Analysis Report New PO #0164522433 JAN 2021.exe

Overview

General Information

Sample Name: New PO #0164522433 JAN 2021.exe
Analysis ID: 339371
MD5: 1cbe8e5ddca661fc3239ffcb3b44b1db
SHA1: 1cc2dd369304b5ad81113b06cf7f73c75226cc4e
SHA256: 8ca38b4cf8849e7b7d18cc8afdae915c4dedc2f5aaca4b9a4fd57bdfd5e25a25
Tags: AgentTesla

Most interesting Screenshot:

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.618884067.00000000033E1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.263395528.00000000036C9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.614919940.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.New PO #0164522433 JAN 2021.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: New PO #0164522433 JAN 2021.exe | Virustotal: Detection: 39%
Source: New PO #0164522433 JAN 2021.exe | ReversingLabs: Detection: 15%
Machine Learning detection for sample
Source: New PO #0164522433 JAN 2021.exe | Joe Sandbox ML: detected
Source: 4.2.New PO #0164522433 JAN 2021.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: New PO #0164522433 JAN 2021.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: New PO #0164522433 JAN 2021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp | String found in binary or memory: http://mWLzHd.com
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: New PO #0164522433 JAN 2021.exe | String found in binary or memory: http://tempuri.org/_391backDataSet.xsd
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.618697950.00000000033B8000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.263395528.00000000036C9000.00000004.00000001.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000002.614919940.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 4.2.New PO #0164522433 JAN 2021.exe.400000.0.unpack, <PrivateImplementationDetails>{79DC2F01-FAFF-4FF0-BA64-E3D4296BD410}/AACAB8ED-2C83-4858-8795-EEDB395CF94A.cs | Large array initialization: .cctor: array initializer size 11780
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_0254C2B0
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_0254F71F
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_0254F720
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_02549968
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_0033283A
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_014F46A0
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_014F45D0
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_064C94F8
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_064C7540
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_064C6928
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_064C6C70
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_064CF979
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_00D3283A
Source: New PO #0164522433 JAN 2021.exe | Binary or memory string: OriginalFilename vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.268791635.00000000059D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePositiveSign.dll< vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.260948979.000000000038E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVariant.exe: vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.263395528.00000000036C9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDEBppvHXdgcoxrhnKZalEBYtvqYaM.exe4 vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSoapName.dll2 vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe | Binary or memory string: OriginalFilename vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000000.259895284.0000000000D8E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVariant.exe: vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.615294523.0000000000438000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameDEBppvHXdgcoxrhnKZalEBYtvqYaM.exe4 vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.616795158.0000000001508000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.615692206.0000000000FC8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe | Binary or memory string: OriginalFilenameVariant.exe: vs New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 4.2.New PO #0164522433 JAN 2021.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal96.troj.spyw.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New PO #0164522433 JAN 2021.exe.log
Source: New PO #0164522433 JAN 2021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Customer] SET [Address] = @Address, [Postal_Code] = @Postal_Code, [Country] = @Country, [C_ID] = @C_ID, [C_City] = @C_City, [C_Phone] = @C_Phone WHERE (((@IsNull_Address = 1 AND [Address] IS NULL) OR ([Address] = @Original_Address)) AND ((@IsNull_Postal_Code = 1 AND [Postal_Code] IS NULL) OR ([Postal_Code] = @Original_Postal_Code)) AND ((@IsNull_Country = 1 AND [Country] IS NULL) OR ([Country] = @Original_Country)) AND ([C_ID] = @Original_C_ID) AND ((@IsNull_C_City = 1 AND [C_City] IS NULL) OR ([C_City] = @Original_C_City)) AND ((@IsNull_C_Phone = 1 AND [C_Phone] IS NULL) OR ([C_Phone] = @Original_C_Phone)));
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[Invoice] ([C_ID], [INV_ID], [M_ID], [Services_Cost], [Inv_Date], [Electr_Cost], [Water_Cost], [Total_Cost]) VALUES (@C_ID, @INV_ID, @M_ID, @Services_Cost, @Inv_Date, @Electr_Cost, @Water_Cost, @Total_Cost);
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[Payment_Method] ([M_ID], [Method]) VALUES (@M_ID, @Method);
Source: New PO #0164522433 JAN 2021.exe | Binary or memory string: INSERT INTO [dbo].[Room_Type] ([TYPE_ID], [Name], [Description]) VALUES (@TYPE_ID, @Name, @Description); SELECT TYPE_ID, Name, Des
Source: New PO #0164522433 JAN 2021.exe | Binary or memory string: INSERT INTO [dbo].[Payment_Method] ([M_ID], [Method]) VALUES (@M_ID, @Method); SELECT M_ID, Method FROM Payment_Method WHERE (M_ID
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[Services] ([Price], [Name], [Description], [Serv_Date], [S_ID]) VALUES (@Price, @Name, @Description, @Serv_Date, @S_ID);
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[Customer] ([Address], [Postal_Code], [Country], [C_ID], [C_City], [C_Phone]) VALUES (@Address, @Postal_Code, @Country, @C_ID, @C_City, @C_Phone);
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Invoice] SET [C_ID] = @C_ID, [INV_ID] = @INV_ID, [M_ID] = @M_ID, [Services_Cost] = @Services_Cost, [Inv_Date] = @Inv_Date, [Electr_Cost] = @Electr_Cost, [Water_Cost] = @Water_Cost, [Total_Cost] = @Total_Cost WHERE (((@IsNull_C_ID = 1 AND [C_ID] IS NULL) OR ([C_ID] = @Original_C_ID)) AND ([INV_ID] = @Original_INV_ID) AND ((@IsNull_M_ID = 1 AND [M_ID] IS NULL) OR ([M_ID] = @Original_M_ID)) AND ((@IsNull_Services_Cost = 1 AND [Services_Cost] IS NULL) OR ([Services_Cost] = @Original_Services_Cost)) AND ((@IsNull_Inv_Date = 1 AND [Inv_Date] IS NULL) OR ([Inv_Date] = @Original_Inv_Date)) AND ((@IsNull_Electr_Cost = 1 AND [Electr_Cost] IS NULL) OR ([Electr_Cost] = @Original_Electr_Cost)) AND ((@IsNull_Water_Cost = 1 AND [Water_Cost] IS NULL) OR ([Water_Cost] = @Original_Water_Cost)) AND ((@IsNull_Total_Cost = 1 AND [Total_Cost] IS NULL) OR ([Total_Cost] = @Original_Total_Cost)));
Source: New PO #0164522433 JAN 2021.exe | Binary or memory string: INSERT INTO [dbo].[Person] ([First_Name], [Last_Name], [SIN]) VALUES (@First_Name, @Last_Name, @SIN); SELECT First_Name, Last_Name
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Person] SET [First_Name] = @First_Name, [Last_Name] = @Last_Name, [SIN] = @SIN WHERE (((@IsNull_First_Name = 1 AND [First_Name] IS NULL) OR ([First_Name] = @Original_First_Name)) AND ((@IsNull_Last_Name = 1 AND [Last_Name] IS NULL) OR ([Last_Name] = @Original_Last_Name)) AND ([SIN] = @Original_SIN));
Source: New PO #0164522433 JAN 2021.exe | Binary or memory string: INSERT INTO [dbo].[Employee] ([E_ID], [Position]) VALUES (@E_ID, @Position); SELECT E_ID, Position FROM Employee WHERE (E_ID = @E_
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [dbo].[Employee] ([E_ID], [Position]) VALUES (@E_ID, @Position);
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Payment_Method] SET [M_ID] = @M_ID, [Method] = @Method WHERE (([M_ID] = @Original_M_ID) AND ((@IsNull_Method = 1 AND [Method] IS NULL) OR ([Method] = @Original_Method)));
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Rooms] SET [R_ID] = @R_ID, [Price] = @Price, [Smoking_Allowed] = @Smoking_Allowed, [Description] = @Description, [Num_Of_Beds] = @Num_Of_Beds, [Floor] = @Floor WHERE (([R_ID] = @Original_R_ID) AND ((@IsNull_Price = 1 AND [Price] IS NULL) OR ([Price] = @Original_Price)) AND ((@IsNull_Smoking_Allowed = 1 AND [Smoking_Allowed] IS NULL) OR ([Smoking_Allowed] = @Original_Smoking_Allowed)) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)) AND ((@IsNull_Num_Of_Beds = 1 AND [Num_Of_Beds] IS NULL) OR ([Num_Of_Beds] = @Original_Num_Of_Beds)) AND ((@IsNull_Floor = 1 AND [Floor] IS NULL) OR ([Floor] = @Original_Floor)));
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Room_Type] SET [TYPE_ID] = @TYPE_ID, [Name] = @Name, [Description] = @Description WHERE (([TYPE_ID] = @Original_TYPE_ID) AND ((@IsNull_Name = 1 AND [Name] IS NULL) OR ([Name] = @Original_Name)) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)));
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Reservation] SET [C_ID] = @C_ID, [Date] = @Date, [RES_ID] = @RES_ID, [R_ID] = @R_ID, [Check_Out_Time] = @Check_Out_Time, [Check_In_Time] = @Check_In_Time WHERE (((@IsNull_C_ID = 1 AND [C_ID] IS NULL) OR ([C_ID] = @Original_C_ID)) AND ((@IsNull_Date = 1 AND [Date] IS NULL) OR ([Date] = @Original_Date)) AND ([RES_ID] = @Original_RES_ID) AND ((@IsNull_R_ID = 1 AND [R_ID] IS NULL) OR ([R_ID] = @Original_R_ID)) AND ((@IsNull_Check_Out_Time = 1 AND [Check_Out_Time] IS NULL) OR ([Check_Out_Time] = @Original_Check_Out_Time)) AND ((@IsNull_Check_In_Time = 1 AND [Check_In_Time] IS NULL) OR ([Check_In_Time] = @Original_Check_In_Time)));
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Employee] SET [E_ID] = @E_ID, [Position] = @Position WHERE (([E_ID] = @Original_E_ID) AND ((@IsNull_Position = 1 AND [Position] IS NULL) OR ([Position] = @Original_Position)));
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000000.244122360.0000000000322000.00000002.00020000.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000000.259852107.0000000000D22000.00000002.00020000.sdmp | Binary or memory string: UPDATE [dbo].[Services] SET [Price] = @Price, [Name] = @Name, [Description] = @Description, [Serv_Date] = @Serv_Date, [S_ID] = @S_ID WHERE (((@IsNull_Price = 1 AND [Price] IS NULL) OR ([Price] = @Original_Price)) AND ((@IsNull_Name = 1 AND [Name] IS NULL) OR ([Name] = @Original_Name)) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)) AND ((@IsNull_Serv_Date = 1 AND [Serv_Date] IS NULL) OR ([Serv_Date] = @Original_Serv_Date)) AND ([S_ID] = @Original_S_ID));
Source: New PO #0164522433 JAN 2021.exe | Virustotal: Detection: 39%
Source: New PO #0164522433 JAN 2021.exe | ReversingLabs: Detection: 15%
Source: unknown | Process created: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe 'C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe'
Source: unknown | Process created: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Process created: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: New PO #0164522433 JAN 2021.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New PO #0164522433 JAN 2021.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: New PO #0164522433 JAN 2021.exe | Static file information: File size 1116160 > 1048576
Source: New PO #0164522433 JAN 2021.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10fe00
Source: New PO #0164522433 JAN 2021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: New PO #0164522433 JAN 2021.exe, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.New PO #0164522433 JAN 2021.exe.320000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.New PO #0164522433 JAN 2021.exe.320000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.New PO #0164522433 JAN 2021.exe.d20000.1.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.New PO #0164522433 JAN 2021.exe.d20000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_003314B6 push 73000004h; retf 0_2_00331E2D
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_0032DD3E push 6F060001h; iretd 0_2_0032DD52
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_0032FB28 push 73000004h; retf 0_2_0032FB55
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_003307D0 push 73000004h; retf 0_2_003307DA
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_0254446B push edi; ret 0_2_02544482
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 0_2_025453D1 push esi; ret 0_2_025453D6
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_00D314B6 push 73000004h; retf 4_2_00D31E2D
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_00D2DD3E push 6F060001h; iretd 4_2_00D2DD52
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_00D307D0 push 73000004h; retf 4_2_00D307DA
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_00D2FB28 push 73000004h; retf 4_2_00D2FB55
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_0141D95C push eax; ret 4_2_0141D95D
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_0141E333 push eax; ret 4_2_0141E349
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_064CA61F push es; iretd 4_2_064CA63C
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_064C8540 push es; ret 4_2_064C8550
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_064CF979 push es; retf 4_2_064CFD98
Source: initial sample | Static PE information: section name: .text entropy: 7.08708553211
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New PO #0164522433 JAN 2021.exe PID: 4392, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Window / User API: threadDelayed 1032
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Window / User API: threadDelayed 8813
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe TID: 4632 | Thread sleep time: -53038s >= -30000s
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe TID: 5040 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe TID: 1236 | Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe TID: 6012 | Thread sleep count: 1032 > 30
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe TID: 6012 | Thread sleep count: 8813 > 30
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: New PO #0164522433 JAN 2021.exe, 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Process created: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.617179977.0000000001B90000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.617179977.0000000001B90000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.617179977.0000000001B90000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.617179977.0000000001B90000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: New PO #0164522433 JAN 2021.exe, 00000004.00000002.617179977.0000000001B90000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Queries volume information of (duplicate entries collapsed):
  C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
  C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Code function: 4_2_064C5D44 GetUserNameW, 4_2_064C5D44
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000004.00000002.618884067.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.263395528.00000000036C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.614919940.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New PO #0164522433 JAN 2021.exe PID: 4400, type: MEMORY
Source: Yara match | File source: Process Memory Space: New PO #0164522433 JAN 2021.exe PID: 4392, type: MEMORY
Source: Yara match | File source: 4.2.New PO #0164522433 JAN 2021.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
Source: C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New PO #0164522433 JAN 2021.exe PID: 4400, type: MEMORY
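The evasion and credential-access events above are listed as raw indicators with nothing that acts on them. The following is an added example, my code rather than anything from the Joe Sandbox report or from the sample: a small triage rule set that reads report-style event lines, groups the indicators this report lists (the WMI hardware-class queries, the Sandboxie and Wine strings, the long thread delay, the Chrome, Firefox and Thunderbird profile files, the Outlook profile key, MachineGuid) into clusters and derives a verdict. The input lines are constructed from the events above; treating the delay value as milliseconds and the cluster thresholds in `verdict` are my assumptions, not the sandbox's logic.

```python
"""Triage the behaviour events of a sandbox report into the evasion and
credential-theft clusters they support.

Added example (not part of the Joe Sandbox report or of AgentTesla). The
patterns are the literal indicators this report lists, not a general
AgentTesla signature; the input is constructed from the report's lines."""
import re
from collections import defaultdict

# Constructed sample input: one "<event type>: <detail>" line per event the
# report lists for this sample (the sandbox's real export format differs).
SAMPLE_EVENTS = r"""
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Binary or memory string: SBIEDLL.DLL
Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Binary or memory string: VMware SVGA II
Thread delayed: delay time: 922337203685477
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Process information set: NOOPENFILEERRORBOX
""".strip().splitlines()

# (cluster, indicator template, pattern). A "{}" in the template is filled
# with the pattern's first group so that distinct WMI classes count separately.
RULES = (
    ("vm_detection", "wmi:{}",
     re.compile(r"^WMI Queries:.*\b(Win32_BaseBoard|Win32_Bios|Win32_Processor|Win32_NetworkAdapter\w*)$")),
    ("vm_detection", "string:vmware",
     re.compile(r"^Binary or memory string:.*vmware", re.I)),
    ("sandbox_check", "string:sandboxie-dll",
     re.compile(r"^Binary or memory string:.*SBIEDLL\.DLL$", re.I)),
    ("sandbox_check", "string:wine-export",
     re.compile(r"^Binary or memory string:.*WINE_GET_UNIX_FILE_NAME$", re.I)),
    ("credential_theft", "chrome-login-data",
     re.compile(r"^File opened:.*\\Google\\Chrome\\User Data\\.*\\Login Data$")),
    ("credential_theft", "firefox-profiles",
     re.compile(r"^File opened:.*\\Mozilla\\Firefox\\profiles\.ini$")),
    ("credential_theft", "thunderbird-profiles",
     re.compile(r"^File opened:.*\\Thunderbird\\profiles\.ini$")),
    ("credential_theft", "outlook-profile-key",
     re.compile(r"^Key opened:.*\\Windows Messaging Subsystem\\Profiles\\")),
    ("host_fingerprint", "machineguid",
     re.compile(r"^Key value queried:.*\\Cryptography MachineGuid$")),
)

SLEEP_RE = re.compile(r"^Thread delayed: delay time: (\d+)$")
# The report's own signature is "long sleeps (>= 3 min)"; the delay value is
# assumed to be milliseconds here (an assumption, not documented by the report).
LONG_SLEEP_MS = 3 * 60 * 1000


def summarize(lines):
    """Map each behaviour cluster to the sorted distinct indicators seen."""
    hits = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        for cluster, template, pattern in RULES:
            m = pattern.search(line)
            if m:
                hits[cluster].add(template.format(*m.groups()))
        m = SLEEP_RE.match(line)
        if m and int(m.group(1)) >= LONG_SLEEP_MS:
            hits["timing_evasion"].add("sleep:" + m.group(1))
    return {cluster: sorted(found) for cluster, found in hits.items()}


def verdict(summary):
    """Labels an analyst would attach given the clusters present."""
    labels = []
    evasion = {"vm_detection", "sandbox_check", "timing_evasion"} & set(summary)
    if "vm_detection" in evasion and len(evasion) >= 2:
        labels.append("sandbox-evasion")      # hardware probe plus a second technique
    elif evasion:
        labels.append("possible-evasion")
    # Two or more distinct credential stores touched is the stealer signal;
    # one alone can be a legitimate application reading its own profile.
    if len(summary.get("credential_theft", ())) >= 2:
        labels.append("credential-stealer")
    return labels


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    for cluster, indicators in sorted(report.items()):
        print(f"{cluster}: {', '.join(indicators)}")
    print("verdict:", verdict(report))
```

Two points worth keeping in mind when reading the delay values: 922337203685477 is Int64.MaxValue ticks divided by 10000, i.e. TimeSpan.MaxValue expressed in milliseconds, so that thread is effectively waiting forever; and the "Process information set: NOOPENFILEERRORBOX" line is deliberately left unmatched, since SetErrorMode suppression is ordinary application behaviour and on its own says nothing about evasion.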

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000004.00000002.618884067.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.263395528.00000000036C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.614919940.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New PO #0164522433 JAN 2021.exe PID: 4400, type: MEMORY
Source: Yara match | File source: Process Memory Space: New PO #0164522433 JAN 2021.exe PID: 4392, type: MEMORY
Source: Yara match | File source: 4.2.New PO #0164522433 JAN 2021.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

(Each line below is one tactic column of the report's grid. Digits in brackets are the signature-count badges the report attaches to a technique, reproduced as extracted.)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [211]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection [12]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [13]; Disable or Modify Tools [1]; Process Injection [12]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [12]
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [211]; Virtualization/Sandbox Evasion [13]; Process Discovery [2]; Application Window Discovery [1]; Account Discovery [1]; System Owner/User Discovery [1]; System Information Discovery [114]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection [1]; Archive Collected Data [11]; Data from Local System [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Behavior Graph

(graph and legend not included in this capture)

Screenshots

(screenshot thumbnails not included in this capture)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
New PO #0164522433 JAN 2021.exe | 39% | Virustotal |
New PO #0164522433 JAN 2021.exe | 15% | ReversingLabs | Win32.Trojan.Ursu
New PO #0164522433 JAN 2021.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
4.2.New PO #0164522433 JAN 2021.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label (duplicate rows collapsed)
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://tempuri.org/_391backDataSet.xsd | 0% | Avira URL Cloud | safe
http://mWLzHd.com | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | New PO #0164522433 JAN 2021.exe, 00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.org%GETMozilla/5.0 | New PO #0164522433 JAN 2021.exe, 00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://DynDns.comDynDNS | New PO #0164522433 JAN 2021.exe, 00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | New PO #0164522433 JAN 2021.exe, 00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | New PO #0164522433 JAN 2021.exe, 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp | false | | high
https://api.ipify.org% | New PO #0164522433 JAN 2021.exe, 00000004.00000002.618697950.00000000033B8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | New PO #0164522433 JAN 2021.exe, 00000000.00000002.263395528.00000000036C9000.00000004.00000001.sdmp, New PO #0164522433 JAN 2021.exe, 00000004.00000002.614919940.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/_391backDataSet.xsd | New PO #0164522433 JAN 2021.exe | false | Avira URL Cloud: safe | unknown
http://mWLzHd.com | New PO #0164522433 JAN 2021.exe, 00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Note: the "safe" reputation rates the destination host, not the sample's use of it. api.ipify.org is an external-IP lookup service and the theonionrouter.com path is a Tor bundle download; both appear only as strings in memory here, and no domain or IP was contacted during this run (see Contacted Domains and Contacted IPs).

                Contacted IPs

                No contacted IP infos

                General Information

                Joe Sandbox Version:31.0.0 Red Diamond
                Analysis ID:339371
                Start date:13.01.2021
                Start time:21:50:25
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 8m 54s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:New PO #0164522433 JAN 2021.exe
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 29
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal96.troj.spyw.evad.winEXE@3/1@0/0
                EGA Information:Failed
                HDC Information:Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 32
                • Number of non-executed functions: 4
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .exe
                Warnings:
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

Time | Type | Description
21:51:30 | API Interceptor | 1074x Sleep call for process: New PO #0164522433 JAN 2021.exe modified

                Joe Sandbox View / Context

                IPs

                No context

                Domains

                No context

                ASN

                No context

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New PO #0164522433 JAN 2021.exe.log
                Process:C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1314
                Entropy (8bit):5.350128552078965
                Encrypted:false
                SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                Malicious:true
                Reputation:high, very likely benign file
                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
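The dropped file above is the CLR's per-executable usage log, a useful forensic artifact because it records which managed assemblies the process bound even when the process itself is gone. The following is an added example, my code rather than anything from the report: it parses that log from the records visible in the preview. The record-kind semantics are inferred from the preview, not from documentation, and the System.Management line in the constructed input is added because the report's volume-information events show that assembly being loaded, not because it appears in the truncated preview.

```python
"""Parse the .NET CLR usage log the sample dropped
(C:\\Users\\<user>\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\<exe>.log)
to list the managed assemblies the process bound.

Added example, not part of the Joe Sandbox report. The record layout below is
inferred from the preview shown in the report, not from documentation."""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the records visible in the report's preview of the
# dropped .log file, plus one System.Management record added here because the
# report shows that assembly being loaded (it is not in the truncated preview).
SAMPLE_LOG = r'''1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0
2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0
2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
'''

# Assemblies worth a second look when triaging a suspected stealer. The
# System.Management entry is tied to the WMI Win32_* queries this report lists.
WATCHLIST = {
    "System.Management": "WMI client library (matches the Win32_BaseBoard/Processor/NetworkAdapter queries)",
}


@dataclass(frozen=True)
class AssemblyRecord:
    name: str
    version: str
    public_key_token: str
    native_image: Optional[str]   # NGEN image path when the record carries one


def parse_display_name(display: str):
    """Split 'Name, Version=..., Culture=..., PublicKeyToken=...' into parts."""
    parts = [p.strip() for p in display.split(",")]
    props = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0], props.get("Version", ""), props.get("PublicKeyToken", "")


def parse_usage_log(text: str) -> List[AssemblyRecord]:
    """Return the assembly records of a CLR usage log.

    Layout as observed in the preview: field 0 is a record kind; kind 2 rows
    carry an assembly display name, kind 3 rows carry the display name and a
    native-image path. Kind 1 rows (loader context) are skipped.
    """
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if row[0] == "2" and len(row) >= 2:
            name, version, token = parse_display_name(row[1])
            records.append(AssemblyRecord(name, version, token, None))
        elif row[0] == "3" and len(row) >= 3:
            name, version, token = parse_display_name(row[1])
            records.append(AssemblyRecord(name, version, token, row[2]))
    return records


def notable(records: List[AssemblyRecord]):
    """Watchlisted assemblies present, with the reason each is listed."""
    seen = {r.name: WATCHLIST[r.name] for r in records if r.name in WATCHLIST}
    return sorted(seen.items())


if __name__ == "__main__":
    loaded = parse_usage_log(SAMPLE_LOG)
    for rec in loaded:
        flag = "ngen" if rec.native_image else "il  "
        print(f"{flag} {rec.name} {rec.version} token={rec.public_key_token}")
    for name, why in notable(loaded):
        print(f"watch: {name}: {why}")
```

The csv module is used deliberately: display names contain commas inside the quoted field, and the native-image paths contain backslashes, which the default dialect leaves alone. On a live host the same parser can be pointed at every file under the UsageLogs directory to see which .NET binaries ran under a user account and what they pulled in.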

                Static File Info

                General

                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):7.082057310434035
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                • Win32 Executable (generic) a (10002005/4) 49.75%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Windows Screen Saver (13104/52) 0.07%
                • Generic Win/DOS Executable (2004/3) 0.01%
                File name:New PO #0164522433 JAN 2021.exe
                File size:1116160
                MD5:1cbe8e5ddca661fc3239ffcb3b44b1db
                SHA1:1cc2dd369304b5ad81113b06cf7f73c75226cc4e
                SHA256:8ca38b4cf8849e7b7d18cc8afdae915c4dedc2f5aaca4b9a4fd57bdfd5e25a25
                SHA512:df833315d49687c0910e92c0f0cba2eefde3657d42b5b6ae7ab2929187d9857c4d45dbba9c253897a18c835c69b4dc44a58cb63f4a29757d75f4e893a81ad558
                SSDEEP:24576:KoDDbf9KcljDiV8RJKHDdjvv50ph48OlY:KUvf9KcljuVXxrR0H488Y
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P.................. ... ....@.. .......................`............@................................

                File Icon

                Icon Hash:00828e8e8686b000

                Static PE Info

                General

                Entrypoint:0x511d16
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Time Stamp:0x5FFE8ACE [Wed Jan 13 05:53:18 2021 UTC]
                TLS Callbacks:
                CLR (.Net) Version:v4.0.30319
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                Entrypoint Preview

                Instruction
                jmp dword ptr [00402000h]
                (the remaining 97 entries decode as "add byte ptr [eax], al", i.e. the zero bytes following the six-byte stub, not code)

                The entrypoint 0x511d16 is reported as a virtual address: image base 0x400000 plus RVA 0x111d16, and RVA 0x111d16 plus the six stub bytes is exactly the end of .text (0x2000 + 0x10fd1c = 0x111d1c). The jump reads its target from 0x00402000, the image base plus the IAT RVA 0x2000, which is the single IAT slot holding the address of mscoree.dll!_CorExeMain. This is the stock native stub of a 32-bit .NET executable; execution then continues in managed code, so this preview reveals nothing about the sample's own behaviour, which has to be read from the IL or from the memory dumps analysed under Disassembly below.

                Data Directories

                Name                                  Virtual Address  Virtual Size  Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                IMAGE_DIRECTORY_ENTRY_IMPORT          0x111cc4         0x4f          .text
                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x112000         0x5fc         .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x114000         0xc           .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                The empty SECURITY entry agrees with "Digitally signed:false", the empty DEBUG entry means there is no debug directory (and so no embedded PDB path to pivot on), and the empty TLS entry means the blank "TLS Callbacks" field above stands for none rather than unknown. COM_DESCRIPTOR at RVA 0x2008 with size 0x48 is the CLR header (IMAGE_COR20_HEADER), the definitive marker of a managed assembly, sitting directly after the 8-byte IAT at 0x2000.

                Sections

                Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                .text   0x2000           0x10fd1c      0x10fe00  False     0.578503951149   data       7.08708553211   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                .rsrc   0x112000         0x5fc         0x600     False     0.440755208333   data       4.23150049374   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc  0x114000         0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                Entropy is in bits per byte, with 8.0 the maximum. A .text section of roughly 1.1 MB at 7.09 in a binary whose only native import is the CLR loader stub is far above what plain IL and metadata produce; it is consistent with most of the section being an encrypted or compressed blob carried inside the assembly and unpacked at run time, which is what the memory-dump Yara hits below then find.

                Resources

                Name         RVA       Size   Type                                                                         Language  Country
                RT_VERSION   0x112090  0x36a  data
                RT_MANIFEST  0x11240c  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                Imports

                DLL          Import
                mscoree.dll  _CorExeMain
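                The static facts above (entrypoint 0x511d16, an 8-byte IAT at RVA 0x2000, a lone mscoree.dll!_CorExeMain import, and a .text entropy of 7.09) are what an analyst checks to confirm a managed binary whose native stub is irrelevant and whose payload is stored encrypted. The Python below is an added example and not Joe Sandbox or AgentTesla code: it takes those numbers from the report, decodes the stub (the six bytes FF 25 00 20 40 00 are constructed here from the "jmp dword ptr [00402000h]" the report prints, since the file itself is not part of this page), verifies that the stub is the last six bytes of .text, and implements the Shannon entropy behind the Entropy column of the Sections table.

```python
import math
import struct
from collections import Counter

# Values copied from the Static PE Info above.
IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x511d16            # reported as a VA: image base + RVA 0x111d16
TEXT_RVA, TEXT_VSIZE = 0x2000, 0x10fd1c
IAT_RVA, IAT_SIZE = 0x2000, 0x8
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}

# Constructed: the encoding of "jmp dword ptr [00402000h]" (FF 25 + little-endian
# absolute address). The report shows the decoded form, not the bytes.
ENTRY_BYTES = bytes.fromhex("ff2500204000")


def decode_indirect_jmp(code):
    """Return the absolute memory address an `FF 25 disp32` jump loads its target
    from, or None if the bytes are not that instruction."""
    if len(code) < 6 or code[0] != 0xFF or code[1] != 0x25:
        return None
    return struct.unpack_from("<I", code, 2)[0]


def is_clr_native_stub(code, image_base, iat_rva, iat_size, imports):
    """True when the native entrypoint is the stock .NET loader stub: one indirect
    jump whose memory operand lies inside a single-slot IAT, and the only import
    in the whole file is mscoree.dll!_CorExeMain."""
    slot = decode_indirect_jmp(code)
    if slot is None:
        return False
    in_iat = image_base + iat_rva <= slot < image_base + iat_rva + iat_size
    return in_iat and iat_size == 8 and imports == {"mscoree.dll": ["_CorExeMain"]}


def stub_is_last_bytes_of_text(entry_va, image_base, text_rva, text_vsize, stub_len=6):
    """The entrypoint RVA plus the stub length should land exactly on the end of
    .text; the compiler places the six-byte CLR stub as the final bytes of .text."""
    return entry_va - image_base + stub_len == text_rva + text_vsize


def shannon_entropy(data):
    """Bits per byte, from 0.0 (a single byte value) to 8.0 (all 256 values equally
    likely); this is the quantity in the Entropy column of the Sections table."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    print("CLR stub:", is_clr_native_stub(ENTRY_BYTES, IMAGE_BASE, IAT_RVA, IAT_SIZE, IMPORTS))
    print("stub ends .text:", stub_is_last_bytes_of_text(ENTRYPOINT_VA, IMAGE_BASE, TEXT_RVA, TEXT_VSIZE))
    print("entropy of 256 distinct bytes:", shannon_entropy(bytes(range(256))))
```

                With the sample on disk, feeding the raw bytes of each section (for instance section.get_data() from the pefile library) into shannon_entropy reproduces the report's 7.087 for .text. A managed .text that close to 8.0, with no native imports beyond the loader stub, means the IL is mostly a carrier for an encrypted blob, so the productive next step is dumping the child process rather than disassembling the native entrypoint.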

                Version Infos

                Description       Data
                Translation       0x0000 0x04b0
                LegalCopyright    Copyright 2015
                Assembly Version  5.77.0.0
                InternalName      Variant.exe
                FileVersion       5.77.0.0
                CompanyName       IdentityObject LTD
                LegalTrademarks
                Comments          BitConverter
                ProductName       BitConverter
                ProductVersion    5.77.0.0
                FileDescription   BitConverter
                OriginalFilename  Variant.exe

                The version resource describes a product called BitConverter from "IdentityObject LTD" with original file name Variant.exe, none of which has anything to do with the purchase-order file name the sample was delivered under. A mismatch of this kind is itself a triage signal: these strings are typically left over from whatever template or crypter produced the binary, and they make a usable pivot for hunting related samples.

                Network Behavior

                No network behavior found


                System Behavior

                General

                Start time:21:51:23
                Start date:13/01/2021
                Path:C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe
                Wow64 process (32bit):true
                Commandline:'C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe'
                Imagebase:0x320000
                File size:1116160 bytes
                MD5 hash:1CBE8E5DDCA661FC3239FFCB3B44B1DB
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.263395528.00000000036C9000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp, Author: Joe Security
                Reputation:low

                General

                Start time:21:51:30
                Start date:13/01/2021
                Path:C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\Desktop\New PO #0164522433 JAN 2021.exe
                Imagebase:0xd20000
                File size:1116160 bytes
                MD5 hash:1CBE8E5DDCA661FC3239FFCB3B44B1DB
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.618884067.00000000033E1000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.614919940.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp, Author: Joe Security
                Reputation:low
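                The Yara hits listed for the two processes are identified only by the memory dump they came from, and the second process (same path and MD5 as the first, but loaded at 0xd20000) carries an AgentTesla match at 0x402000, which is the original file's .text start at its preferred image base 0x400000. The Python below is an added example and not Joe Sandbox code: it parses those dump names and asks the question a responder wants answered, namely whether any match sits inside the original image's .text range at its preferred base inside a process the loader actually placed elsewhere. The file-name layout proc.stage.dumpid.base.protect.type.sdmp is inferred from the entries above; the process index and base address fields are confirmed by the report's own "Offset:" lines under Disassembly, while reading the fifth field as a Win32 PAGE_* protection constant (0x40 = PAGE_EXECUTE_READWRITE) is an assumption of this example.

```python
import re
from collections import defaultdict

# Assumed layout of a Joe Sandbox dump name: proc.stage.dumpid.base.protect.type.sdmp.
# proc and base are confirmed by the report's "Source File ... Offset:" lines;
# the protect field being a Win32 PAGE_* constant is this example's assumption.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-fA-F]{8})\.(?P<stage>[0-9a-fA-F]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9a-fA-F]{16})\.(?P<protect>[0-9a-fA-F]{8})\.(?P<type>[0-9a-fA-F]{8})\.sdmp$"
)
PAGE_EXECUTE_READWRITE = 0x40

# Constructed input: the five (rule, source) pairs listed under System Behavior,
# and each process's reported Imagebase.
YARA_SOURCES = [
    ("JoeSecurity_AgentTesla_1",      "00000000.00000002.263395528.00000000036C9000.00000004.00000001.sdmp"),
    ("JoeSecurity_AntiVM_3",          "00000000.00000002.261696881.00000000026C1000.00000004.00000001.sdmp"),
    ("JoeSecurity_AgentTesla_1",      "00000004.00000002.618884067.00000000033E1000.00000004.00000001.sdmp"),
    ("JoeSecurity_AgentTesla_1",      "00000004.00000002.614919940.0000000000402000.00000040.00000001.sdmp"),
    ("JoeSecurity_CredentialStealer", "00000004.00000002.618414736.0000000003311000.00000004.00000001.sdmp"),
]
PROCESS_IMAGE_BASE = {0: 0x320000, 4: 0xD20000}
PREFERRED_IMAGE_BASE = 0x400000       # from the static PE header
TEXT_RVA, TEXT_VSIZE = 0x2000, 0x10FD1C


def parse_sdmp(name):
    """Split a dump file name into the numeric fields this triage needs."""
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError("unrecognised dump name: " + name)
    return {"proc": int(m["proc"], 16),
            "base": int(m["base"], 16),
            "protect": int(m["protect"], 16)}


def triage(sources, process_image_base, preferred_base, text_rva, text_vsize):
    """Per process, list matches that fall inside the file's .text as it would be
    mapped at its preferred base, in a process the loader actually relocated
    elsewhere. Such a region is a second copy of the image that the loader did
    not create, i.e. something wrote it there."""
    lo, hi = preferred_base + text_rva, preferred_base + text_rva + text_vsize
    findings = defaultdict(list)
    for rule, name in sources:
        d = parse_sdmp(name)
        actual = process_image_base.get(d["proc"])
        if actual is not None and actual != preferred_base and lo <= d["base"] < hi:
            findings[d["proc"]].append({
                "rule": rule,
                "base": d["base"],
                # True under the assumed meaning of the protect field
                "rwx": d["protect"] == PAGE_EXECUTE_READWRITE,
            })
    return dict(findings)


if __name__ == "__main__":
    hits = triage(YARA_SOURCES, PROCESS_IMAGE_BASE, PREFERRED_IMAGE_BASE, TEXT_RVA, TEXT_VSIZE)
    for proc, regions in hits.items():
        for h in regions:
            print(f"process {proc}: {h['rule']} at {h['base']:#x} rwx={h['rwx']}")
```

                Run on the report's entries, the only flagged region is the AgentTesla match at 0x402000 in the second process, whose own image is based at 0xd20000 because of DYNAMIC_BASE: a writable and executable copy of the image at its preferred base that the loader did not map. Two processes with identical path and hash, the second one created by the first, and the decrypted payload sitting at 0x400000 inside the child is the pattern of the parent hollowing a suspended copy of itself with the unpacked AgentTesla image; the other two hits in that process are in writable, non-executable regions under the same reading of the protection field, i.e. the payload's data rather than its code. That 0x402000 region, not the on-disk file, is the dump to carve for configuration and strings.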

                Disassembly

                Code Analysis


                  Executed Functions

                  APIs
                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0254BE0E
                  Memory Dump Source
                  • Source File: 00000000.00000002.261598816.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                  Similarity
                  • API ID: HandleModule
                  • String ID:
                  • API String ID: 4139908857-0
                  • Opcode ID: 5dcd8554470b10d8f4e066e72dcec1e466c0f7f3c1beaf6eff07c8dea9a16879
                  • Instruction ID: b264fbce08b442d2f69de1c18880fde9219682d6c11f16870f9de3872d20a254
                  • Opcode Fuzzy Hash: 5dcd8554470b10d8f4e066e72dcec1e466c0f7f3c1beaf6eff07c8dea9a16879
                  • Instruction Fuzzy Hash: 77813870A00B058FD724DF6AD19576ABBF1FF88208F00892DD49AD7A40DB35E94ACF95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0254DD8A
                  Memory Dump Source
                  • Source File: 00000000.00000002.261598816.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                  Similarity
                  • API ID: CreateWindow
                  • String ID:
                  • API String ID: 716092398-0
                  • Opcode ID: cc3ec21c7b2a7d0dbeaee451e2e0ee5fd6957c2b03dd01554b6125e1aba668ec
                  • Instruction ID: f7ba11ba1ac6f0f94850649796406a8a4f62ecb434d5f8ef31f18465b7660717
                  • Opcode Fuzzy Hash: cc3ec21c7b2a7d0dbeaee451e2e0ee5fd6957c2b03dd01554b6125e1aba668ec
                  • Instruction Fuzzy Hash: D051C1B1D01309DFDB14CF99C884ADEFBB5BF48314F24852AE819AB210DB749985CF94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0254DD8A
                  Memory Dump Source
                  • Source File: 00000000.00000002.261598816.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                  Similarity
                  • API ID: CreateWindow
                  • String ID:
                  • API String ID: 716092398-0
                  • Opcode ID: 8ec90857592adadff0ad33d92db44453d2471586384a6ff8af5e5e7363b3e4d6
                  • Instruction ID: 3951efbda644f84eb663329da1b24800e899f017f1fc7571fc9479a899da8a9f
                  • Opcode Fuzzy Hash: 8ec90857592adadff0ad33d92db44453d2471586384a6ff8af5e5e7363b3e4d6
                  • Instruction Fuzzy Hash: 7151CEB1D013199FDB14CF99C884ADEFBB1BF88314F24852AE819AB210DB749985CF90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02546E4F
                  Memory Dump Source
                  • Source File: 00000000.00000002.261598816.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: dc6a7d9373780ed8e28c79df7ee058578f383cc4875c94f68264a8d30f8eb10d
                  • Instruction ID: 6f00691614745204982495cace6c797b33bca438530a99d3fa429811c76ca58e
                  • Opcode Fuzzy Hash: dc6a7d9373780ed8e28c79df7ee058578f383cc4875c94f68264a8d30f8eb10d
                  • Instruction Fuzzy Hash: BA21E4B59002089FDB10CF99D484ADEFBF8FB48324F14841AE924A3310D774A955CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02546E4F
                  Memory Dump Source
                  • Source File: 00000000.00000002.261598816.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: 94852f94e1330e9c1cf795f45c09409e9b35858d8c4d9602dc8ad79725c4602e
                  • Instruction ID: 1c504b0104ec2782bd680ebc0e2a71ba5a4f3bc611dfb643d2ddb4256edc2f9e
                  • Opcode Fuzzy Hash: 94852f94e1330e9c1cf795f45c09409e9b35858d8c4d9602dc8ad79725c4602e
                  • Instruction Fuzzy Hash: A121D5B59002089FDB10CF99D584BDEFBF9FB48324F14841AE914A3350D774A954CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0254BE89,00000800,00000000,00000000), ref: 0254C09A
                  Memory Dump Source
                  • Source File: 00000000.00000002.261598816.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: aac76968e16813d275c3209f8ffceb37ad5731f3a4c2434628d9d4e1def40008
                  • Instruction ID: 98893cd2bef6c44f9ccc720bac6276dd824f7f239e542890eca9033d3fa98fc9
                  • Opcode Fuzzy Hash: aac76968e16813d275c3209f8ffceb37ad5731f3a4c2434628d9d4e1def40008
                  • Instruction Fuzzy Hash: 661117B1D012099FCB20CF9AD448BEEFBF4FB88358F04842AD519A7200C775A545CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0254BE89,00000800,00000000,00000000), ref: 0254C09A
                  Memory Dump Source
                  • Source File: 00000000.00000002.261598816.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: 68562f62b8c47856fa227cf2db6a9a31de86e46a52a60d95d5cfa4c37c3200bc
                  • Instruction ID: 5a2f18da6b930995362489b4251f1ac068dac9727277e6e9542cb807e02a91fc
                  • Opcode Fuzzy Hash: 68562f62b8c47856fa227cf2db6a9a31de86e46a52a60d95d5cfa4c37c3200bc
                  • Instruction Fuzzy Hash: D411F3B6D012099FDB20CF9AD448BDEFBF4FB88328F15842AD529A7200C775A545CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0254BE0E
                  Memory Dump Source
                  • Source File: 00000000.00000002.261598816.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                  Similarity
                  • API ID: HandleModule
                  • String ID:
                  • API String ID: 4139908857-0
                  • Opcode ID: 6fbf199ef61e6470af5decbb6b3f5385d900ed05cfb26ace368e2cbec84908de
                  • Instruction ID: 6bde455535e495530dbc9483bed30be9f6a1a9e949db41f167284f8a740c305e
                  • Opcode Fuzzy Hash: 6fbf199ef61e6470af5decbb6b3f5385d900ed05cfb26ace368e2cbec84908de
                  • Instruction Fuzzy Hash: 5711E0B5D006498FDB20CF9AC448BDEFBF4EB88228F15846AD929A7600C774A545CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  Memory Dump Source
                  • Source File: 00000000.00000002.261598816.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ca1eb7e5ce01cc766d439142a57dbc424eb54913b89060fb0843d5f30e2441d3
                  • Instruction ID: 645b7ccd7c6bcfa819256ce45e2bf8bcd523c2cf1cab6462d0d0e9fae6164bdb
                  • Opcode Fuzzy Hash: ca1eb7e5ce01cc766d439142a57dbc424eb54913b89060fb0843d5f30e2441d3
                  • Instruction Fuzzy Hash: A2528BB19C17068BD320CF1CE58C2997BB1FB4031ABD04A19D2525BAD0E7B565AEEF4C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.261598816.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cbdc3a560f9f0a4fa317cf47d49ba3a5703a36d1973b4c411d4c78c9e1b45492
                  • Instruction ID: 1ec0d67f549cb45f2f17b4d52ea9f41183021054201ec903a41321a73d90d30f
                  • Opcode Fuzzy Hash: cbdc3a560f9f0a4fa317cf47d49ba3a5703a36d1973b4c411d4c78c9e1b45492
                  • Instruction Fuzzy Hash: F1A15936E1021A8FCF05DFA5C88459EFBB2FF85308B15856AE805BB221EB31E955CF40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.261598816.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fca2c8ce7125135354036cb5b466d456a5e1682b44a3e10d9bbb15defb7c3cb7
                  • Instruction ID: acdcd99f13560d6775a38c911d2e2faff6047ba1a0dba69ef302a935aeed5f85
                  • Opcode Fuzzy Hash: fca2c8ce7125135354036cb5b466d456a5e1682b44a3e10d9bbb15defb7c3cb7
                  • Instruction Fuzzy Hash: 0BD1E530C2075ACACB10EB64D990AADB3B1FF95300F51DB9AD14977615EB70AAC4CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.261598816.0000000002540000.00000040.00000001.sdmp, Offset: 02540000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bf7f958627d08e0fc430d6a255492e3548ca1df898532cacdad867f2db284d12
                  • Instruction ID: 6f0abe06b69b2c21f59532892a8714094da2e5d1732216383ebab4a639695541
                  • Opcode Fuzzy Hash: bf7f958627d08e0fc430d6a255492e3548ca1df898532cacdad867f2db284d12
                  • Instruction Fuzzy Hash: A9D1E530C2075ACACB10EB64D990AADB3B1FF95300F51DB9AD14977615EB70AAC4CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Executed Functions

                  APIs
                  • GetUserNameW.ADVAPI32(00000000,00000000), ref: 064CB63B
                  Memory Dump Source
                  • Source File: 00000004.00000002.621008623.00000000064C0000.00000040.00000001.sdmp, Offset: 064C0000, based on PE: false
                  Similarity
                  • API ID: NameUser
                  • String ID:
                  • API String ID: 2645101109-0
                  • Opcode ID: 5ccc883f47af8af3f6b3e034181062701dc98350854022d31d165e1c1d860fdb
                  • Instruction ID: 3d188e3297056cd1f76c192f71e8f6455c76aee7a13f0cd97de0c2207a30843e
                  • Opcode Fuzzy Hash: 5ccc883f47af8af3f6b3e034181062701dc98350854022d31d165e1c1d860fdb
                  • Instruction Fuzzy Hash: 54512374E102188FDB54CFA9C899BAEBBB1FF48324F15842EE815AB350D7749844CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetCurrentProcess.KERNEL32 ref: 014F69A0
                  • GetCurrentThread.KERNEL32 ref: 014F69DD
                  • GetCurrentProcess.KERNEL32 ref: 014F6A1A
                  • GetCurrentThreadId.KERNEL32 ref: 014F6A73
                  Memory Dump Source
                  • Source File: 00000004.00000002.616749534.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                  Similarity
                  • API ID: Current$ProcessThread
                  • String ID:
                  • API String ID: 2063062207-0
                  • Opcode ID: 6b5efb2823d1da6f5fcd544e4716f77a10cd1b4add2812b2b5316d2f78e6d40b
                  • Instruction ID: 1e24f87f3ad4d3fce924eb1b192dc1fe757663bb79d7cd8cb135bbe374f6ebc5
                  • Opcode Fuzzy Hash: 6b5efb2823d1da6f5fcd544e4716f77a10cd1b4add2812b2b5316d2f78e6d40b
                  • Instruction Fuzzy Hash: 915183B09002498FDB14CFAAD548BDEBBF1EF88304F21845EE119A7360C734A884CF62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • KiUserExceptionDispatcher.NTDLL ref: 064CC8B2
                  Memory Dump Source
                  • Source File: 00000004.00000002.621008623.00000000064C0000.00000040.00000001.sdmp, Offset: 064C0000, based on PE: false
                  Similarity
                  • API ID: DispatcherExceptionUser
                  • String ID:
                  • API String ID: 6842923-0
                  • Opcode ID: 815ae13a3f94c7e7e396fc5022a85a6ba7be3750a59d65ce78d8c66ef0e95b0e
                  • Instruction ID: e70da096f0f0b71b2d087b55bf4e480d1b0dc7573c2cf5b5906e2ed11a5bbf6d
                  • Opcode Fuzzy Hash: 815ae13a3f94c7e7e396fc5022a85a6ba7be3750a59d65ce78d8c66ef0e95b0e
                  • Instruction Fuzzy Hash: 40220874A002298FCBA4EF64D99CAADB7B6FF48315F1084E9D50AA3754DB349E81CF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • KiUserExceptionDispatcher.NTDLL ref: 064CC8B2
                  Memory Dump Source
                  • Source File: 00000004.00000002.621008623.00000000064C0000.00000040.00000001.sdmp, Offset: 064C0000, based on PE: false
                  Similarity
                  • API ID: DispatcherExceptionUser
                  • String ID:
                  • API String ID: 6842923-0
                  • Opcode ID: bde87274795952ab2432f3df1620b78a2a99c30d5956c009ad5b2ac517dae1b5
                  • Instruction ID: 04b72769f672130c67f02e72c6cb22439b1a83188b290122c11cd7dce8e6eee1
                  • Opcode Fuzzy Hash: bde87274795952ab2432f3df1620b78a2a99c30d5956c009ad5b2ac517dae1b5
                  • Instruction Fuzzy Hash: AFA1C534A01229CFCBA4DB64D99C69DB7B2BF88316F1044EAD90AA3354DB359A81CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • KiUserExceptionDispatcher.NTDLL ref: 064CC8B2
                  Memory Dump Source
                  • Source File: 00000004.00000002.621008623.00000000064C0000.00000040.00000001.sdmp, Offset: 064C0000, based on PE: false
                  Similarity
                  • API ID: DispatcherExceptionUser
                  • String ID:
                  • API String ID: 6842923-0
                  • Opcode ID: de16fa726e0966570df3ed0817820583516676771889f35c8be4104b045a723c
                  • Instruction ID: 1212766450b8c554f2dc02c539f111b6a01794d0e4444fd0a85f463b7bf64b62
                  • Opcode Fuzzy Hash: de16fa726e0966570df3ed0817820583516676771889f35c8be4104b045a723c
                  • Instruction Fuzzy Hash: 5091D534A01229CFCBA4DF64D99C69DB7B2BF88316F1045EAD90AA3354DB349E81CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • KiUserExceptionDispatcher.NTDLL ref: 064CC8B2
                  Memory Dump Source
                  • Source File: 00000004.00000002.621008623.00000000064C0000.00000040.00000001.sdmp, Offset: 064C0000, based on PE: false
                  Similarity
                  • API ID: DispatcherExceptionUser
                  • String ID:
                  • API String ID: 6842923-0
                  • Opcode ID: 39d3849c2d12c26beb6cd67685d6446a77e1d041e5c3d2f75d74f501c02fba14
                  • Instruction ID: 02971a13f7e4eb42c279836ecc6ae5e7201aca1b210b3adcb96d78ebb01362b5
                  • Opcode Fuzzy Hash: 39d3849c2d12c26beb6cd67685d6446a77e1d041e5c3d2f75d74f501c02fba14
                  • Instruction Fuzzy Hash: 7B91C674A01229CFCBA4DB64D99C69DB7B2BF88316F1044E9D90A93354DB349E81CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • KiUserExceptionDispatcher.NTDLL ref: 064CC8B2
                  Memory Dump Source
                  • Source File: 00000004.00000002.621008623.00000000064C0000.00000040.00000001.sdmp, Offset: 064C0000, based on PE: false
                  Similarity
                  • API ID: DispatcherExceptionUser
                  • String ID:
                  • API String ID: 6842923-0
                  • Opcode ID: 627cc93d827a1162015d005a6a4967912d7ae2da1cc90453624802b6f3d09f26
                  • Instruction ID: 3cbbfd50392bc743b25f3603a8cdc67740c37d2b33fb93b470136057c2f82943
                  • Opcode Fuzzy Hash: 627cc93d827a1162015d005a6a4967912d7ae2da1cc90453624802b6f3d09f26
                  • Instruction Fuzzy Hash: BD81E734A01229CFCBA4DB64D99C7ADB7B2BF88316F1084E9D90A93354DB359A81CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetUserNameW.ADVAPI32(00000000,00000000), ref: 064CB63B
                  Memory Dump Source
                  • Source File: 00000004.00000002.621008623.00000000064C0000.00000040.00000001.sdmp, Offset: 064C0000, based on PE: false
                  Similarity
                  • API ID: NameUser
                  • String ID:
                  • API String ID: 2645101109-0
                  • Opcode ID: b1137cb0c489c10952958217f8e288fba5b3ae35bf38bd74272d65358e2f4a41
                  • Instruction ID: 5e059f865917352c1e4364b19f23a6db90325976ea1426a17a4d76683c875927
                  • Opcode Fuzzy Hash: b1137cb0c489c10952958217f8e288fba5b3ae35bf38bd74272d65358e2f4a41
                  • Instruction Fuzzy Hash: 23511374E002188FDB58CFA9C899BDEBBB1FF48324F15842EE815AB350D7749845CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetUserNameW.ADVAPI32(00000000,00000000), ref: 064CB63B
                  Memory Dump Source
                  • Source File: 00000004.00000002.621008623.00000000064C0000.00000040.00000001.sdmp, Offset: 064C0000, based on PE: false
                  Similarity
                  • API ID: NameUser
                  • String ID:
                  • API String ID: 2645101109-0
                  • Opcode ID: 55bd8e361ea40d22c6f452a29b163b855b3f62cc8bf8bc68308e6354a5ff486a
                  • Instruction ID: 6d4bd5c666a221bb7b8abeb6cd6c3280cb20c76830b2a774604b3214b6af188a
                  • Opcode Fuzzy Hash: 55bd8e361ea40d22c6f452a29b163b855b3f62cc8bf8bc68308e6354a5ff486a
                  • Instruction Fuzzy Hash: 53511474E102188FDB54CFA9C899BAEBBB1FF48324F15852EE815AB350D7749844CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014F51A2
                  Memory Dump Source
                  • Source File: 00000004.00000002.616749534.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                  Similarity
                  • API ID: CreateWindow
                  • String ID:
                  • API String ID: 716092398-0
                  • Opcode ID: 6abcc0107f1818b64160abd77954bcb8e74782a14e2aff27afc1643d57af0509
                  • Instruction ID: 4eb36449b7794e4986efbcf56539c6460e0d6dc06eda518290ff56e40bb120c4
                  • Opcode Fuzzy Hash: 6abcc0107f1818b64160abd77954bcb8e74782a14e2aff27afc1643d57af0509
                  • Instruction Fuzzy Hash: 5151B2B1D102099FDB14CFA9C984ADEBBB5BF48314F24852EE515AB310D774A985CF90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014F51A2
                  Memory Dump Source
                  • Source File: 00000004.00000002.616749534.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                  Similarity
                  • API ID: CreateWindow
                  • String ID:
                  • API String ID: 716092398-0
                  • Opcode ID: 91691f9e2a6f92ea17f4faed8507500a6321b5de47c39b75940f9f0012cdc74a
                  • Instruction ID: c37ffa79565cd0e57c1c7b644cb0d3dc28612561c2dad2a443e8ce684920120d
                  • Opcode Fuzzy Hash: 91691f9e2a6f92ea17f4faed8507500a6321b5de47c39b75940f9f0012cdc74a
                  • Instruction Fuzzy Hash: DF41C0B1D103099FDB14CF99C984ADEBBB5BF88314F24852AE919AB310D774A885CF90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 014F7F01
                  Memory Dump Source
                  • Source File: 00000004.00000002.616749534.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                  Similarity
                  • API ID: CallProcWindow
                  • String ID:
                  • API String ID: 2714655100-0
                  • Opcode ID: 947c6e4cbfe018454d526107fc5746bd54d5d937b308b97961988c76b5c2845c
                  • Instruction ID: 2a5f8e71ed85b222d5bf887e2610d6ebb2cb2c44db1ead737d9cb05b53c416a7
                  • Opcode Fuzzy Hash: 947c6e4cbfe018454d526107fc5746bd54d5d937b308b97961988c76b5c2845c
                  • Instruction Fuzzy Hash: 854136B4A00205CFCB14CF99C488BAABBF5FB88315F15885EE619A7321D334A841CFA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RtlEncodePointer.NTDLL(00000000), ref: 014FC192
                  Memory Dump Source
                  • Source File: 00000004.00000002.616749534.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                  Similarity
                  • API ID: EncodePointer
                  • String ID:
                  • API String ID: 2118026453-0
                  • Opcode ID: fea9a605a3315c89a8c31de6caf5239379457c63145650108a8934914dcd5df1
                  • Instruction ID: 7b639c4f6eb07f7534c09f74b9bb6d82fba3e477cfe47db0678da1751c963c89
                  • Opcode Fuzzy Hash: fea9a605a3315c89a8c31de6caf5239379457c63145650108a8934914dcd5df1
                  • Instruction Fuzzy Hash: 9D3101718043488FEB10DFA9E98979E7FF0EB4A324F18846EC585A7322C3795845CF61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014F6BEF
                  Memory Dump Source
                  • Source File: 00000004.00000002.616749534.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: 1eddee5845006b5baa38ff4f3e0ad5bf442401e7c51a577cab98208bfe053c4a
                  • Instruction ID: 3bd5ae308aaa92be33374247bd2b4e211be07383d1fcc1527a066aeefbc79bb3
                  • Opcode Fuzzy Hash: 1eddee5845006b5baa38ff4f3e0ad5bf442401e7c51a577cab98208bfe053c4a
                  • Instruction Fuzzy Hash: D821E2B5D01248AFDB10CFA9D984BEEBBF5FB48324F15841AE914A3310D378A954CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014F6BEF
                  Memory Dump Source
                  • Source File: 00000004.00000002.616749534.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: e83293573fef4a776db0bfd47a64aaf7e22d970b8ff38d1278d5e55de76ae363
                  • Instruction ID: dddfac6a6828dedc95143d53e839a0ca4ef8be8cf83c48f718a2780d0b0e82c2
                  • Opcode Fuzzy Hash: e83293573fef4a776db0bfd47a64aaf7e22d970b8ff38d1278d5e55de76ae363
                  • Instruction Fuzzy Hash: CE21C4B5900248AFDB10CF99D584BDEBBF9EB48324F15841AE914A3350D374A954CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RtlEncodePointer.NTDLL(00000000), ref: 014FC192
                  Memory Dump Source
                  • Source File: 00000004.00000002.616749534.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                  Similarity
                  • API ID: EncodePointer
                  • String ID:
                  • API String ID: 2118026453-0
                  • Opcode ID: 5fff0c5310e76dc9f3eb6e1dd3c3bf29e30eabb058b7f835f4dce00d62c6e42a
                  • Instruction ID: 917bc88675fe94ab2ab72ac5492afaba7bfbcbb82c2a05980e1144c44cd54954
                  • Opcode Fuzzy Hash: 5fff0c5310e76dc9f3eb6e1dd3c3bf29e30eabb058b7f835f4dce00d62c6e42a
                  • Instruction Fuzzy Hash: 951159719002098FEB20EFA9D98979ABBF4EB49724F10882ED505B7711C7796944CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetModuleHandleW.KERNELBASE(00000000), ref: 014F4116
                  Memory Dump Source
                  • Source File: 00000004.00000002.616749534.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                  Similarity
                  • API ID: HandleModule
                  • String ID:
                  • API String ID: 4139908857-0
                  • Opcode ID: b476aff6399dc86ae4df70a50642cfaca1fab50eaf52b35b8c6d505aa9a408dd
                  • Instruction ID: a2dc0cd0c15b07d93d0ed755ba98c412d8583858434b5988e7aa2d39deaa4302
                  • Opcode Fuzzy Hash: b476aff6399dc86ae4df70a50642cfaca1fab50eaf52b35b8c6d505aa9a408dd
                  • Instruction Fuzzy Hash: 6D111FB19002498FDB20CF9AC448BDFBBF4EB88224F05842AD929A7310D378A545CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetModuleHandleW.KERNELBASE(00000000), ref: 014F4116
                  Memory Dump Source
                  • Source File: 00000004.00000002.616749534.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                  Similarity
                  • API ID: HandleModule
                  • String ID:
                  • API String ID: 4139908857-0
                  • Opcode ID: 16d07dde63492a89bd0a0549ff914a11ae16d864fc64989615389fe0679ebbd7
                  • Instruction ID: a0d96880dceed5ca172b1f7260df31cb4ae8261683c4a416b57ee7f66c73f357
                  • Opcode Fuzzy Hash: 16d07dde63492a89bd0a0549ff914a11ae16d864fc64989615389fe0679ebbd7
                  • Instruction Fuzzy Hash: 931112B1C002098EDB10CF9AC448BDEBBF4EB88214F15851AC519A3310C374A545CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.616509624.00000000013FD000.00000040.00000001.sdmp, Offset: 013FD000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 44089abc6129997cbcfbb1622d552360a546480b52a5138e1f3e4faba40b2180
                  • Instruction ID: 98b652b00232ff6d1ca743cca2f9a1c36479fedb16c2c93e1d7ab736fbdbf9c2
                  • Opcode Fuzzy Hash: 44089abc6129997cbcfbb1622d552360a546480b52a5138e1f3e4faba40b2180
                  • Instruction Fuzzy Hash: 792125B1504244EFDB06DF54D9C8B26BF65FB8432CF24856DEA094B246C33AD856CBA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.616509624.00000000013FD000.00000040.00000001.sdmp, Offset: 013FD000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ad92ed7290283207603347a87f116bfe3c9bf7d632a1080f16cff18756860038
                  • Instruction ID: 08c47ae8ff0af31f246341b0aa4f952381d688d34f77216b260df3a0a2c70120
                  • Opcode Fuzzy Hash: ad92ed7290283207603347a87f116bfe3c9bf7d632a1080f16cff18756860038
                  • Instruction Fuzzy Hash: 1C2136B1504244DFDB01DF54D8C8B27BF65FB84328F24856CEA095B207C736E855C7A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.616563890.000000000141D000.00000040.00000001.sdmp, Offset: 0141D000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cd20bcb4a773764d059193b12019635fd67b41459f020310f79b52330ce2dd5a
                  • Instruction ID: 75eea7eff2a9802e3063cce093285cbd9ac773373b3fb95dc60731354167d6dc
                  • Opcode Fuzzy Hash: cd20bcb4a773764d059193b12019635fd67b41459f020310f79b52330ce2dd5a
                  • Instruction Fuzzy Hash: 972106F5904240DFCB15CF54D8C8B16BF65FB84258F24C96AD9094B35AC33AD847C761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.616563890.000000000141D000.00000040.00000001.sdmp, Offset: 0141D000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 53253d25943be94c531529f8cad26ca37c315de046b7bdbd95d6cb99b03c855b
                  • Instruction ID: 0078c0d9679399be76cb9fccb330ba99de023b42d73915a8f5ca69a33f12c01d
                  • Opcode Fuzzy Hash: 53253d25943be94c531529f8cad26ca37c315de046b7bdbd95d6cb99b03c855b
                  • Instruction Fuzzy Hash: EC2192B55093808FDB13CF24D594716BF71EB46214F28C5DBD8498B667C33A984ACB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.616509624.00000000013FD000.00000040.00000001.sdmp, Offset: 013FD000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5a368cc5c02d0b3c716e3061d2d03e1c83b6206fc9b52232e2685b0d252f8fbb
                  • Instruction ID: e439f7cbf78c0f7bc72f51ac5e74207ec35ceba4d7b6dfbd144e38f26534d092
                  • Opcode Fuzzy Hash: 5a368cc5c02d0b3c716e3061d2d03e1c83b6206fc9b52232e2685b0d252f8fbb
                  • Instruction Fuzzy Hash: 3411B176504280CFCB12CF54D5C8B16BF72FB84328F2886ADD9494B617C33AD456CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.616509624.00000000013FD000.00000040.00000001.sdmp, Offset: 013FD000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5a368cc5c02d0b3c716e3061d2d03e1c83b6206fc9b52232e2685b0d252f8fbb
                  • Instruction ID: b439e64886e78ab9c3cd4a0c2a78d9cfcbe1fad0046efc1ad7f1cf749606f224
                  • Opcode Fuzzy Hash: 5a368cc5c02d0b3c716e3061d2d03e1c83b6206fc9b52232e2685b0d252f8fbb
                  • Instruction Fuzzy Hash: 9C11BE76504280CFDB12CF54D9C8B16BF71FB84328F2886ADD9090B617C33AD45ACBA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions