
Analysis Report Bewerbungsschreiben.exe

Overview

General Information

Sample Name: Bewerbungsschreiben.exe
Analysis ID: 344881
MD5: 082f79d8347c5bebbe48b7693f997bc8
SHA1: 09a254878d726d23816d4d90c86b912856b98570
SHA256: 0c10d7fbab534bfee1ca3408fa01a956c99ae6c52d565bbb584c486eff2eaa2c
Tags: exe

Detection

AgentTesla
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info

Classification

Startup

  • System is w10x64
  • Bewerbungsschreiben.exe (PID: 6424 cmdline: 'C:\Users\user\Desktop\Bewerbungsschreiben.exe' MD5: 082F79D8347C5BEBBE48B7693F997BC8)
    • Bewerbungsschreiben.exe (PID: 5888 cmdline: C:\Users\user\Desktop\Bewerbungsschreiben.exe MD5: 082F79D8347C5BEBBE48B7693F997BC8)
    • Bewerbungsschreiben.exe (PID: 5844 cmdline: C:\Users\user\Desktop\Bewerbungsschreiben.exe MD5: 082F79D8347C5BEBBE48B7693F997BC8)
    • Bewerbungsschreiben.exe (PID: 2848 cmdline: C:\Users\user\Desktop\Bewerbungsschreiben.exe MD5: 082F79D8347C5BEBBE48B7693F997BC8)
    • Bewerbungsschreiben.exe (PID: 4480 cmdline: C:\Users\user\Desktop\Bewerbungsschreiben.exe MD5: 082F79D8347C5BEBBE48B7693F997BC8)
    • Bewerbungsschreiben.exe (PID: 6472 cmdline: C:\Users\user\Desktop\Bewerbungsschreiben.exe MD5: 082F79D8347C5BEBBE48B7693F997BC8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.667795575.0000000012ED1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Process Memory Space: Bewerbungsschreiben.exe PID: 6424 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: Bewerbungsschreiben.exe PID: 6424 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
  Source: Bewerbungsschreiben.exe; Virustotal: Detection: 27%
Machine Learning detection for sample
  Source: Bewerbungsschreiben.exe; Joe Sandbox ML: detected

Compliance:

Contains modern PE file flags such as dynamic base (ASLR) or NX
  Source: Bewerbungsschreiben.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
  Source: Bewerbungsschreiben.exe, 00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: Bewerbungsschreiben.exe, 00000000.00000002.667795575.0000000012ED1000.00000004.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Code function: 0_2_00007FFA35A32BE7
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Code function: 2_2_0031D819
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Code function: 2_2_00319369
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Code function: 2_2_00313FE8
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Code function: 3_2_00423FE8
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Code function: 3_2_00429369
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Code function: 3_2_0042D819
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Code function: 4_2_00D39369
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Code function: 4_2_00D33FE8
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Code function: 4_2_00D3D819
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Code function: 5_2_00F59369
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Code function: 5_2_00F53FE8
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Code function: 5_2_00F5D819
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Code function: 6_2_0037D819
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Code function: 6_2_00379369
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Code function: 6_2_00373FE8
  Source: Bewerbungsschreiben.exe, 00000000.00000002.669510440.000000001BCA0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamePositiveSign.dll< vs Bewerbungsschreiben.exe
  Source: Bewerbungsschreiben.exe, 00000000.00000002.669260070.000000001B820000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSoapName.dll2 vs Bewerbungsschreiben.exe
  Source: Bewerbungsschreiben.exe, 00000000.00000000.658437026.0000000000C96000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameOutOfMemoryException.exe vs Bewerbungsschreiben.exe
  Source: Bewerbungsschreiben.exe, 00000000.00000002.669163828.000000001B780000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs Bewerbungsschreiben.exe
  Source: Bewerbungsschreiben.exe, 00000000.00000002.666891379.0000000001219000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs Bewerbungsschreiben.exe
  Source: Bewerbungsschreiben.exe, 00000000.00000002.667795575.0000000012ED1000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameLmHUZrzoUwNIKJkNITHH.exe4 vs Bewerbungsschreiben.exe
  Source: Bewerbungsschreiben.exe, 00000002.00000000.662939455.0000000000396000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameOutOfMemoryException.exe vs Bewerbungsschreiben.exe
  Source: Bewerbungsschreiben.exe, 00000003.00000002.664096938.00000000004A6000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameOutOfMemoryException.exe vs Bewerbungsschreiben.exe
  Source: Bewerbungsschreiben.exe, 00000004.00000002.664916914.0000000000DB6000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameOutOfMemoryException.exe vs Bewerbungsschreiben.exe
  Source: Bewerbungsschreiben.exe, 00000005.00000002.665611516.0000000000FD6000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameOutOfMemoryException.exe vs Bewerbungsschreiben.exe
  Source: Bewerbungsschreiben.exe, 00000006.00000002.666445214.00000000003F6000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameOutOfMemoryException.exe vs Bewerbungsschreiben.exe
  Source: Bewerbungsschreiben.exe; Binary or memory string: OriginalFilenameOutOfMemoryException.exe vs Bewerbungsschreiben.exe
  Source: Bewerbungsschreiben.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
  Source: classification engine; Classification label: mal72.troj.evad.winEXE@11/1@0/0
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bewerbungsschreiben.exe.log
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Mutant created: \Sessions\1\BaseNamedObjects\JPCTvSGJRYCL
  Source: Bewerbungsschreiben.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  Source: Bewerbungsschreiben.exe; Virustotal: Detection: 27%
  Source: unknown; Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe 'C:\Users\user\Desktop\Bewerbungsschreiben.exe'
  Source: unknown; Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe C:\Users\user\Desktop\Bewerbungsschreiben.exe (5 occurrences)
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe C:\Users\user\Desktop\Bewerbungsschreiben.exe (5 occurrences)
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
  Source: Bewerbungsschreiben.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
  Source: Bewerbungsschreiben.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
  Source: initial sample; Static PE information: section name: .text entropy: 7.80392973587
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Process information set: NOOPENFILEERRORBOX (29 occurrences)

Malware Analysis System Evasion:

Yara detected AntiVM_3
  Source: Yara match; File source: 00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match; File source: Process Memory Space: Bewerbungsschreiben.exe PID: 6424, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Source: Bewerbungsschreiben.exe, 00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
  Source: Bewerbungsschreiben.exe, 00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp; Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Code function: 2_2_0031471C sldt word ptr [edx]
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Thread delayed: delay time: 922337203685477
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe TID: 1680; Thread sleep time: -54969s >= -30000s
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe TID: 1836; Thread sleep time: -922337203685477s >= -30000s
  Source: Bewerbungsschreiben.exe, 00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp; Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
  Source: Bewerbungsschreiben.exe, 00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp; Binary or memory string: vmware
  Source: Bewerbungsschreiben.exe, 00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II
  Source: Bewerbungsschreiben.exe, 00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp; Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Process information queried: ProcessInformation
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Process token adjusted: Debug
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Memory allocated: page read and write | page guard
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Process created: C:\Users\user\Desktop\Bewerbungsschreiben.exe C:\Users\user\Desktop\Bewerbungsschreiben.exe (5 occurrences)
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Queries volume information: C:\Users\user\Desktop\Bewerbungsschreiben.exe VolumeInformation
  Source: C:\Users\user\Desktop\Bewerbungsschreiben.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
  Source: Yara match; File source: 00000000.00000002.667795575.0000000012ED1000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match; File source: Process Memory Space: Bewerbungsschreiben.exe PID: 6424, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
  Source: Yara match; File source: 00000000.00000002.667795575.0000000012ED1000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match; File source: Process Memory Space: Bewerbungsschreiben.exe PID: 6424, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection (11) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (11) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion (3) | LSASS Memory | Virtualization/Sandbox Evasion (3) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing (2) | NTDS | System Information Discovery (12) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection (11) | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (1) | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

Behavior Graph

Behavior Graph ID: 344881; Sample: Bewerbungsschreiben.exe; Start date: 27/01/2021; Architecture: WINDOWS; Score: 72
(graph image not reproduced; the node information recoverable from it follows)
  • Root node signatures: Multi AV Scanner detection for submitted file; Yara detected AgentTesla; Yara detected AntiVM_3; 2 other signatures
  • Process started: Bewerbungsschreiben.exe
    • Dropped file: C:\Users\user\...\Bewerbungsschreiben.exe.log, ASCII
    • Child processes started: Bewerbungsschreiben.exe (three instances shown) and 2 other processes

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
Bewerbungsschreiben.exe | 28% | Virustotal | |
Bewerbungsschreiben.exe | 100% | Joe Sandbox ML | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Bewerbungsschreiben.exe, 00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Bewerbungsschreiben.exe, 00000000.00000002.667795575.0000000012ED1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 344881
Start date: 27.01.2021
Start time: 11:40:49
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 5s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Bewerbungsschreiben.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.troj.evad.winEXE@11/1@0/0
EGA Information: Failed
HDC Information:
• Successful, ratio: 8.2% (good quality ratio 3.1%)
• Quality average: 22.5%
• Quality standard deviation: 31.7%
HCA Information:
• Successful, ratio: 67%
• Number of executed functions: 26
• Number of non-executed functions: 2
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
Warnings:
• Exclude process from analysis (whitelisted): svchost.exe

Simulations

Behavior and APIs

Time | Type | Description
11:41:43 | API Interceptor | 2x Sleep call for process: Bewerbungsschreiben.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bewerbungsschreiben.exe.log
Process: C:\Users\user\Desktop\Bewerbungsschreiben.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1742
Entropy (8bit): 5.381353871108486
Encrypted: false
SSDEEP: 48:MxHKEYHKGD8Ao6+vxpNl1qHGiD0HKeGitHTG1hAHKKPJAmHKoA9:iqEYqGgAo9ZPlwmI0qertzG1eqKPJ/qT
MD5: 978918F6120A43D1FA5899938A5A542F
SHA1: 6567A2E687B40BFD3A46246F51F4C89D93D89455
SHA-256: F814F290A540B3FD755D05F3434317D7B26F2C33D2087F9E63233CD88AB510FC
SHA-512: 1DF2AF5A3F8212BF591AAA366FE96F167F3E6D43746E07B7CD44F1B2F06C63B1D290412891AD0B4D0A82D1DFD6EB2EB7D70981C35941F370DC97729E9205DD53
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_6

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.789967766994758
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: Bewerbungsschreiben.exe
File size: 536576
MD5: 082f79d8347c5bebbe48b7693f997bc8
SHA1: 09a254878d726d23816d4d90c86b912856b98570
SHA256: 0c10d7fbab534bfee1ca3408fa01a956c99ae6c52d565bbb584c486eff2eaa2c
SHA512: 4ee0be3b7be21600f8ecf7d67171a70b0329a24164591ba82bf50d63a230fdf28936c7af998f40cceebaea3f6aadbbae09cf4cd89db1c1a6d42aa322a4eaa00b
SSDEEP: 6144:cJgS82gK0u4iMQngmODDJtDR5m5tw7Lm6/Bact8LG3waUkFFyjh6ZwRuxj1rrClD:oKHyY7DtXUYsA15SyoLcVkGXlXtQ
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.`.........."...P..$...........B... ...`....@.. ....................................@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x48428e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x601130A4 [Wed Jan 27 09:21:40 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: the bytes after the jmp are zero padding, and 00 00 disassembles as add byte ptr [eax], al)

            Data Directories

            Name                                 | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x8423c         | 0x4f         | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x86000         | 0x678        | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x88000         | 0xc          | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

            The populated entries are the minimal set for a managed executable: an import table and IAT for the single mscoree import, the CLR header (COM_DESCRIPTOR), a resource directory holding the version and manifest resources, and one base relocation. There is no TLS directory, no debug directory and no Authenticode signature (SECURITY is empty).

            Sections

            Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics
            .text  | 0x2000          | 0x82294      | 0x82400  | False    | 0.876743192179  | data      | 7.80392973587  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rsrc  | 0x86000         | 0x678        | 0x800    | False    | 0.3486328125    | data      | 3.58412881955  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x88000         | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Reading the table: .text holds 0x82400 bytes (533,504 of the 536,576-byte file) at an entropy of 7.80 bits per byte, close to the 8.0 of random or encrypted data. Plain IL and metadata normally sit well below 7, so for a managed assembly whose only native import is the CLR entry stub this points to an encrypted or compressed payload carried inside the managed code. Consistent with that, the memory region that matched the AgentTesla rule in the first process (source address 0x12ED1000 under System Behavior) lies far outside that process's image at 0xc10000: the detection fired on memory allocated at run time, not on the file's own image.

            Resources

            Name        | RVA     | Size  | Type                                                                        | Language | Country
            RT_VERSION  | 0x86090 | 0x3e8 | data                                                                        |          |
            RT_MANIFEST | 0x86488 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |          |

            Imports

            DLL         | Import
            mscoree.dll | _CorExeMain

            Version Infos

            Description      | Data
            Translation      | 0x0000 0x04b0
            LegalCopyright   | Steffen Henjes
            Assembly Version | 0.2.0.0
            InternalName     | OutOfMemoryException.exe
            FileVersion      | 0.2.0.0
            CompanyName      | www.steffen-blogging.de
            LegalTrademarks  |
            Comments         |
            ProductName      | Dummy File Creator - powered by steffen-blogging.de
            ProductVersion   | 0.2.0.0
            FileDescription  | DFC - Dummy File Creator
            OriginalFilename | OutOfMemoryException.exe

            The version resource describes a benign utility (DFC - Dummy File Creator, OriginalFilename OutOfMemoryException.exe), while the file was delivered as Bewerbungsschreiben.exe (German for a job-application cover letter), which is the mismatch behind the signature on the sample name differing from the version-info original name. Version resources are attacker-controlled and are routinely copied from legitimate binaries, so treat the product, company and copyright strings as lure decoration rather than as a lead on the author. Translation 0x0000/0x04b0 means language-neutral strings stored as Unicode (code page 1200).
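The three static signals in the tables above (section entropy, the import hash, and the name mismatch in the version resource) are cheap to reproduce without the sandbox. The following Python is an added example, not code from the report or from the sample: it computes per-byte Shannon entropy as in the Entropy column, a pefile-style import hash, and then runs a small triage pass over the values copied from this report. The REPORT dictionary layout, the 7.0 entropy threshold and the wording of the findings are this example's own choices; pefile itself is deliberately not used so the block runs offline.

```python
"""Static triage checks mirroring the PE tables in this report (added example)."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the measure in the report's Entropy column.
    0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def imphash(imports) -> str:
    """pefile-style import hash: md5 over 'dll.func' pairs, lowercased, library
    extension dropped, in import-table order, comma separated."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if ext in ("dll", "ocx", "sys"):
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# Every IL-only .NET executable imports exactly this one native symbol, so the
# resulting hash identifies the runtime stub, not the sample.
DOTNET_IMPHASH = imphash([("mscoree.dll", "_CorExeMain")])

# Values copied from the Data Directories, Sections, Imports and Version Infos
# tables of this report; the dict layout and field names are this example's own.
REPORT = {
    "sample_name": "Bewerbungsschreiben.exe",
    "file_size": 536576,
    "imports": [("mscoree.dll", "_CorExeMain")],
    "com_descriptor_size": 0x48,  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR size
    # (name, virtual size, raw size, entropy, executable)
    "sections": [
        (".text", 0x82294, 0x82400, 7.80392973587, True),
        (".rsrc", 0x678, 0x800, 3.58412881955, False),
        (".reloc", 0xc, 0x200, 0.101910425663, False),
    ],
    "original_filename": "OutOfMemoryException.exe",
}

PACKED_ENTROPY = 7.0  # threshold chosen for this example; plain IL sits well below it


def triage(report) -> list:
    """Return human-readable findings for the static fields of one sample."""
    findings = []
    if report["com_descriptor_size"]:
        findings.append("managed (.NET) image: CLR header present")
    if imphash(report["imports"]) == DOTNET_IMPHASH:
        findings.append("imphash is the generic .NET value; not a useful pivot")
    for name, _vsize, rsize, entropy, executable in report["sections"]:
        if executable and entropy >= PACKED_ENTROPY:
            share = rsize / report["file_size"]
            findings.append(
                f"{name}: entropy {entropy:.2f} over {share:.0%} of the file; "
                "likely an encrypted or compressed payload")
    if report["original_filename"].lower() != report["sample_name"].lower():
        findings.append(
            f"name mismatch: on disk {report['sample_name']}, "
            f"version info says {report['original_filename']}")
    return findings


if __name__ == "__main__":
    for line in triage(REPORT):
        print("-", line)
```

For a real file, feed `shannon_entropy` the raw bytes of each section and `imphash` the (dll, function) pairs from the import table; the entropy threshold is a heuristic, and an executable section this large at 7.8 bits per byte is worth a second look whatever the toolchain.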

            Network Behavior

            No network behavior found. Because the first process matched the AntiVM_3 rule (see its Yara matches under System Behavior) and the sample carries sandbox-detection and long-sleep behaviour, the silence during this run says little about the payload's exfiltration capability; treat the result as inconclusive rather than as evidence that the sample has no network path.

            Code Manipulations

            Statistics

            (Interactive per-process charts in the original report: CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior)

            System Behavior

            General

            Start time:11:41:42
            Start date:27/01/2021
            Path:C:\Users\user\Desktop\Bewerbungsschreiben.exe
            Wow64 process (32bit):false
            Commandline:'C:\Users\user\Desktop\Bewerbungsschreiben.exe'
            Imagebase:0xc10000
            File size:536576 bytes
            MD5 hash:082F79D8347C5BEBBE48B7693F997BC8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.667795575.0000000012ED1000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.667200650.0000000002EC1000.00000004.00000001.sdmp, Author: Joe Security
            Reputation:low

            General

            Start time:11:41:44
            Start date:27/01/2021
            Path:C:\Users\user\Desktop\Bewerbungsschreiben.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\Desktop\Bewerbungsschreiben.exe
            Imagebase:0x310000
            File size:536576 bytes
            MD5 hash:082F79D8347C5BEBBE48B7693F997BC8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low

            General

            Start time:11:41:45
            Start date:27/01/2021
            Path:C:\Users\user\Desktop\Bewerbungsschreiben.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\Desktop\Bewerbungsschreiben.exe
            Imagebase:0x420000
            File size:536576 bytes
            MD5 hash:082F79D8347C5BEBBE48B7693F997BC8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low

            General

            Start time:11:41:45
            Start date:27/01/2021
            Path:C:\Users\user\Desktop\Bewerbungsschreiben.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\Desktop\Bewerbungsschreiben.exe
            Imagebase:0xd30000
            File size:536576 bytes
            MD5 hash:082F79D8347C5BEBBE48B7693F997BC8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low

            General

            Start time:11:41:45
            Start date:27/01/2021
            Path:C:\Users\user\Desktop\Bewerbungsschreiben.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\Desktop\Bewerbungsschreiben.exe
            Imagebase:0xf50000
            File size:536576 bytes
            MD5 hash:082F79D8347C5BEBBE48B7693F997BC8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low

            General

            Start time:11:41:46
            Start date:27/01/2021
            Path:C:\Users\user\Desktop\Bewerbungsschreiben.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\Desktop\Bewerbungsschreiben.exe
            Imagebase:0x370000
            File size:536576 bytes
            MD5 hash:082F79D8347C5BEBBE48B7693F997BC8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
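The process list above shows one parent (PID 6424) starting five further copies of its own image within four seconds, which is the behaviour a host-based detection can key on. The following Python is an added example, not part of the report, that runs a self-spawn burst check over process-creation events constructed from the start times and PIDs listed above; the parent's own PPID (1000), the cmd.exe noise line, and the thresholds are this example's inventions.

```python
"""Detect a process that launches several copies of its own image in quick
succession (added example built from the process starts listed in the report)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcStart:
    """One process-creation event (fields that Sysmon event ID 1 also carries)."""
    ts: datetime
    pid: int
    ppid: int
    image: str


IMAGE = r"C:\Users\user\Desktop\Bewerbungsschreiben.exe"
T0 = datetime(2021, 1, 27, 11, 41, 42)

# Start times, PIDs and parent/child relations as listed in this report.
# PPID 1000 for the initial parent and the cmd.exe line are constructed noise.
EVENTS = [
    ProcStart(T0, 6424, 1000, IMAGE),
    ProcStart(T0 + timedelta(seconds=1), 7001, 1000, r"C:\Windows\System32\cmd.exe"),
    ProcStart(T0 + timedelta(seconds=2), 5888, 6424, IMAGE),
    ProcStart(T0 + timedelta(seconds=3), 5844, 6424, IMAGE),
    ProcStart(T0 + timedelta(seconds=3), 2848, 6424, IMAGE),
    ProcStart(T0 + timedelta(seconds=3), 4480, 6424, IMAGE),
    ProcStart(T0 + timedelta(seconds=4), 6472, 6424, IMAGE),
]


def self_spawn_bursts(events, min_children=2, window=timedelta(seconds=30)):
    """Return [(parent_pid, image, [child pids])] for every parent that starts at
    least `min_children` processes from its own image path within `window` of the
    first such child. Both thresholds are this example's choice."""
    by_pid = {e.pid: e for e in events}
    kids_of = defaultdict(list)
    # sorted() is stable, so children with equal timestamps keep their input order
    for e in sorted(events, key=lambda e: e.ts):
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == e.image.lower():
            kids_of[e.ppid].append(e)
    hits = []
    for ppid, kids in kids_of.items():
        burst = [k for k in kids if k.ts - kids[0].ts <= window]
        if len(burst) >= min_children:
            hits.append((ppid, by_pid[ppid].image, [k.pid for k in burst]))
    return hits


if __name__ == "__main__":
    for ppid, image, kids in self_spawn_bursts(EVENTS):
        print(f"PID {ppid} started {len(kids)} copies of {image}: {kids}")
```

On a Sysmon pipeline the same logic maps onto event ID 1 fields (UtcTime, ProcessId, ParentProcessId, Image, ParentImage). Browsers and other multi-process applications spawn copies of themselves legitimately, so scope the rule to images in user-writable paths such as Desktop, Downloads or Temp, or use it as a triage signal rather than a standalone alert.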

            Disassembly

            Code Analysis


              Executed Functions

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0304b0b2e4f0994ea972ff1843f892343d755e32907e0fdcaa3a982f4de94573
              • Instruction ID: b3522353e75a0623c54d9fe0283b40bceb56d896221803896cf8a31f94d83e93
              • Opcode Fuzzy Hash: 0304b0b2e4f0994ea972ff1843f892343d755e32907e0fdcaa3a982f4de94573
              • Instruction Fuzzy Hash: 08A10670D18A1E8FDBA8DB18D8597E8B7F1FF5A705F5040AAE00DE7291CE356981EB40
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9385ac974b729872ab5a357edb43f7fbcb43f7dd0472d60138b240a3bbb2a3c8
              • Instruction ID: fa37ae3b66664ba195e7774fff48e80e5881d2e4a20c5cb766966127a4525fde
              • Opcode Fuzzy Hash: 9385ac974b729872ab5a357edb43f7fbcb43f7dd0472d60138b240a3bbb2a3c8
              • Instruction Fuzzy Hash: 2CA16034D1861A8FDB98EF58C4455FDBBB2FF9A714F108179E00DA3296CE35A881EB50
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e1991300ac830aafa25b0f00d5f758b5ed8396ba0a70451fe75b2aaa09ce5191
              • Instruction ID: 86be2858d3553673820690cfbbe839e7c8bb36f77eb9ed3c55fcd235618b7668
              • Opcode Fuzzy Hash: e1991300ac830aafa25b0f00d5f758b5ed8396ba0a70451fe75b2aaa09ce5191
              • Instruction Fuzzy Hash: EC81F870D18A1D8FDB94EB58C899BA8B7F1FF59704F5041AAE00DE3291DE35A981DB40
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: df27e1413c959296198aa9fd75700dbbbaffbf03354bfb6f296d8ed5ed41199e
              • Instruction ID: badc08ea5aac47154ad2908f9b5c06483e450e9eda21e43e38d2895bf8918913
              • Opcode Fuzzy Hash: df27e1413c959296198aa9fd75700dbbbaffbf03354bfb6f296d8ed5ed41199e
              • Instruction Fuzzy Hash: 24714C30D1861A8FDB68DB58D8456BDB7B2FF9A704F10C179E00DA3295CF35A981AB40
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 876b7bf409ccadce057094561f68246519eabd577e84eb939840823b92be95fb
              • Instruction ID: 83d0b791c06d2c940477bc8ef6de7b3aa0fb7dfad3060a94519a441edd996724
              • Opcode Fuzzy Hash: 876b7bf409ccadce057094561f68246519eabd577e84eb939840823b92be95fb
              • Instruction Fuzzy Hash: 1961E830918A5D8FDB94EF68C899AACBBF1FF59304F5441B9D00DE7292DB35A881CB41
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9449dcd628b9df33141e698f9224baaee9584df8ca7a139ee091054761f081f2
              • Instruction ID: d304938abb2ec8ae0d4a7a5716d3976696817aeeeeb8c08e4cf125a20d3a5f90
              • Opcode Fuzzy Hash: 9449dcd628b9df33141e698f9224baaee9584df8ca7a139ee091054761f081f2
              • Instruction Fuzzy Hash: E041F271D58A8E4FDB85EB6CD84A6F9BBF0FF56710F0442B6E00CD3192CE2968429780
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 04d88de1911cdeee1ea7cd7e9008890c1442a0949cfde72b8e0ea3dae50adfec
              • Instruction ID: 1abdd5d4fa1a03a7055194b273cd6d2218c16e3fee2e828c0dd7d9ced87dee64
              • Opcode Fuzzy Hash: 04d88de1911cdeee1ea7cd7e9008890c1442a0949cfde72b8e0ea3dae50adfec
              • Instruction Fuzzy Hash: 7B511970D1861A8EDB69DF58C895AEDB7B2FF59300F1081B9D00EA7292CF35A981DB50
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 05bd5d728592421f330d80c15cf4706965c117ad75b4e41ceeb8ad86bfa8f566
              • Instruction ID: c987d128705eef752d773ea3a23cdc3b5bb700ba746504d700c09ba35bc065bb
              • Opcode Fuzzy Hash: 05bd5d728592421f330d80c15cf4706965c117ad75b4e41ceeb8ad86bfa8f566
              • Instruction Fuzzy Hash: 2A515E70E1861A8FEB64DB58D851BBDB7B2FF9A704F1081B9E00DA3241CF356A41AF50
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: caf3bac3d0b2c2224e895d396793be3f2042811d48e3b2276ff35bd173087048
              • Instruction ID: 6873e047470f0e20bbb9a6dd090ddabc0eafafeb3dc6849f6b85cfa218f4bfe7
              • Opcode Fuzzy Hash: caf3bac3d0b2c2224e895d396793be3f2042811d48e3b2276ff35bd173087048
              • Instruction Fuzzy Hash: CD319332E0D2578ED711BB3CE8560FA77E0EF43724B4484B7E08DCA193DE295989D689
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1b256321e660088fdba0d21c4827b8baa457747192cc729bc50aa775d26108da
              • Instruction ID: 47c4d3b6afd4c25a459416a219b08acb76cb017b4193c4f1754d7274c2bb6789
              • Opcode Fuzzy Hash: 1b256321e660088fdba0d21c4827b8baa457747192cc729bc50aa775d26108da
              • Instruction Fuzzy Hash: CF414C74D1851A8EDB69DB18C895AF8B3B1FF5A704F1041B9D00EA7282CF34AA80DF50
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 54a455b7a12d0c9be3a3e56f02b7a51788320e12be2a1edb63ac590489ab1fa2
              • Instruction ID: 14b26c1ca9e69c4a4225cd722419d500ad78ac7e91b74fc822dc381879957abc
              • Opcode Fuzzy Hash: 54a455b7a12d0c9be3a3e56f02b7a51788320e12be2a1edb63ac590489ab1fa2
              • Instruction Fuzzy Hash: 07315E70D18A5E8FDF94EB98D859AECBBF1FF6A300F04407AE00DE3255DA7598419740
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2807151efa0eaec23e190f21be439edc57e1e7338a8b3ebae6f073a7ec6340d0
              • Instruction ID: ec3799122347da511fff03994abac764e9f75f5ee10f81d3b79b37482cf8a2bb
              • Opcode Fuzzy Hash: 2807151efa0eaec23e190f21be439edc57e1e7338a8b3ebae6f073a7ec6340d0
              • Instruction Fuzzy Hash: E331E130D2895D8FDB94EF98D899AEDBBF1FF59304F10416AE40EE3290CA75A841DB40
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: caffc06280c2214b9a59e63b4a6cb5495615a962075200e7cdf7682f2bf1c1c4
              • Instruction ID: 63cfc6011a8de23b8584df0054f8c6e7ef52815387cc8d6becbad485bdf3bd25
              • Opcode Fuzzy Hash: caffc06280c2214b9a59e63b4a6cb5495615a962075200e7cdf7682f2bf1c1c4
              • Instruction Fuzzy Hash: 28410B74D195298FDB69DB18C895AE9B7B2FF59300F5041F9D00EA7292CE346A80DF50
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 206080e4ceab52e913c2893158b46d6b1c8732f18db01ce295bc2b09c4d71798
              • Instruction ID: e03d9ff1e3c5d8d2f18bfaf51b29302e680f9d036599951de43aa964126d850c
              • Opcode Fuzzy Hash: 206080e4ceab52e913c2893158b46d6b1c8732f18db01ce295bc2b09c4d71798
              • Instruction Fuzzy Hash: 5E311A71D18A4D8FDB55EB98D899AEDBBF1FF5A300F444176E00DE3291CA385945CB40
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a227564e3a1fab30633edf16072c58f7fd5d9ee04597298834a9a5dd53cf646d
              • Instruction ID: 8abbb1351f2dc5f12f6b8e283b22a33d0174cebd0874a362999974eb535794e1
              • Opcode Fuzzy Hash: a227564e3a1fab30633edf16072c58f7fd5d9ee04597298834a9a5dd53cf646d
              • Instruction Fuzzy Hash: FC314831A18A4D8FDB94EF68D899BA97BF1FF99700F04407AE00DE3291CA35A845DB40
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 16fad68ec46e5aedafeb03bf72b34c5437e8928ecac7581c3112a6531031cfd0
              • Instruction ID: d8ef0f5de6028cb761fc701af25b324c62cb9f8c8bf93f00a0b7ab5c9ec81a31
              • Opcode Fuzzy Hash: 16fad68ec46e5aedafeb03bf72b34c5437e8928ecac7581c3112a6531031cfd0
              • Instruction Fuzzy Hash: 67310730A18A1D8FDB94EF58D899BA977F1FF99704F104479E00EE3291CA35A845DB40
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c9746c6e0291289c9d01e5f0c0c2d150972aeab3064966e664e8219a6e491ae
              • Instruction ID: a92df4d46d2364d18cb1b6a02b0fd4047aba15214290dc51e36b01a999eb64a6
              • Opcode Fuzzy Hash: 1c9746c6e0291289c9d01e5f0c0c2d150972aeab3064966e664e8219a6e491ae
              • Instruction Fuzzy Hash: 63310431E2C68A4FD741E7ACD8962E9B7E0FF4A314F448076E04ED3192DE286945D744
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: be37697a78bd4350606fbf35f9efc6e8d72311fa4b8030d7fb298ab38eb39c00
              • Instruction ID: 9547a8a9b31c939426c0908eea80279169a9bc49ed701ec349109c5684ffdd3a
              • Opcode Fuzzy Hash: be37697a78bd4350606fbf35f9efc6e8d72311fa4b8030d7fb298ab38eb39c00
              • Instruction Fuzzy Hash: 28219230D4864E4FEB54EF64D8556EA7BB1FF8A300F418476E40DD7286CE7AA8109750
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0dd39487222778e37cdb45418acf36b8ae377b42ace351318cda7b91beba50ba
              • Instruction ID: 414f3ceced8c1e113abcb654925a91ca62bdd3d69ce752b876cf324ca66e9e38
              • Opcode Fuzzy Hash: 0dd39487222778e37cdb45418acf36b8ae377b42ace351318cda7b91beba50ba
              • Instruction Fuzzy Hash: 0521D130928A8A8FD781EB28C44A9A877E1FF86704F4085F6E00DCB092DF35E490D741
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a5328c91bd789ebc92587b3f380e80bed801f61bfd07744689f2e34ca14a99cf
              • Instruction ID: 076f0a1e83761a1af2fd6367f45a0baa5604dba45e23c44338b6ee04df175d2a
              • Opcode Fuzzy Hash: a5328c91bd789ebc92587b3f380e80bed801f61bfd07744689f2e34ca14a99cf
              • Instruction Fuzzy Hash: A8216D75918A4E9FDF81EB98C889AEDBBF1FF99310F004575E00CE3251CB74A5458B90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 35e3acca5845533867c01c45cbf86b7242d11f186928c71c4053be5e4602e177
              • Instruction ID: 99fd20f83060ca14dc48e6b0ddff445bd483ed640a86c6fc337fc389102b1017
              • Opcode Fuzzy Hash: 35e3acca5845533867c01c45cbf86b7242d11f186928c71c4053be5e4602e177
              • Instruction Fuzzy Hash: 6201B53498868A4FE729EF249C452FA7B92EFCA704F458835F41DC3186CEBDA525D740
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5899da5f243be3bd2f4f4c13aae61334d062ba350fe7873a79f41cc897952b31
              • Instruction ID: 0b24eb4eee61c952c4b7a103d2a2e8e75150eca4455a572c3b816ee2e78dce9a
              • Opcode Fuzzy Hash: 5899da5f243be3bd2f4f4c13aae61334d062ba350fe7873a79f41cc897952b31
              • Instruction Fuzzy Hash: 2901AD3084868E4FDB82DF68C8596EA7FF0FF86200F4441BAE84CC2192CAB98565D781
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5de678979c89c05dbeaabb5e5290b57ebca4e8b675e5fa7e23a42b02ae5d990d
              • Instruction ID: 7c2e72f5e8f4d40416f8bb4ffd39030df752280a4d8c3065b729e81031e054bc
              • Opcode Fuzzy Hash: 5de678979c89c05dbeaabb5e5290b57ebca4e8b675e5fa7e23a42b02ae5d990d
              • Instruction Fuzzy Hash: 7A012D30D1851E9FEBA4EB28C8586E9B2B1FF49301F4481B6D00ED3291DF346A81DB40
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5148bc1d6b1a1058eab1493d0c9d448a4d44c725ff166d0d21b4a975cbc45700
              • Instruction ID: f895e3490344eb455aaa2c6d894dd8e0b2eed985b19bda7854a301d98ce0d8d7
              • Opcode Fuzzy Hash: 5148bc1d6b1a1058eab1493d0c9d448a4d44c725ff166d0d21b4a975cbc45700
              • Instruction Fuzzy Hash: 86E09232E1881E8FDF80EB9CD4419EDB7B0FF59310F004172E10DE3151DA35A4419B94
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7da31a0ee1a267e3bf7f2dc4fd5d250990f9b2a1888b4b9bfb6c79002508fae0
              • Instruction ID: 4d88a39ffba428a0e9177acce5cc6d9e74c4db991ccbc795ac2231ac207510fc
              • Opcode Fuzzy Hash: 7da31a0ee1a267e3bf7f2dc4fd5d250990f9b2a1888b4b9bfb6c79002508fae0
              • Instruction Fuzzy Hash: C1F08C30D1910A9FEB60DB18C8586EE77B1EF46310F14427AC01AD3282DF39AA45EB40
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ac14b23651ca7f23b80d3f864e74d390d6c4273317b6161066ba0189b5d9fcc4
              • Instruction ID: 6ed4b2abbbfc09c935740c9925f5691319ad79188123763b23c2b747ae987c08
              • Opcode Fuzzy Hash: ac14b23651ca7f23b80d3f864e74d390d6c4273317b6161066ba0189b5d9fcc4
              • Instruction Fuzzy Hash: B8E03930E1851A8FEB64DB58C8546FEB2A2FF59314F14867AC01E93281DF79A981DB40
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Memory Dump Source
              • Source File: 00000000.00000002.669954601.00007FFA35A30000.00000040.00000001.sdmp, Offset: 00007FFA35A30000, based on PE: false
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 70f1e2edf0b64ff9609a51a9254f18c902d9fd358f73b506dfa1a70f675df36d
              • Instruction ID: aff93734067a7d995a394c947e5071a95f4a51b0d35d0820a81bc81afa88aea8
              • Opcode Fuzzy Hash: 70f1e2edf0b64ff9609a51a9254f18c902d9fd358f73b506dfa1a70f675df36d
              • Instruction Fuzzy Hash: 2EC17E17B0D1664EEA21B73CBC935F97BD0CF437367848173E1CD89063AE19688AC699
              Uniqueness

              Uniqueness Score: -1.00%

              Executed Functions

              Non-executed Functions

              Memory Dump Source
              • Source File: 00000002.00000002.663046441.0000000000312000.00000002.00020000.sdmp, Offset: 00310000, based on PE: true
              • Associated: 00000002.00000002.663039940.0000000000310000.00000002.00020000.sdmp
              • Associated: 00000002.00000002.663114844.0000000000396000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2e98126764dc75492317816b0e0412c6389223381b99e132c440bee266d7d6d2
              • Instruction ID: db7e5cfbf62dc1d7e8332e6b11db389318702bd7d94ced9fc50d5617dd886c79
              • Opcode Fuzzy Hash: 2e98126764dc75492317816b0e0412c6389223381b99e132c440bee266d7d6d2
              • Instruction Fuzzy Hash: 8DE0460A00FAC19EE71327B03B36ADA7F35AE93310B0984C3D0802A2A3A8000754D272
              Uniqueness

              Uniqueness Score: -1.00%