EFB8FD9469DBBB1EF45340B1082AEC4049B558EA396E09CB51

Uniqueness

Uniqueness Score: -1.00%

Function 014E1524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f80f39639a8cf7a24a4bf24a60fdb1c5d2837d82d63e52af79234e2bde8be15
Instruction ID: d0f951427a93436b461fc9f33abb38bb3790a72c40392e8b85b59110c3d60120
Opcode Fuzzy Hash: 8f80f39639a8cf7a24a4bf24a60fdb1c5d2837d82d63e52af79234e2bde8be15
Instruction Fuzzy Hash: EAF0F032A44220CFDB228BE984981ADBFF5FAA851375C00ABD846DB321D271D8068B51

Uniqueness

Uniqueness Score: -1.00%

Function 014E7090 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2fdaa6f47352b540097b5722f7cd96dae085eed2d78180623e6b4f46158ce42
Instruction ID: ac760e3b1a11131dfa08a273557f3d803ee2aeb065528d84ccaae2e8ba42e0a8
Opcode Fuzzy Hash: a2fdaa6f47352b540097b5722f7cd96dae085eed2d78180623e6b4f46158ce42
Instruction Fuzzy Hash: DAF0B635B001048FC714DB78D568B6D7BB2EF88716F1140A9E5069B3A4CB35AD46CB40

Uniqueness

Uniqueness Score: -1.00%

Function 014E8100 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3685854852.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_14e0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53eeae359d2a9dd96072e8e943747ddf684694bf731e0fb39d429b6ecf821f41
Instruction ID: af8b2ecbb855002aceef80ace93e5e8c28bcdf8ffc760c4e16eb96203f7861e8
Opcode Fuzzy Hash: 53eeae359d2a9dd96072e8e943747ddf684694bf731e0fb39d429b6ecf821f41
Instruction Fuzzy Hash: ACF04F30A01218DFDB04EFA9F99469DBBB5EB44740F5082ADC4049B258EE35BE09CB92

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dekont_20240423_388993774837743.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_dekont_20240423__f29aed481361345eef85fedfd8f72632aa8e00_c74f1f47_6ea974dd-8f19-446a-b783-c735a24ea101\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9B9.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB31.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBA0.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Possible Origin

Windows Analysis Report
dekont_20240423_388993774837743.exe

Function 00007FFAACCDC4AD Relevance: 3.9, Strings: 2, Instructions: 1372
COMMON

Function 00007FFAACCCEBF8 Relevance: 2.0, Strings: 1, Instructions: 702
COMMON

Function 00007FFAACCD1D88 Relevance: 1.7, Strings: 1, Instructions: 441
COMMON

Function 00007FFAACCCFD8C Relevance: 1.6, APIs: 1, Instructions: 142
libraryCOMMON

Function 00007FFAACCD02B4 Relevance: 1.6, APIs: 1, Instructions: 129
memoryCOMMON

Function 00007FFAACCC08BD Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Function 00007FFAACDB0121 Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre