Play interactive tour

Edit tour

Analysis Report 30714756.exe

Overview

General Information

Sample Name:	30714756.exe
Analysis ID:	339359
MD5:	c1279eb7ba4c37f73765233d8ce917d5
SHA1:	2e9978ed7bd20a8b8890f9d236317f0e6dfab11f
SHA256:	1d12e0ea21ddb6f39d309e836c5f8e2c3fcfd4c167b20185ca3723233230bb8b
Tags:	AgentTeslaDHLexe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Binary contains a suspicious time stamp

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

30714756.exe (PID: 6236 cmdline: 'C:\Users\user\Desktop\30714756.exe' MD5: C1279EB7BA4C37F73765233D8CE917D5)

RegSvcs.exe (PID: 6284 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "0jeYosvM", "URL: ": "https://8yynu7fM6H7Nyg.com", "To: ": "chynaman@vivaldi.net", "ByHost: ": "smtp.vivaldi.net:587", "Password: ": "ggtXbQWVn6M", "From: ": "chynaman@vivaldi.net"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.253256411.00000000042D9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.607538381.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.611152121.00000000033E2000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.611152121.00000000033E2000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 30714756.exe PID: 6236	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 30714756.exe PID: 6236	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 6284	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 6284	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: RegSvcs.exe.6284.1.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "0jeYosvM", "URL: ": "https://8yynu7fM6H7Nyg.com", "To: ": "chynaman@vivaldi.net", "ByHost: ": "smtp.vivaldi.net:587", "Password: ": "ggtXbQWVn6M", "From: ": "chynaman@vivaldi.net"}

Machine Learning detection for sample

Show sources

Source: 30714756.exe

Joe Sandbox ML: detected

Source: 1.2.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 30714756.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 30714756.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://8yynu7fM6H7Nyg.com

Source: global traffic

TCP traffic: 192.168.2.7:49755 -> 31.209.137.12:587

Source: Joe Sandbox View

IP Address: 31.209.137.12 31.209.137.12

Source: global traffic

TCP traffic: 192.168.2.7:49755 -> 31.209.137.12:587

Source: unknown

DNS traffic detected: queries for: smtp.vivaldi.net

Source: RegSvcs.exe, 00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000001.00000002.614838260.0000000006510000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegSvcs.exe, 00000001.00000002.614838260.0000000006510000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: RegSvcs.exe, 00000001.00000002.614838260.0000000006510000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegSvcs.exe, 00000001.00000002.614838260.0000000006510000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegSvcs.exe, 00000001.00000002.614838260.0000000006510000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: RegSvcs.exe, 00000001.00000002.614838260.0000000006510000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: RegSvcs.exe, 00000001.00000002.611889871.0000000003474000.00000004.00000001.sdmp	String found in binary or memory: http://smtp.vivaldi.net
Source: RegSvcs.exe, 00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp	String found in binary or memory: http://uUOmOR.com
Source: RegSvcs.exe, 00000001.00000002.612008583.0000000003496000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.611789810.000000000346A000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.611556475.0000000003434000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000003.461890138.00000000013B4000.00000004.00000001.sdmp	String found in binary or memory: https://8yynu7fM6H7Nyg.com
Source: RegSvcs.exe, 00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: 30714756.exe, 00000000.00000002.253256411.00000000042D9000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.607538381.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: RegSvcs.exe, 00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: 30714756.exe, 00000000.00000002.253256411.00000000042D9000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.607538381.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 1.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6D9D76F8u002dFE37u002d4EB1u002dADB2u002d87366BC63423u007d/A07EFD12u002d7E85u002d446Cu002d8101u002d4B6AA8A70687.cs

Large array initialization: .cctor: array initializer size 11989

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_015D2764	1_2_015D2764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_015DD7E0	1_2_015DD7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_015D1FE0	1_2_015D1FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0162B860	1_2_0162B860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01621C70	1_2_01621C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01620040	1_2_01620040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01625A98	1_2_01625A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01620022	1_2_01620022
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0162CA28	1_2_0162CA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01690040	1_2_01690040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01691DA0	1_2_01691DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0169D0CC	1_2_0169D0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01693FF0	1_2_01693FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01733908	1_2_01733908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_033746A0	1_2_033746A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_03374673	1_2_03374673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_03374690	1_2_03374690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0162EC88	1_2_0162EC88

Source: 30714756.exe	Binary or memory string: OriginalFilename vs 30714756.exe
Source: 30714756.exe, 00000000.00000002.253256411.00000000042D9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs 30714756.exe
Source: 30714756.exe, 00000000.00000002.253256411.00000000042D9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameuqZsQTrrIzvzbrRuHZMJrxImRISqPQbtj.exe4 vs 30714756.exe
Source: 30714756.exe, 00000000.00000002.252186553.0000000003280000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs 30714756.exe
Source: 30714756.exe, 00000000.00000002.252207718.0000000003290000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs 30714756.exe
Source: 30714756.exe	Binary or memory string: OriginalFilenameJ vs 30714756.exe

Source: 30714756.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 30714756.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 1.2.RegSvcs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.RegSvcs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 30714756.exe, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 30714756.exe, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 30714756.exe, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.30714756.exe.e00000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 0.2.30714756.exe.e00000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.30714756.exe.e00000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.0.30714756.exe.e00000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 0.0.30714756.exe.e00000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.0.30714756.exe.e00000.0.unpack, ParentalControl/ParentalControl.cs	Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\30714756.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\30714756.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\30714756.exe

Mutant created: \Sessions\1\BaseNamedObjects\NgDpaSJqUP

Source: 30714756.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\30714756.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\30714756.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\30714756.exe 'C:\Users\user\Desktop\30714756.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\30714756.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\30714756.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 30714756.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 30714756.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: 30714756.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 30714756.exe, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.30714756.exe.e00000.0.unpack, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.30714756.exe.e00000.0.unpack, ParentalControl/ParentalControl.cs	.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0x993216A3 [Mon Jun 12 15:30:43 2051 UTC]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_015D7A37 push edi; retn 0000h	1_2_015D7A39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0162A1C2 push 8BFFFFFFh; retf	1_2_0162A1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_01733091 push 24418B01h; ret	1_2_017330A3

Source: initial sample

Static PE information: section name: .text entropy: 7.89132890459

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match

File source: Process Memory Space: 30714756.exe PID: 6236, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 30714756.exe, 00000000.00000002.252271119.00000000032D1000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 30714756.exe, 00000000.00000002.252271119.00000000032D1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\30714756.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 839			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 9015			Jump to behavior

Source: C:\Users\user\Desktop\30714756.exe TID: 6240	Thread sleep time: -31500s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe TID: 6292	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: RegSvcs.exe, 00000001.00000002.614838260.0000000006510000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu
Source: 30714756.exe, 00000000.00000002.252373031.000000000334D000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000001.00000002.614948226.0000000006610000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: 30714756.exe, 00000000.00000002.252271119.00000000032D1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: 30714756.exe, 00000000.00000002.252271119.00000000032D1000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 30714756.exe, 00000000.00000002.252271119.00000000032D1000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: 30714756.exe, 00000000.00000002.252373031.000000000334D000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000001.00000002.614948226.0000000006610000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000001.00000002.614948226.0000000006610000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 30714756.exe, 00000000.00000002.252271119.00000000032D1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: 30714756.exe, 00000000.00000002.252373031.000000000334D000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: 30714756.exe, 00000000.00000002.252373031.000000000334D000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 30714756.exe, 00000000.00000002.252373031.000000000334D000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: 30714756.exe, 00000000.00000002.252271119.00000000032D1000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: RegSvcs.exe, 00000001.00000002.614948226.0000000006610000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\30714756.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_015DE7D0 LdrInitializeThunk,

1_2_015DE7D0

Source: C:\Users\user\Desktop\30714756.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\30714756.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\30714756.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}

Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.610502459.0000000001D50000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: RegSvcs.exe, 00000001.00000002.610502459.0000000001D50000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000001.00000002.610502459.0000000001D50000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000001.00000002.610502459.0000000001D50000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\30714756.exe	Queries volume information: C:\Users\user\Desktop\30714756.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\30714756.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\30714756.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.253256411.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.607538381.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.611152121.00000000033E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 30714756.exe PID: 6236, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6284, type: MEMORY
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.611152121.00000000033E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6284, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.253256411.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.607538381.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.611152121.00000000033E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 30714756.exe PID: 6236, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6284, type: MEMORY
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping2	Query Registry1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion13	Credentials in Registry1	Security Software Discovery211	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion13	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol111	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	System Information Discovery114	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Timestomp1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
30714756.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://uUOmOR.com	0%	Avira URL Cloud	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
https://8yynu7fM6H7Nyg.com	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smtp.vivaldi.net	31.209.137.12	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://8yynu7fM6H7Nyg.com	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegSvcs.exe, 00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	RegSvcs.exe, 00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.letsencrypt.org0	RegSvcs.exe, 00000001.00000002.614838260.0000000006510000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegSvcs.exe, 00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://uUOmOR.com	RegSvcs.exe, 00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot%telegramapi%/	30714756.exe, 00000000.00000002.253256411.00000000042D9000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.607538381.0000000000402000.00000040.00000001.sdmp	false		high
http://r3.o.lencr.org0	RegSvcs.exe, 00000001.00000002.614838260.0000000006510000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://smtp.vivaldi.net	RegSvcs.exe, 00000001.00000002.611889871.0000000003474000.00000004.00000001.sdmp	false		high
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x	RegSvcs.exe, 00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	30714756.exe, 00000000.00000002.253256411.00000000042D9000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.607538381.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.root-x1.letsencrypt.org0	RegSvcs.exe, 00000001.00000002.614838260.0000000006510000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.orgGETMozilla/5.0	RegSvcs.exe, 00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://r3.i.lencr.org/0	RegSvcs.exe, 00000001.00000002.614838260.0000000006510000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
31.209.137.12	unknown	Iceland		51896	HRINGDU-ASIS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339359
Start date:	13.01.2021
Start time:	21:37:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	30714756.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 52.6% (good quality ratio 47.4%) Quality average: 81% Quality standard deviation: 31.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 74 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 13.88.21.125, 23.210.248.85, 51.104.144.132, 92.122.213.247, 92.122.213.194, 93.184.221.240, 51.103.5.186, 51.11.168.160, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, wu.azureedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:38:07	API Interceptor	1x Sleep call for process: 30714756.exe modified
21:38:29	API Interceptor	1046x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
31.209.137.12	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	jK49h2Aa3n.exe	Get hash	malicious	Browse
	RFQ.01-12-2021.eml.exe	Get hash	malicious	Browse
	Scan003.pdf.exe	Get hash	malicious	Browse
	21122020_001.exe	Get hash	malicious	Browse
	Invoice 277.exe	Get hash	malicious	Browse
	Shipment Details.Pdf.exe	Get hash	malicious	Browse
	CIYH2001.pdf.exe	Get hash	malicious	Browse
	Order Inquiry.Jpeg.exe	Get hash	malicious	Browse
	image001.exe	Get hash	malicious	Browse
	Quote-20201203-0076.exe	Get hash	malicious	Browse
	Project quotation list.exe	Get hash	malicious	Browse
	L4z6CoqR4E.exe	Get hash	malicious	Browse
	Scan 0027511202054.xlsx	Get hash	malicious	Browse
	Scan002519332020.exe	Get hash	malicious	Browse
	PI-08351.xlsx	Get hash	malicious	Browse
	Benz.exe	Get hash	malicious	Browse
	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
smtp.vivaldi.net	file.exe	Get hash	malicious	Browse	31.209.137.12
	file.exe	Get hash	malicious	Browse	31.209.137.12
	file.exe	Get hash	malicious	Browse	31.209.137.12
	jK49h2Aa3n.exe	Get hash	malicious	Browse	31.209.137.12
	RFQ.01-12-2021.eml.exe	Get hash	malicious	Browse	31.209.137.12
	Scan003.pdf.exe	Get hash	malicious	Browse	31.209.137.12
	21122020_001.exe	Get hash	malicious	Browse	31.209.137.12
	Invoice 277.exe	Get hash	malicious	Browse	31.209.137.12
	Shipment Details.Pdf.exe	Get hash	malicious	Browse	31.209.137.12
	CIYH2001.pdf.exe	Get hash	malicious	Browse	31.209.137.12
	Order Inquiry.Jpeg.exe	Get hash	malicious	Browse	31.209.137.12
	image001.exe	Get hash	malicious	Browse	31.209.137.12
	Quote-20201203-0076.exe	Get hash	malicious	Browse	31.209.137.12
	Project quotation list.exe	Get hash	malicious	Browse	31.209.137.12
	L4z6CoqR4E.exe	Get hash	malicious	Browse	31.209.137.12
	Scan 0027511202054.xlsx	Get hash	malicious	Browse	31.209.137.12
	Scan002519332020.exe	Get hash	malicious	Browse	31.209.137.12
	PI-08351.xlsx	Get hash	malicious	Browse	31.209.137.12
	Benz.exe	Get hash	malicious	Browse	31.209.137.12
	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	31.209.137.12

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HRINGDU-ASIS	file.exe	Get hash	malicious	Browse	31.209.137.12
	file.exe	Get hash	malicious	Browse	31.209.137.12
	file.exe	Get hash	malicious	Browse	31.209.137.12
	jK49h2Aa3n.exe	Get hash	malicious	Browse	31.209.137.12
	RFQ.01-12-2021.eml.exe	Get hash	malicious	Browse	31.209.137.12
	Scan003.pdf.exe	Get hash	malicious	Browse	31.209.137.12
	21122020_001.exe	Get hash	malicious	Browse	31.209.137.12
	Invoice 277.exe	Get hash	malicious	Browse	31.209.137.12
	Shipment Details.Pdf.exe	Get hash	malicious	Browse	31.209.137.12
	CIYH2001.pdf.exe	Get hash	malicious	Browse	31.209.137.12
	Order Inquiry.Jpeg.exe	Get hash	malicious	Browse	31.209.137.12
	image001.exe	Get hash	malicious	Browse	31.209.137.12
	Quote-20201203-0076.exe	Get hash	malicious	Browse	31.209.137.12
	Project quotation list.exe	Get hash	malicious	Browse	31.209.137.12
	L4z6CoqR4E.exe	Get hash	malicious	Browse	31.209.137.12
	Scan 0027511202054.xlsx	Get hash	malicious	Browse	31.209.137.12
	Scan002519332020.exe	Get hash	malicious	Browse	31.209.137.12
	PI-08351.xlsx	Get hash	malicious	Browse	31.209.137.12
	Benz.exe	Get hash	malicious	Browse	31.209.137.12
	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	31.209.137.12

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\30714756.exe.log Download File
Process:	C:\Users\user\Desktop\30714756.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.883211191634663
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	30714756.exe
File size:	632320
MD5:	c1279eb7ba4c37f73765233d8ce917d5
SHA1:	2e9978ed7bd20a8b8890f9d236317f0e6dfab11f
SHA256:	1d12e0ea21ddb6f39d309e836c5f8e2c3fcfd4c167b20185ca3723233230bb8b
SHA512:	5be8c1dac94b8c7f8cd183f57c82b66149fbe3a06d75745f9ccc5de77233ff45c363fbd7520f726c688e477e08f418271fb3e9e3039ff6b9ced1ec7b863646d6
SSDEEP:	12288:7Sc4VtLb4jQwy41U9U6EGfH8M+OgksTU6M:p4Vtfh741Otv/87OgRQ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....2...............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x49bbae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x993216A3 [Mon Jun 12 15:30:43 2051 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9bb5c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9c000	0x5d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9bb40	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x99bb4	0x99c00	False	0.918345083841	data	7.89132890459	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x9c000	0x5d4	0x600	False	0.428385416667	data	4.16098073201	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9e000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x9c090	0x344	data
RT_MANIFEST	0x9c3e4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2019
Assembly Version	1.0.0.0
InternalName	J.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	MultiUserParentalControl
ProductVersion	1.0.0.0
FileDescription	MultiUserParentalControl
OriginalFilename	J.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 21:39:56.392246962 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:56.479549885 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:56.479713917 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:58.178632975 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:58.179253101 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:58.267703056 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:58.267843008 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:58.268186092 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:58.356933117 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:58.407337904 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:58.441806078 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:58.530812979 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:58.530875921 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:58.530915976 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:58.530961037 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:58.537862062 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:58.625858068 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:58.673000097 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:58.920234919 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:59.007810116 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:59.010222912 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:59.100066900 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:59.101645947 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:59.234683037 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:59.276102066 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:59.277108908 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:59.365376949 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:59.367394924 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:59.368217945 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:59.480760098 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:59.481744051 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:59.568573952 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:59.571435928 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:59.571681023 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:59.572237015 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:59.572377920 CET	49755	587	192.168.2.7	31.209.137.12
Jan 13, 2021 21:39:59.658035040 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:59.658466101 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:59.679251909 CET	587	49755	31.209.137.12	192.168.2.7
Jan 13, 2021 21:39:59.720035076 CET	49755	587	192.168.2.7	31.209.137.12

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 21:38:00.555159092 CET	60338	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:00.605990887 CET	53	60338	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:01.791929007 CET	58717	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:01.844286919 CET	53	58717	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:03.088964939 CET	59762	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:03.136756897 CET	53	59762	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:04.510008097 CET	54329	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:04.557846069 CET	53	54329	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:05.684593916 CET	58052	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:05.732321024 CET	53	58052	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:10.689325094 CET	54008	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:10.737088919 CET	53	54008	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:12.172833920 CET	59451	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:12.220726967 CET	53	59451	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:14.479237080 CET	52914	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:14.527095079 CET	53	52914	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:15.610940933 CET	64569	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:15.669912100 CET	53	64569	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:17.177721977 CET	52816	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:17.234221935 CET	53	52816	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:18.059393883 CET	50781	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:18.126220942 CET	53	50781	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:18.432286978 CET	54230	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:18.480097055 CET	53	54230	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:19.626983881 CET	54911	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:19.677594900 CET	53	54911	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:21.472456932 CET	49958	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:21.521050930 CET	53	49958	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:23.659981012 CET	50860	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:23.711505890 CET	53	50860	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:24.955491066 CET	50452	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:25.006571054 CET	53	50452	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:26.251869917 CET	59730	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:26.310882092 CET	53	59730	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:30.503633976 CET	59310	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:30.551515102 CET	53	59310	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:32.849813938 CET	51919	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:32.910423040 CET	53	51919	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:45.720328093 CET	64296	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:45.770955086 CET	53	64296	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:46.862066984 CET	56680	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:46.912695885 CET	53	56680	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:49.389734030 CET	58820	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:49.454180956 CET	53	58820	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:51.032990932 CET	60983	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:51.089668989 CET	53	60983	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:52.938034058 CET	49247	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:52.986272097 CET	53	49247	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:55.693662882 CET	52286	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:55.752662897 CET	53	52286	8.8.8.8	192.168.2.7
Jan 13, 2021 21:38:59.892232895 CET	56064	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:38:59.955224991 CET	53	56064	8.8.8.8	192.168.2.7
Jan 13, 2021 21:39:15.225465059 CET	63744	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:39:15.481959105 CET	53	63744	8.8.8.8	192.168.2.7
Jan 13, 2021 21:39:16.051736116 CET	61457	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:39:16.113255978 CET	53	61457	8.8.8.8	192.168.2.7
Jan 13, 2021 21:39:16.611205101 CET	58367	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:39:16.681971073 CET	53	58367	8.8.8.8	192.168.2.7
Jan 13, 2021 21:39:16.704710960 CET	60599	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:39:16.752805948 CET	53	60599	8.8.8.8	192.168.2.7
Jan 13, 2021 21:39:17.279335022 CET	59571	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:39:17.329487085 CET	53	59571	8.8.8.8	192.168.2.7
Jan 13, 2021 21:39:17.916559935 CET	52689	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:39:17.972969055 CET	53	52689	8.8.8.8	192.168.2.7
Jan 13, 2021 21:39:18.552710056 CET	50290	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:39:18.609285116 CET	53	50290	8.8.8.8	192.168.2.7
Jan 13, 2021 21:39:19.199055910 CET	60427	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:39:19.270555973 CET	53	60427	8.8.8.8	192.168.2.7
Jan 13, 2021 21:39:20.267975092 CET	56209	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:39:20.327270031 CET	53	56209	8.8.8.8	192.168.2.7
Jan 13, 2021 21:39:21.147104979 CET	59582	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:39:21.195040941 CET	53	59582	8.8.8.8	192.168.2.7
Jan 13, 2021 21:39:21.739501953 CET	60949	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:39:21.796025038 CET	53	60949	8.8.8.8	192.168.2.7
Jan 13, 2021 21:39:55.006208897 CET	58542	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:39:55.057044983 CET	53	58542	8.8.8.8	192.168.2.7
Jan 13, 2021 21:39:56.184195042 CET	59179	53	192.168.2.7	8.8.8.8
Jan 13, 2021 21:39:56.257781029 CET	53	59179	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2021 21:39:56.184195042 CET	192.168.2.7	8.8.8.8	0xad80	Standard query (0)	smtp.vivaldi.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 13, 2021 21:39:56.257781029 CET	8.8.8.8	192.168.2.7	0xad80	No error (0)	smtp.vivaldi.net		31.209.137.12	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 13, 2021 21:39:58.178632975 CET	587	49755	31.209.137.12	192.168.2.7	220 smtp.vivaldi.net ESMTP Postfix (Ubuntu)
Jan 13, 2021 21:39:58.179253101 CET	49755	587	192.168.2.7	31.209.137.12	EHLO 301389
Jan 13, 2021 21:39:58.267843008 CET	587	49755	31.209.137.12	192.168.2.7	250-smtp.vivaldi.net 250-PIPELINING 250-SIZE 36700160 250-ETRN 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 SMTPUTF8
Jan 13, 2021 21:39:58.268186092 CET	49755	587	192.168.2.7	31.209.137.12	STARTTLS
Jan 13, 2021 21:39:58.356933117 CET	587	49755	31.209.137.12	192.168.2.7	220 2.0.0 Ready to start TLS

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 30714756.exe PID: 6236 Parent PID: 5628

General

Start time:	21:38:06
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\30714756.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\30714756.exe'
Imagebase:	0xe00000
File size:	632320 bytes
MD5 hash:	C1279EB7BA4C37F73765233D8CE917D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.253256411.00000000042D9000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6284 Parent PID: 6236

General

Start time:	21:38:10
Start date:	13/01/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xf60000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.610914759.00000000033A1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.607538381.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.611152121.00000000033E2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.611152121.00000000033E2000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 30714756.exe PID: 6236 Parent PID: 5628 30714756.exeCOMMON

Executed Functions

Function 0136D4EC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251552137.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e43ba726386440e61d61c2da8ce96fd8ead019cea4ee2bd850b0dc43223f9c
Instruction ID: b97594d7140b8e2a8ff1a18906c6c63d2bdc3f36aba70c813f176d119af3058d
Opcode Fuzzy Hash: 56e43ba726386440e61d61c2da8ce96fd8ead019cea4ee2bd850b0dc43223f9c
Instruction Fuzzy Hash: C52128B1604244DFDB11DF94D9C0B26BF69FB8832CF24C5A9EA454BA0AC336D855CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0136D400, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251552137.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d576869a6b3e13e67fb30454b409d944eb94736647320b18f5bfefc7410c5981
Instruction ID: d92e7a344d8f403fbcc47c2d542cc24db126c6616d812ea7bdb04381ee2c4b28
Opcode Fuzzy Hash: d576869a6b3e13e67fb30454b409d944eb94736647320b18f5bfefc7410c5981
Instruction Fuzzy Hash: 24213671604204DFCB12DF54D9C0B66BF69FB88328F24C5A8E9455B20ECB36EC46CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0137D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251562451.000000000137D000.00000040.00000001.sdmp, Offset: 0137D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e0b8821916ee9e9c9a9dafadf575ee34eb6be5c4e5262ed2aed086ace47fd0
Instruction ID: a378b4a3f6705a77f3f43d64f54d3601642ad61d95000e9ac01fe24e447cfeec
Opcode Fuzzy Hash: 77e0b8821916ee9e9c9a9dafadf575ee34eb6be5c4e5262ed2aed086ace47fd0
Instruction Fuzzy Hash: 12213775504244DFCB22CF64D9C0B26BB65FF88358F24C5ADD9094B646C37AD807CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0137D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251562451.000000000137D000.00000040.00000001.sdmp, Offset: 0137D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3e65149e4c6cad1746524082997a4f146220bd11afd7bde39c330e25f257a8
Instruction ID: aa512a6a9b622bc38b5a6fdf72eae2ae50c54d0bade1716562478209b8ca9228
Opcode Fuzzy Hash: aa3e65149e4c6cad1746524082997a4f146220bd11afd7bde39c330e25f257a8
Instruction Fuzzy Hash: 37218E755093808FCB13CF24D994B15BF71EF46218F28C5EAD8498B667C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0136D3FB, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251552137.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b88a7ec900b8d9d152df82f6a6fdb144c596dfe53c5a765c19d03004c3cb1d32
Instruction ID: 940499cb7c4f35703347daa903a0716ff8c12e6914aae1bb0f0f28bc3b60fb3e
Opcode Fuzzy Hash: b88a7ec900b8d9d152df82f6a6fdb144c596dfe53c5a765c19d03004c3cb1d32
Instruction Fuzzy Hash: 8B11D376504280CFCB12CF54D5C4B56BF71FB84324F28C6A9D8485B61BC33AE856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0136D4E7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251552137.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b88a7ec900b8d9d152df82f6a6fdb144c596dfe53c5a765c19d03004c3cb1d32
Instruction ID: 87ae6a026c2b3f12d34ddefaefb87d0defc1ceccb4ded631af8edcbaaf52409c
Opcode Fuzzy Hash: b88a7ec900b8d9d152df82f6a6fdb144c596dfe53c5a765c19d03004c3cb1d32
Instruction Fuzzy Hash: 2111D376504280CFCB12CF54D5C4B16BF72FB88328F28C6A9D9494B61BC336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0136D745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251552137.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6613ed10cc63b2ccd58da73f0905e8b7d09258c8822b9fbbf4e534256c21a0fe
Instruction ID: 018e763ac6a1809ab0775ede7163c726cd46c82db27bdcb5cec99281f2db80a5
Opcode Fuzzy Hash: 6613ed10cc63b2ccd58da73f0905e8b7d09258c8822b9fbbf4e534256c21a0fe
Instruction Fuzzy Hash: C4012B716083C49AE7104E66CCC4B66FB9CDF4527CF08C55AEE444B64EC7BD9844CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0136D744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251552137.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ed262179a539723be8e5b56def3c9710dab2e29324eb61a92a83bbebbbcd43
Instruction ID: 502a9c6907408c4c309131d11286a42033adc121463e9bf0e62510e5fad5eecc
Opcode Fuzzy Hash: d7ed262179a539723be8e5b56def3c9710dab2e29324eb61a92a83bbebbbcd43
Instruction Fuzzy Hash: 62F0FC715043849EE7108E1ACCC8B62FF9CDB41634F18C45AED480B24BC3B95844CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: RegSvcs.exe PID: 6284 Parent PID: 6236 RegSvcs.exeCOMMON

Executed Functions

Function 015D1FE0, Relevance: 4.3, Strings: 3, Instructions: 510COMMON

Download Yara Rule

Strings

D0!l, xrefs: 015D25D1
D0!l, xrefs: 015D2444
D0!l, xrefs: 015D24D1

Memory Dump Source

Source File: 00000001.00000002.609495723.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID: D0!l$D0!l$D0!l
API String ID: 0-3451108113
Opcode ID: 0143791cab52be0b9d6d3af40176a598548be16b477ac04d6c6d539b80342816
Instruction ID: 9d79c7203b1f7d54790f1a325e258eb404c119053e2238a86ae674b5b48f7089
Opcode Fuzzy Hash: 0143791cab52be0b9d6d3af40176a598548be16b477ac04d6c6d539b80342816
Instruction Fuzzy Hash: 7D127D70A002198FDB24CF69C854BAEBBF6BF88304F148569E95AEB395DF349C45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0162B860, Relevance: 3.3, Strings: 2, Instructions: 831COMMON

Download Yara Rule

Strings

Xc!l, xrefs: 0162C016
Xc!l, xrefs: 0162C00C

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID: Xc!l$Xc!l
API String ID: 0-3756609265
Opcode ID: ea5ea74d38b2411169523652603ffd2455cdf93aecc8a5132ff94724f3384497
Instruction ID: a2465bcb56c546732da17b96069a0c13baec0246d2e73d15491c4f07ed0a4ecc
Opcode Fuzzy Hash: ea5ea74d38b2411169523652603ffd2455cdf93aecc8a5132ff94724f3384497
Instruction Fuzzy Hash: D752D330B002159FDB24DBA8C854B6EB7F6EF89300F158469E506DB395DB74DC41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01625A98, Relevance: 2.9, Instructions: 2929COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411b647d06eb482fe60b8a24eacec30ebe854b526bc3f8fe6a17092b15f48723
Instruction ID: a4770d53a41fc8798f180002f5d61276d9e06c5932eae56594b08b2eaf0b160f
Opcode Fuzzy Hash: 411b647d06eb482fe60b8a24eacec30ebe854b526bc3f8fe6a17092b15f48723
Instruction Fuzzy Hash: 84530B31D10B5A8ECB21EF68CD44699F7B5FF99300F15C69AE4586B221EB30AAC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01691DA0, Relevance: 2.3, APIs: 1, Instructions: 760libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01692528

Memory Dump Source

Source File: 00000001.00000002.609845476.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ff16c6076a995d74438fca5ae7cb73cbb471ba4858b5ea0a84a923ee7128ebd5
Instruction ID: 4dde601eeb4612e86b0c0c5428aa256e4b821cf1cb8c6c886932ca628f697455
Opcode Fuzzy Hash: ff16c6076a995d74438fca5ae7cb73cbb471ba4858b5ea0a84a923ee7128ebd5
Instruction Fuzzy Hash: D6621871E006198FCB24EF78C95469DB7F6AF89300F1185A9D54AAB354EF30AE85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 01733908, Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.610142281.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e420539265e22c18841f5d0c8d44756c70d3dc6d3d9bc2c9c4c6ad36a472bf
Instruction ID: acc30a505463efa52c676e1d2dc462c9c751d3d98def6aecfcb1f3671ff54144
Opcode Fuzzy Hash: 82e420539265e22c18841f5d0c8d44756c70d3dc6d3d9bc2c9c4c6ad36a472bf
Instruction Fuzzy Hash: 5EF14C30A00209CFDB24DFA9C888B9DFBF1FF88314F158559E509AF2A6DB74A945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 015DE7D0, Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015DE811

Memory Dump Source

Source File: 00000001.00000002.609495723.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 168c22a1cb97d44fe05ebf8331528467d4c0a870a2aa4a873087c89c82ffb1b5
Instruction ID: 730212a789b6caa4498720656e5d97dbf865706a9131d8f0d307dc1d460aa2a7
Opcode Fuzzy Hash: 168c22a1cb97d44fe05ebf8331528467d4c0a870a2aa4a873087c89c82ffb1b5
Instruction Fuzzy Hash: 1A613A30E11205DBDB24EFB8D4997AEBBF2FF88315F108828E506AB354DB749949CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01620040, Relevance: .8, Instructions: 839COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c45455ab9f455063d65a495d7d4d92d76e926af09e6e3f9b3cabf7bf1e6bbe1
Instruction ID: ede4da3f5eb85bbc1ca5e11609e21be23370a8b54240ad6da5ccb7a04c673faf
Opcode Fuzzy Hash: 3c45455ab9f455063d65a495d7d4d92d76e926af09e6e3f9b3cabf7bf1e6bbe1
Instruction Fuzzy Hash: 93726D34A002158FCB24EB74D898BADBBB7AF88314F1485A9E50AEB744DF359C45CF52

Uniqueness

Uniqueness Score: -1.00%

Function 01620022, Relevance: .7, Instructions: 746COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4078104573d6249442e39470dc900d10ce4b31f338e1fb8daf0d3d77a9ca093f
Instruction ID: 4a59a1e005a495949c838db9583f1cd47d648cb4f301ad3805b84ee22efbfc19
Opcode Fuzzy Hash: 4078104573d6249442e39470dc900d10ce4b31f338e1fb8daf0d3d77a9ca093f
Instruction Fuzzy Hash: 6A625C74A002258FCB24EB74D898BADBBB7BF88314F1485A9E50AAB744DF349C458F51

Uniqueness

Uniqueness Score: -1.00%

Function 015DD7E0, Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609495723.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83aefb6aaba2fca9e40b7827a291471a129c1f60fbce94f59e45e7cd5a896c3
Instruction ID: ea57042bd0e2e8ce2e5638fa25f5b26b2eeed2f893e3abea3de019e0deedb0b3
Opcode Fuzzy Hash: b83aefb6aaba2fca9e40b7827a291471a129c1f60fbce94f59e45e7cd5a896c3
Instruction Fuzzy Hash: 73F14C30E002158FCB24DFB8C888A9DBBB2BF88314F258565D915EF395DB75EC428B91

Uniqueness

Uniqueness Score: -1.00%

Function 01690040, Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609845476.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcbd73f3543460e0478298753c0f74c101be3133910c9bb188140c9d8e41e614
Instruction ID: b714cf47da205a4b5a32debddd0e04f10c885e51935fecf1436e41090b0a168a
Opcode Fuzzy Hash: dcbd73f3543460e0478298753c0f74c101be3133910c9bb188140c9d8e41e614
Instruction Fuzzy Hash: 87D17070B002045FDB28EB78C95876EB6EBAFC5714F158428E50AEF384DF799C068792

Uniqueness

Uniqueness Score: -1.00%

Function 015D2764, Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609495723.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a3a330fe6bb2d83d0862d9c52e2805ae0fdd7ddebc5a88cd817b906220500fb
Instruction ID: b780b33cc41ba7e02517b898bebca502352b2cf95b41ec2930ea907d10bb1b66
Opcode Fuzzy Hash: 2a3a330fe6bb2d83d0862d9c52e2805ae0fdd7ddebc5a88cd817b906220500fb
Instruction Fuzzy Hash: E8D11770A00119CFDB25CFADC984AADBBB2FF88350F158069E915AF261D771EC81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 033746A0, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.610721941.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2429a0f3767fe8408d3036260c0401e02f374198c99625d211932ec4b38a6f65
Instruction ID: 2e119bad228ce3bc69d17c560d4b0ebb93f9bb350dbbdae1036b19aa5d2cf455
Opcode Fuzzy Hash: 2429a0f3767fe8408d3036260c0401e02f374198c99625d211932ec4b38a6f65
Instruction Fuzzy Hash: 4B12A3B04357498BE318CF65E88E18D3FA1F745719F504208FA652BAE1DFB9A18ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 01621C70, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfae03da820d9e3925a2721058953c2ada1739c126c3f3b51cfef9077205f668
Instruction ID: 64f7d88799050fd0dc72cc00655fbe14542680ac4de806572a5b01e4be409eef
Opcode Fuzzy Hash: dfae03da820d9e3925a2721058953c2ada1739c126c3f3b51cfef9077205f668
Instruction Fuzzy Hash: DC91C230B002159FDB14EBB9DC59BAE76E7AF88314F148828EA06DB384DF34DD058B91

Uniqueness

Uniqueness Score: -1.00%

Function 03374690, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.610721941.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929cca017ebc4c36f34b6c6c2e7883dbd2239f786f29f051c6f2fa0c831a2821
Instruction ID: cd96bebff648eed85a4277e80ae72c41bda85658906ed479a20be361932126cb
Opcode Fuzzy Hash: 929cca017ebc4c36f34b6c6c2e7883dbd2239f786f29f051c6f2fa0c831a2821
Instruction Fuzzy Hash: D6C1E8B18347498AD718CF64E84E19D7FA1FB85318F504218F9652BAE1DFB9B08ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 03374673, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.610721941.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6436ddfef5c6d59c83bfc208b5ff8bd2e0953c0268387a21999e1d34e3a131
Instruction ID: b39026cb3274b9a3017a2383f3940debad7f8bcbd08b7f9a188d0441c9ff7012
Opcode Fuzzy Hash: 3d6436ddfef5c6d59c83bfc208b5ff8bd2e0953c0268387a21999e1d34e3a131
Instruction Fuzzy Hash: 9BB1D7B08347498BE718CF65E84E18D7FA1F745718F144218FA652BAE1DBB9B08ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 03376940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 033769A0
GetCurrentThread.KERNEL32 ref: 033769DD
GetCurrentProcess.KERNEL32 ref: 03376A1A
GetCurrentThreadId.KERNEL32 ref: 03376A73

Memory Dump Source

Source File: 00000001.00000002.610721941.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: cfffc409d507e8a2bea895449604e61ef1f9a3f663e1d3ef9718133f7613648c
Instruction ID: 3afa34106639a4fa33fe366e3a7f281bb244c4e57adfbc067c21132efcd08f81
Opcode Fuzzy Hash: cfffc409d507e8a2bea895449604e61ef1f9a3f663e1d3ef9718133f7613648c
Instruction Fuzzy Hash: 205157B49006498FDB24CFA9D589BDEFBF0EF88314F248459E419A7360DB74A844CF61

Uniqueness

Uniqueness Score: -1.00%

Function 016214F0, Relevance: 5.2, Strings: 4, Instructions: 244COMMON

Download Yara Rule

Strings

\, xrefs: 0162172E
\, xrefs: 016216F3
\, xrefs: 01621639
\, xrefs: 01621569

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID: \$\$\$\
API String ID: 0-3238275731
Opcode ID: 4337f8c2c2e55a77087fad8ffabefc99c21e4587f2bd44da3e48824830064d19
Instruction ID: 41193c7821d21626b1d7179c7a3202275352225de8b76b78d332493fb636d57a
Opcode Fuzzy Hash: 4337f8c2c2e55a77087fad8ffabefc99c21e4587f2bd44da3e48824830064d19
Instruction Fuzzy Hash: 25811671B086208BDB24DB388C407BE76E6AB86314F198569C516DB7C1EF78DC468BD1

Uniqueness

Uniqueness Score: -1.00%

Function 01622DE8, Relevance: 2.0, Strings: 1, Instructions: 799COMMON

Download Yara Rule

Strings

7, xrefs: 016237C8

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 0ebf123d7b4b354f2ce9f4dfc3d55140293e0368bd5297b8ac5d80c1ef450740
Instruction ID: c81759789407c31ee029f1704d0b8f1a4419b3926fa80c395781e652a42d4fef
Opcode Fuzzy Hash: 0ebf123d7b4b354f2ce9f4dfc3d55140293e0368bd5297b8ac5d80c1ef450740
Instruction Fuzzy Hash: 69527930B007158FDB14EBB8D8586AEBBF2BF89304F148469D909DB395DB399D06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 016916A8, Relevance: 2.0, APIs: 1, Instructions: 485libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01691B6F

Memory Dump Source

Source File: 00000001.00000002.609845476.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7dd0ffea9ba501ac948f589a646f5795a675f1d788254af9c5f42c848f09f339
Instruction ID: dcd0156d52ce6f41fe76aa3e0a4ad3b5076c8667adb4be779f2addaf270be4ba
Opcode Fuzzy Hash: 7dd0ffea9ba501ac948f589a646f5795a675f1d788254af9c5f42c848f09f339
Instruction Fuzzy Hash: C2028030E002068FDF24DB68C9847ADB7F6FB46320F648966E515EB395DB34DC458B91

Uniqueness

Uniqueness Score: -1.00%

Function 015DD2E0, Relevance: 1.6, APIs: 1, Instructions: 130registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 015DD3F9

Memory Dump Source

Source File: 00000001.00000002.609495723.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f813fdf5c1f21dfc9ad3acb5dcc5f59f701f0b6b23e5fa0555e905b814422980
Instruction ID: 7c510609b04b01ccecd8dadf051b43832e39f8825bc7b84ae8b6af3add22a136
Opcode Fuzzy Hash: f813fdf5c1f21dfc9ad3acb5dcc5f59f701f0b6b23e5fa0555e905b814422980
Instruction Fuzzy Hash: 694122B5E00359DFCB21CFA9C884ADEBBF1BB48310F15856AE818AB350D774A805CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03375090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 033751A2

Memory Dump Source

Source File: 00000001.00000002.610721941.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6d3c3453dd94440128ece948e241ada81c30bd86099c0a3c1b7b1cb4952c9154
Instruction ID: 5ff3ae4cf916137e49f666b01fde29209976be7d24b69239b17a444431404816
Opcode Fuzzy Hash: 6d3c3453dd94440128ece948e241ada81c30bd86099c0a3c1b7b1cb4952c9154
Instruction Fuzzy Hash: 1D41CEB1D103499FDF24CF99C884ADEFBB5BF49314F64852AE819AB210D774A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015DD028, Relevance: 1.6, APIs: 1, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 015DD13C

Memory Dump Source

Source File: 00000001.00000002.609495723.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 1a409d63f5d5bd6142a755d08b66d2111e4510faf58317706e86bfd7a4c7f8e5
Instruction ID: 1b089c8388b79cf635468c0abc7642891e163d74aad23a78dd0f97d240cd1218
Opcode Fuzzy Hash: 1a409d63f5d5bd6142a755d08b66d2111e4510faf58317706e86bfd7a4c7f8e5
Instruction Fuzzy Hash: 644146B0D043498FDB24CFA8C588A9EFBF5BF88304F24856AD408AB381D7799845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0337779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 03377F09

Memory Dump Source

Source File: 00000001.00000002.610721941.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 1cba471eb0b0f11915c5c00cb76d4f53f99c1398881149cbc487d82b60976a08
Instruction ID: 688c42b6cd0eafdf9857b854efc7d38f02654e43c0589a9042278cfe0661d4c5
Opcode Fuzzy Hash: 1cba471eb0b0f11915c5c00cb76d4f53f99c1398881149cbc487d82b60976a08
Instruction Fuzzy Hash: 07414FB9910305CFDB14CF55C488AAABBF5FF88314F158999E519A7720D774E841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 015DE770, Relevance: 1.6, APIs: 1, Instructions: 93libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015DE811

Memory Dump Source

Source File: 00000001.00000002.609495723.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3a65c8c0ade77e4fc33c0d88ac8857f1956ae905182b06ad7d11320662a95a0
Instruction ID: ae84757a8cb0df10f5e202c319ba0db0fc1ac0b16c59e672b0bc64273a358f31
Opcode Fuzzy Hash: a3a65c8c0ade77e4fc33c0d88ac8857f1956ae905182b06ad7d11320662a95a0
Instruction Fuzzy Hash: 8A31AC30A04385DFCB25DFB8D88AA9D7BB1FB85300F158469D401AF392DB789C45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 015DB78C, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 015DD3F9

Memory Dump Source

Source File: 00000001.00000002.609495723.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f496122da4008c9752281e80385e0519d1b7385945e21aa21f59ddc8de10d418
Instruction ID: 697e9278ca9816245e93c2b274a390a069792b827f6cee42b1ec9759ad790f81
Opcode Fuzzy Hash: f496122da4008c9752281e80385e0519d1b7385945e21aa21f59ddc8de10d418
Instruction Fuzzy Hash: 2B31DDB1D002589BCB20CF9AC984ADEBBF5BB48314F55842AE819BB350D7B4A905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015DB780, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 015DD13C

Memory Dump Source

Source File: 00000001.00000002.609495723.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5ad51201856a46f9902411ac767a92029143fb5a8b877f3f6ca785bef75f83ff
Instruction ID: 383a8cbf280fb2bf3d7be034893d9e66c3c0382e3263bba03124d43e1a3cd806
Opcode Fuzzy Hash: 5ad51201856a46f9902411ac767a92029143fb5a8b877f3f6ca785bef75f83ff
Instruction Fuzzy Hash: D331E1B09002499FDB24CFA9C584A8EFBF5BF48304F24856AE409AB344D7B59845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03376B63, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03376BEF

Memory Dump Source

Source File: 00000001.00000002.610721941.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a5f954c65cfd2be28bbd445ba47c3f432d54a9a6e79a6ffa83554f7744bd6f12
Instruction ID: c53da16994a008b2d5d4cb8c00bd43cee1cb000181f7265934e5abfd56d22bd0
Opcode Fuzzy Hash: a5f954c65cfd2be28bbd445ba47c3f432d54a9a6e79a6ffa83554f7744bd6f12
Instruction Fuzzy Hash: D021B3B59002499FDB10CFA9D985ADEFBF8EB48324F14841AE954A3310D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03376B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03376BEF

Memory Dump Source

Source File: 00000001.00000002.610721941.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b0f241431c38c653a8b6a6d6260c71f4fde42884a686f9b108e6d0083119edff
Instruction ID: 9c1776a3b666f510d48e9d23f44d5ffdaf48ab657f6330b374069a8c862de253
Opcode Fuzzy Hash: b0f241431c38c653a8b6a6d6260c71f4fde42884a686f9b108e6d0083119edff
Instruction Fuzzy Hash: 3821C2B5900249DFDB10CFAAD984ADEFBF8EB48324F14841AE954A3310D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 016966F7, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0169668A), ref: 01696777

Memory Dump Source

Source File: 00000001.00000002.609845476.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: f3a631f1a4b0890cee3f623d77b7479681d2bc141fafe86f94d24f3c9e82b5b3
Instruction ID: 4cf57409823264c282c633fdc1d52a5cb7a0b6cefb0b2daaf589014e3e5eee48
Opcode Fuzzy Hash: f3a631f1a4b0890cee3f623d77b7479681d2bc141fafe86f94d24f3c9e82b5b3
Instruction Fuzzy Hash: 3C2144B1C046598FCB10CFAAC484B9EFBB4BF48324F05816AD928B7240D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 016955AC, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0169668A), ref: 01696777

Memory Dump Source

Source File: 00000001.00000002.609845476.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: dde0c7cdfa830c69be7d14c8b46b4ce20a230cf295c4304e415724e9389bc895
Instruction ID: 0b8b5fd6bbea0db74e2f695cbe811248b25544c027bbe2cb26400b6beed7bd34
Opcode Fuzzy Hash: dde0c7cdfa830c69be7d14c8b46b4ce20a230cf295c4304e415724e9389bc895
Instruction Fuzzy Hash: D31117B1C046199BCB10CF9AC4847EEFBF4EB48324F15856AD518B7240D778A945CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 0337BE08, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0337BE82

Memory Dump Source

Source File: 00000001.00000002.610721941.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 331c8a2e9c0704d81a1980e3e980ec91f69e6cfc4760609f1483d330fc4f6b0c
Instruction ID: 7483b24ae570f6af324e5435026b4c50ef0d1d625e1a3473587be0a9f30aff14
Opcode Fuzzy Hash: 331c8a2e9c0704d81a1980e3e980ec91f69e6cfc4760609f1483d330fc4f6b0c
Instruction Fuzzy Hash: 921189709103448FCB20DFA9D94878EBFF4FB49325F14846AE804A7B00D77A6904CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03373300, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 03374116

Memory Dump Source

Source File: 00000001.00000002.610721941.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a5cead4ec905a071c6bd0d29fd07a90369e190943febb6ab0455ea5d449bebd1
Instruction ID: 0e1795aa575d4e7c93bb2650faebee24094665b895332b040ee002555a7782f7
Opcode Fuzzy Hash: a5cead4ec905a071c6bd0d29fd07a90369e190943febb6ab0455ea5d449bebd1
Instruction Fuzzy Hash: 711134B5C003498FCB20DF9AC888BDEFBF4EB49214F14841AD829B7600D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 033740AB, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 03374116

Memory Dump Source

Source File: 00000001.00000002.610721941.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ab35be2803cf5a59a7c3fcd6d38f1815e55decb02b2128f9d234973c8817e893
Instruction ID: acd752734b7b030e7be686c9059f7adce63a644b6ad77509a9ac03b2f3ac38de
Opcode Fuzzy Hash: ab35be2803cf5a59a7c3fcd6d38f1815e55decb02b2128f9d234973c8817e893
Instruction Fuzzy Hash: 761104B6C002498FCB20CF9AC888BDEFBF4EB49214F15841AD419B7600D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01732770, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 01733745

Memory Dump Source

Source File: 00000001.00000002.610142281.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: faa70253b62400a44e5ed40d80cfb970831c90d90366291ada2897deecf49d6e
Instruction ID: 166a6ae3b221c18511fa241ef041deb0709292523e63ab7f08b9a9c8360b6956
Opcode Fuzzy Hash: faa70253b62400a44e5ed40d80cfb970831c90d90366291ada2897deecf49d6e
Instruction Fuzzy Hash: 421103B5904648CFDB20DF99D488BDEFBF4EB48324F10845AD519B7600D3B8A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 017336E9, Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 01733745

Memory Dump Source

Source File: 00000001.00000002.610142281.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ac18a70dfb28281aa31630433b91a55c610056e0b09794963a8dc34d5cb291a6
Instruction ID: 473a697cbf9c44af81c6772cbe83157654a282eb49abd5c43e47a0d289a8ba62
Opcode Fuzzy Hash: ac18a70dfb28281aa31630433b91a55c610056e0b09794963a8dc34d5cb291a6
Instruction Fuzzy Hash: D41142B5800248CFCB20CF99D588BDEFBF4AB48328F20881AD559B3701D379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01621603, Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

\, xrefs: 01621639

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: f32f05fc20ead4155213b3da6d656f64db3b8b20057125c075998d54c3d248b2
Instruction ID: d919e7bca178bb97ac63702a631355d8569c8f9eb258efe0ee03483d2c8a9c29
Opcode Fuzzy Hash: f32f05fc20ead4155213b3da6d656f64db3b8b20057125c075998d54c3d248b2
Instruction Fuzzy Hash: 7D31C231B086208FCB259F78884077E7BE2EFCA254F198169C905DB785EB78DC078B90

Uniqueness

Uniqueness Score: -1.00%

Function 01620CB3, Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb8e4ea206322930152a63657a3eb8f9acd5c15458a04959c130831c1e43bc6
Instruction ID: 10ad069f47e35d7e13336b4d4c269e9d391e55d4f5e388999688693551445d58
Opcode Fuzzy Hash: 7eb8e4ea206322930152a63657a3eb8f9acd5c15458a04959c130831c1e43bc6
Instruction Fuzzy Hash: 9012C130A4D7858FD3469B788C586667BF69B87304F1A80F6E548CF7A3D638DC0A8752

Uniqueness

Uniqueness Score: -1.00%

Function 016224D8, Relevance: .6, Instructions: 552COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b2a981504eb9c6e9177b09d31d5ab22da52a276187c63f7aaa5be54d6e083f
Instruction ID: de5b9e04ce18793c15b38234b8954a6a7c118c054006c9c2c750997830e8e79a
Opcode Fuzzy Hash: a3b2a981504eb9c6e9177b09d31d5ab22da52a276187c63f7aaa5be54d6e083f
Instruction Fuzzy Hash: BC129930B042119FDB10AB74DC5CB6EBBA2AB84325F248669E916DB3D8EF359C05CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01623D90, Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0309fc67bae0b8c768f747f76ec1547614d47b7ec9312d2d900240b9d93b9407
Instruction ID: a944d3233fd330d87471d6dad29ef9b8058b6b9c66f2e5daeb839358733f42cb
Opcode Fuzzy Hash: 0309fc67bae0b8c768f747f76ec1547614d47b7ec9312d2d900240b9d93b9407
Instruction Fuzzy Hash: 45C18E30B002168FDB15DB78C854AADB7B2AF89304F2184AAD449EB355DF39DD4ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 01628B54, Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f355d4d1fd86984c5aabad34a7287fb4ed93dc4b7301e6f25b0314f913aabf27
Instruction ID: 6e746b0e15f10f6e2ae99688ffbc6ee03e14c2b36ee658fdc34855a7527bb8f3
Opcode Fuzzy Hash: f355d4d1fd86984c5aabad34a7287fb4ed93dc4b7301e6f25b0314f913aabf27
Instruction Fuzzy Hash: 48B10731B00A168BDB15CB68CC447AEFBEAEF85324F188529D559EB785CB38D840CF51

Uniqueness

Uniqueness Score: -1.00%

Function 016257D8, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3901447bbb533563d6db6b912614c2a43433bf9e252a79203dda710c3363f62
Instruction ID: d11edc9c58016b32bf8bb14ac479bb03a160f739b141c96e697f8820ffd32f04
Opcode Fuzzy Hash: a3901447bbb533563d6db6b912614c2a43433bf9e252a79203dda710c3363f62
Instruction Fuzzy Hash: F771E770F003518FDB24CB29C8497DDBBA6AF85314F24C16AD94A9F399D772CC458B92

Uniqueness

Uniqueness Score: -1.00%

Function 01624300, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7891927821b46aea8302d244bee3f896a16a569e5558135408ae9e5521042dee
Instruction ID: c2702ecf4da5f8ee4768f9d33ca865809bee5209a0bc3fb6b39b9cbf87ca5832
Opcode Fuzzy Hash: 7891927821b46aea8302d244bee3f896a16a569e5558135408ae9e5521042dee
Instruction Fuzzy Hash: 80510F71F042158FEB249B79C8543AE7BF2AF85314F19806AE608DB381DF799C45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01621238, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9310236caffac793c8cb5dad8d0b7db8f9ea2ed41c48de84523cf585083e1f3a
Instruction ID: 62ac1ac002af43f9820983c45479799f715dcbea6e909d305271ff9bde168b77
Opcode Fuzzy Hash: 9310236caffac793c8cb5dad8d0b7db8f9ea2ed41c48de84523cf585083e1f3a
Instruction Fuzzy Hash: A2412D30F002159FCF50AFB8E84C59EBBF6EF89225B508829E50AE7348DF749D058B91

Uniqueness

Uniqueness Score: -1.00%

Function 01623200, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432399f5e6879bf1ba242cc8204e7ee0cb83028c02ee9f35819dc4a58f1d75fd
Instruction ID: de55961fd4f3774dd082d14c4849fd4076e2ad7c64b29cb4ce00912ea5fa7135
Opcode Fuzzy Hash: 432399f5e6879bf1ba242cc8204e7ee0cb83028c02ee9f35819dc4a58f1d75fd
Instruction Fuzzy Hash: 3A314F74F002159FCB58EBB8985865EB7E3AFC9210B108578D50ADB358EF39DC068BC1

Uniqueness

Uniqueness Score: -1.00%

Function 01625248, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0efbb98346980d40bb0930857ed3bc3e5c8f4f46fbb6de2dc551b0c75b633212
Instruction ID: 247e7c4dbf868f5609f469a52778e3571fa679a4eadbce43815453b7dff24ef0
Opcode Fuzzy Hash: 0efbb98346980d40bb0930857ed3bc3e5c8f4f46fbb6de2dc551b0c75b633212
Instruction Fuzzy Hash: 0C31B431F002158FDF24ABB898486AE76F6EF89250F118069DA06EB344EF74DD418FE1

Uniqueness

Uniqueness Score: -1.00%

Function 01622C6A, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df519796453cf88517c8a112399d731bcf6c0306a7a3ef7a8f0bc565d032fa4
Instruction ID: fd9b8b0019ec3adfbef1c3af02ecae80c99115831d064b5cd6c96755f1c676bf
Opcode Fuzzy Hash: 2df519796453cf88517c8a112399d731bcf6c0306a7a3ef7a8f0bc565d032fa4
Instruction Fuzzy Hash: 5631C130B043568FC755DB7CC8546EE7BF2BB89310B0584AED44ADB351EB349C068B91

Uniqueness

Uniqueness Score: -1.00%

Function 0177D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.610288087.000000000177D000.00000040.00000001.sdmp, Offset: 0177D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50cac4173dc8617182551e1c233790bee224818fb99d1067f90dce4daa8934d
Instruction ID: 13d7c92469667378186aa7cd2d56a3bd5b1e7be5ddabde880348ee0375e4a05f
Opcode Fuzzy Hash: b50cac4173dc8617182551e1c233790bee224818fb99d1067f90dce4daa8934d
Instruction Fuzzy Hash: B22122B5604240DFCF22CFA4D9C4B26FB65FF88354F24C9ADE9094B246C376D806CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 01621C60, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c078f0026d08858951eee3b235d1f62fed564dbafad361dae80d132c52339a
Instruction ID: de62704fd632a0f6b4e19a55c02bae5d9c460b71516f9f9dcdcb0549fa319bd0
Opcode Fuzzy Hash: 63c078f0026d08858951eee3b235d1f62fed564dbafad361dae80d132c52339a
Instruction Fuzzy Hash: DF215071F002158FCB54EFB8D44479EB6E6EB89214B008939D609DBB44EB3499098FD1

Uniqueness

Uniqueness Score: -1.00%

Function 01624168, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325de429c7b3131f4378e9f79ef1cbd24132e48aa5da76070330878b3aa73767
Instruction ID: 6100b90c5679e3bb05e5a2929d0fb5843350f196a48327837eadb0d832547c7d
Opcode Fuzzy Hash: 325de429c7b3131f4378e9f79ef1cbd24132e48aa5da76070330878b3aa73767
Instruction Fuzzy Hash: E521D130F053199FDB01DFA8D454AED7BB6AF8A304F1180A9E104AB392CB759C04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 016255F0, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7de50c800ae46e09a02e24adfd2523d8620372a53c6818dcca884cb0b002763
Instruction ID: 4d6c4be846cd301c5d53035a8120701b76ede827c821e16ef5cae78a60d7042d
Opcode Fuzzy Hash: d7de50c800ae46e09a02e24adfd2523d8620372a53c6818dcca884cb0b002763
Instruction Fuzzy Hash: EB11E531B087724FCB3686785C596DA77A19B95260F1581B2D906DF3E2EB24CC074B52

Uniqueness

Uniqueness Score: -1.00%

Function 0177D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.610288087.000000000177D000.00000040.00000001.sdmp, Offset: 0177D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4025d37efdfbce0e093f44a05613069a3d82dc03039e765c907437c890d8199e
Instruction ID: 2df0850d885f3ce5a43b7dc98c744bf1734d408cf8b195840e18dd6281e463f5
Opcode Fuzzy Hash: 4025d37efdfbce0e093f44a05613069a3d82dc03039e765c907437c890d8199e
Instruction Fuzzy Hash: 3E11BB75504280CFCB22CF54D5D4B15FBA1FB88324F28C6AAD8094B656C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01625530, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af61d6a737a09ec37b2182ee5a96ac6dbce0f82583b23350a704489caf45f768
Instruction ID: 5161bd51773220ae560bcfa81029e244733e371a70a03d912257a133fdfb4feb
Opcode Fuzzy Hash: af61d6a737a09ec37b2182ee5a96ac6dbce0f82583b23350a704489caf45f768
Instruction Fuzzy Hash: 9811FA74F001268F8B54EB7CD844AAEB7F6BB8D211B508429D50AE7354EB74AD058B91

Uniqueness

Uniqueness Score: -1.00%

Function 016237D8, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f12df7b5849671f3249e759443818ee83c3225d2ce5bab9d331404bc708c95f
Instruction ID: 84de9a63bab12c22501d9980f86524e77bfbb1b1c59a3e971982c4d6d6a3341b
Opcode Fuzzy Hash: 1f12df7b5849671f3249e759443818ee83c3225d2ce5bab9d331404bc708c95f
Instruction Fuzzy Hash: A1115270F001268F8B54EBBCD8449AEB7F6FBCC211B158429D50AD7354EB749D118BD1

Uniqueness

Uniqueness Score: -1.00%

Function 01625410, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c96768069d1eec32696f92a5f20cc97acb90e1b4441911e82b70d0ce13a319
Instruction ID: e14b8f2f0362c8facd14d015c9e2db57269ae8722e74e7408fb14a920131306f
Opcode Fuzzy Hash: e5c96768069d1eec32696f92a5f20cc97acb90e1b4441911e82b70d0ce13a319
Instruction Fuzzy Hash: 2111FA74F002268F8B54EBBCD845AAEB7F6BB8C211B118429D50AD7344EB74AD058BD1

Uniqueness

Uniqueness Score: -1.00%

Function 01622CC8, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689ac2798e8b20f379b23882e9434b9364b3ef2b13d3712ae94643bd54fa75cc
Instruction ID: 8a6e19e4e7f57c75ceebc3b0189422e1ef8f3385227e05cede31bad7d339cdb1
Opcode Fuzzy Hash: 689ac2798e8b20f379b23882e9434b9364b3ef2b13d3712ae94643bd54fa75cc
Instruction Fuzzy Hash: BB113031F002258F8B50EBBCD854AAEB7F6FB8D210B548429D50AD7354EB349D028B91

Uniqueness

Uniqueness Score: -1.00%

Function 01624EB0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30581e232ca5195edae008e7eb27c2192792fe6e90a4f7e9f1220fa40e027ec
Instruction ID: 0229acc3a6c7ca2c5a04345a5dc4b1ce3ec9c9f73cc1b38df23b8048afcb3f19
Opcode Fuzzy Hash: b30581e232ca5195edae008e7eb27c2192792fe6e90a4f7e9f1220fa40e027ec
Instruction Fuzzy Hash: 55112A30F001268F8B50EBBCD8849AEB7F6BBCC211B158429D50AD7354EF34AD028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 01624235, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3026f8d6ee7f4eea548729d01e577794b093056a2fa616db89b8953a6a2507ac
Instruction ID: 291858f44026f1652364fe34f625b0743bc0180176b3c547346b94a56b887dd0
Opcode Fuzzy Hash: 3026f8d6ee7f4eea548729d01e577794b093056a2fa616db89b8953a6a2507ac
Instruction Fuzzy Hash: C2114870A01219DFCB15CFA9E8946DCBBB2FF8A305F1180A9E101AB351CB729905CF91

Uniqueness

Uniqueness Score: -1.00%

Function 016228A0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7666acc0a0e10d4efe296ca633fe7731f748c4f2276efa6611fcf8133be9ab3f
Instruction ID: 42ee9206f3a940a74b25b94dfca4b2f097354ded05a12d02b5d8db141636dbde
Opcode Fuzzy Hash: 7666acc0a0e10d4efe296ca633fe7731f748c4f2276efa6611fcf8133be9ab3f
Instruction Fuzzy Hash: B1F02831F0022557CF1467B8EC1869E7BA6EBC5220F10453DE906EB388EF319D158BC0

Uniqueness

Uniqueness Score: -1.00%

Function 01625650, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7676e42a9013c9c4a1f610c1ec4508a9a6378957a09ff5dd0bb7029c1758a9c0
Instruction ID: c5d00d9211de97d6875ad9ca20b9019b3491b3a384de6b1842a68c93f56ad47c
Opcode Fuzzy Hash: 7676e42a9013c9c4a1f610c1ec4508a9a6378957a09ff5dd0bb7029c1758a9c0
Instruction Fuzzy Hash: D6F08271F002295F8F60ABBC581869F7AF9EB88260F014435D50AE7344EE348D028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 01622D27, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72fd6f090e4019cbe08d3b80893587bb0878a6a176501befd0366224f3f94648
Instruction ID: 864f0d521f2dac64b1329f71a71cdb6f3025c2c4d175dce70298dcabe614e370
Opcode Fuzzy Hash: 72fd6f090e4019cbe08d3b80893587bb0878a6a176501befd0366224f3f94648
Instruction Fuzzy Hash: 13E0C935B0012A8B8F24EBBCD8549DDB3E2FBC9221B058069D50AEB354DF389D018B91

Uniqueness

Uniqueness Score: -1.00%

Function 01624F0F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078a6232eb1ca8bd22c597640234b67f2eedd0dd9081781b168d0384cb220c2b
Instruction ID: 99d5b3b3a73eb670362494a7266192abc5349db6db8b1eb52201d01f8b4792d2
Opcode Fuzzy Hash: 078a6232eb1ca8bd22c597640234b67f2eedd0dd9081781b168d0384cb220c2b
Instruction Fuzzy Hash: 38E0ED35B0012A8B8F24FBBCD4589DDB3E2FFCC215B068069D606EB354DE349D018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0162558F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06fc825004608413dcca8c9137176a6959eeb27071cb5c4acac9c6ab870d55c5
Instruction ID: 4f9b7d55ad5bbd23840e8eb3c661e65133cd08cceb02f46eed361e1783659786
Opcode Fuzzy Hash: 06fc825004608413dcca8c9137176a6959eeb27071cb5c4acac9c6ab870d55c5
Instruction Fuzzy Hash: 55E0C935B0012A8B8F24EBBCD4549DD73E2FFCC221B118069D606EB354DE349C018B91

Uniqueness

Uniqueness Score: -1.00%

Function 0162546F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0bb6ce8a4b977ce75acda601fb605d73c654bb25f8dea3f579d27faccda3065
Instruction ID: 49a7ef9cafbae9ce37910cf1681649bcc79165d212fc3ebc1666df6a7f8a88be
Opcode Fuzzy Hash: a0bb6ce8a4b977ce75acda601fb605d73c654bb25f8dea3f579d27faccda3065
Instruction Fuzzy Hash: 5FE0C935B0012A8B8F24EBBCD8559DDB3E2FBC8211B018069D50AEB354DE349D018B91

Uniqueness

Uniqueness Score: -1.00%

Function 01623837, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b595c65654b86d9ab2fc4b369476a06752b04e3815a7c50a29ae62180a2a8a3d
Instruction ID: 13629b419dd203b02b91be4055643198bc6cf33d14a721e4463e0d039117b030
Opcode Fuzzy Hash: b595c65654b86d9ab2fc4b369476a06752b04e3815a7c50a29ae62180a2a8a3d
Instruction Fuzzy Hash: 48E0C035B0011A4B8F14E7BCD85559D73E2FBDC215B054069D505DB354DE389D118B91

Uniqueness

Uniqueness Score: -1.00%

Function 01621794, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c4421f8be6559507965ea410472386e502811dacbd7955489879543c1fec83
Instruction ID: 6c5e360e4602250b98b2dac57aa8611fac4175f18d276a440c253190c8f060c5
Opcode Fuzzy Hash: 65c4421f8be6559507965ea410472386e502811dacbd7955489879543c1fec83
Instruction Fuzzy Hash: 82D0220070C3368A4F0805B6191023F00CB1AC008AB014C3BCA02CE2D8FF0CCA801353

Uniqueness

Uniqueness Score: -1.00%

Function 0162FE05, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a54ec8b1e78100b48bad399385d70e0500a3693b5f10abd846d27ba12caa96
Instruction ID: 2232a8f0a112a32427a8be01a8331bf33d2549c20fa26f7cd845a193aeb39d41
Opcode Fuzzy Hash: f2a54ec8b1e78100b48bad399385d70e0500a3693b5f10abd846d27ba12caa96
Instruction Fuzzy Hash: BEB012333004004F9308E604C810B5ED693ABF8204718C114406543320D730E9084211

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0162CA28, Relevance: 1.8, Instructions: 1797COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609655598.0000000001620000.00000040.00000001.sdmp, Offset: 01620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff32262870d8db92fcc28d8c478018a44078e02c1677574d7672f6906db16aeb
Instruction ID: 38c7f3c95d58fb4bb232c6d8908d158f55d13e1500f302bd5af02b310ff25c86
Opcode Fuzzy Hash: ff32262870d8db92fcc28d8c478018a44078e02c1677574d7672f6906db16aeb
Instruction Fuzzy Hash: 65131D70D10A2A8ECB14EF68C8846DDF7B1BF99304F15C6A9D459AB211EB70AAC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01693FF0, Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609845476.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d702e97dc7e70054f5a12fa5d9ca4f9165b2762454d0facb09491445c634ab3b
Instruction ID: d3c5e59af05cf8a997bb13a5cb05adc6b4906c61b193b1d5cb9b9f376b14e3b2
Opcode Fuzzy Hash: d702e97dc7e70054f5a12fa5d9ca4f9165b2762454d0facb09491445c634ab3b
Instruction Fuzzy Hash: 52025A30A00229CFDB24EBB8C9547AEB7B6BF88314F1180A9D50ADB745DF349D46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0169D0CC, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.609845476.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb11c3f52319abffbc6fb842b358c0fe009a72eb297451ecb9e4c11ef9fb35f
Instruction ID: 0178d8a075ab1ae8ae72e58b92a60d13ecca5ed8ff435fc6e476620ce04ba5a9
Opcode Fuzzy Hash: 0cb11c3f52319abffbc6fb842b358c0fe009a72eb297451ecb9e4c11ef9fb35f
Instruction Fuzzy Hash: 60A17D36E1021A8FCF05DFB5CC845DDBBB6FF85301B1685AAE905EB221DB31A955CB80

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 30714756.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Statistics

CPU Usage

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre