Play interactive tour

Edit tour

Analysis Report tLes2JdtRw.exe

Overview

General Information

Sample Name:	tLes2JdtRw.exe
Analysis ID:	412499
MD5:	2edb5a087966f25f972506500a48c9f3
SHA1:	ba38e69ebe87da9e49d45b2b291ee3024f8bd743
SHA256:	1b80ed1165b46b410fbc236e2e19baa9e0d71b6992a41e5d30b7d70670bb2c08
Tags:	AgentTeslaexe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

tLes2JdtRw.exe (PID: 6888 cmdline: 'C:\Users\user\Desktop\tLes2JdtRw.exe' MD5: 2EDB5A087966F25F972506500A48C9F3)

tLes2JdtRw.exe (PID: 7072 cmdline: C:\Users\user\Desktop\tLes2JdtRw.exe MD5: 2EDB5A087966F25F972506500A48C9F3)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "sergio.arroyo@kaeiser.comQIErWCn3smtp.kaeiser.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.906500988.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.906500988.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.657948952.0000000003BE9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.657948952.0000000003BE9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: tLes2JdtRw.exe PID: 7072	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: tLes2JdtRw.exe PID: 7072	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tLes2JdtRw.exe PID: 6888	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: tLes2JdtRw.exe PID: 6888	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.tLes2JdtRw.exe.3c9b718.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.tLes2JdtRw.exe.3c9b718.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.2.tLes2JdtRw.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.tLes2JdtRw.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.tLes2JdtRw.exe.3c9b718.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.tLes2JdtRw.exe.3c9b718.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "sergio.arroyo@kaeiser.comQIErWCn3smtp.kaeiser.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: tLes2JdtRw.exe	Virustotal: Detection: 26%			Perma Link
Source: tLes2JdtRw.exe	ReversingLabs: Detection: 23%

Machine Learning detection for sample

Show sources

Source: tLes2JdtRw.exe

Joe Sandbox ML: detected

Source: 3.2.tLes2JdtRw.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: tLes2JdtRw.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: tLes2JdtRw.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_011E6328
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_011E6319
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_011E63DC

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49768 -> 208.91.199.223:587

Source: global traffic

TCP traffic: 192.168.2.4:49768 -> 208.91.199.223:587

Source: Joe Sandbox View

IP Address: 208.91.199.223 208.91.199.223

Source: global traffic

TCP traffic: 192.168.2.4:49768 -> 208.91.199.223:587

Source: unknown

DNS traffic detected: queries for: smtp.kaeiser.com

Source: tLes2JdtRw.exe, 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: tLes2JdtRw.exe, 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: tLes2JdtRw.exe, 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp	String found in binary or memory: http://qdovFN.com
Source: tLes2JdtRw.exe, 00000000.00000002.655983993.0000000002BE1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tLes2JdtRw.exe, 00000003.00000002.908788243.000000000347D000.00000004.00000001.sdmp	String found in binary or memory: http://smtp.kaeiser.com
Source: tLes2JdtRw.exe, 00000003.00000002.908788243.000000000347D000.00000004.00000001.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: tLes2JdtRw.exe, 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp, tLes2JdtRw.exe, 00000003.00000002.908718423.000000000342C000.00000004.00000001.sdmp, tLes2JdtRw.exe, 00000003.00000002.908802618.0000000003487000.00000004.00000001.sdmp, tLes2JdtRw.exe, 00000003.00000002.908815420.000000000348C000.00000004.00000001.sdmp	String found in binary or memory: http://vn95dHBD7e.net
Source: tLes2JdtRw.exe, 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp	String found in binary or memory: http://vn95dHBD7e.net4
Source: tLes2JdtRw.exe, 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: tLes2JdtRw.exe, 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: tLes2JdtRw.exe, 00000000.00000002.657948952.0000000003BE9000.00000004.00000001.sdmp, tLes2JdtRw.exe, 00000003.00000002.906500988.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: tLes2JdtRw.exe, 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 3.2.tLes2JdtRw.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bB235A244u002d5635u002d46EDu002dA1EBu002d5F6AEC7E65E3u007d/F471CC91u002d75F6u002d4571u002d8ED5u002d82400D66C487.cs

Large array initialization: .cctor: array initializer size 11954

Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_011E41DF	0_2_011E41DF
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_011E6A49	0_2_011E6A49
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_011E417E	0_2_011E417E
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_011E419E	0_2_011E419E
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_011E39B8	0_2_011E39B8
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_011E0006	0_2_011E0006
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_011E0040	0_2_011E0040
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_011E20D8	0_2_011E20D8
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_011E20C8	0_2_011E20C8
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_011E3BB8	0_2_011E3BB8
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_011E3BA8	0_2_011E3BA8
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_011E1538	0_2_011E1538
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_011E1548	0_2_011E1548
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_011E3F97	0_2_011E3F97
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_011E3FA8	0_2_011E3FA8
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_02B7C2B0	0_2_02B7C2B0
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_02B799D8	0_2_02B799D8
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_01175520	3_2_01175520
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_0117B838	3_2_0117B838
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_011767C0	3_2_011767C0
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_014AB120	3_2_014AB120
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_014A0818	3_2_014A0818
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_014A0C58	3_2_014A0C58
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_014A6F88	3_2_014A6F88
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_014A35A0	3_2_014A35A0
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_014A9738	3_2_014A9738
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_014AE7E8	3_2_014AE7E8
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_014C2D50	3_2_014C2D50
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_014CB460	3_2_014CB460
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_014C2768	3_2_014C2768
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_014CAB20	3_2_014CAB20
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_014C1FF0	3_2_014C1FF0
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_014CDEA8	3_2_014CDEA8
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_014C9DB8	3_2_014C9DB8
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_015746A0	3_2_015746A0
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_01575371	3_2_01575371
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_015735C4	3_2_015735C4
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_015745B0	3_2_015745B0

Source: tLes2JdtRw.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: tLes2JdtRw.exe, 00000000.00000000.641516490.0000000000852000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBindableVectorToListAdapter.exeP vs tLes2JdtRw.exe
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs tLes2JdtRw.exe
Source: tLes2JdtRw.exe, 00000000.00000002.655983993.0000000002BE1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUPUUHYtnpTKoXtyRejHoSmyBkdQcDqfWz.exe4 vs tLes2JdtRw.exe
Source: tLes2JdtRw.exe, 00000000.00000002.660476002.0000000005EF0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs tLes2JdtRw.exe
Source: tLes2JdtRw.exe, 00000003.00000000.653585012.0000000000D02000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBindableVectorToListAdapter.exeP vs tLes2JdtRw.exe
Source: tLes2JdtRw.exe, 00000003.00000002.907690197.00000000014F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs tLes2JdtRw.exe
Source: tLes2JdtRw.exe, 00000003.00000002.906500988.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameUPUUHYtnpTKoXtyRejHoSmyBkdQcDqfWz.exe4 vs tLes2JdtRw.exe
Source: tLes2JdtRw.exe, 00000003.00000002.907418762.0000000001379000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs tLes2JdtRw.exe
Source: tLes2JdtRw.exe, 00000003.00000002.907733763.0000000001560000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs tLes2JdtRw.exe
Source: tLes2JdtRw.exe, 00000003.00000002.906774932.00000000010F8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs tLes2JdtRw.exe
Source: tLes2JdtRw.exe, 00000003.00000002.907644228.00000000014B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs tLes2JdtRw.exe
Source: tLes2JdtRw.exe	Binary or memory string: OriginalFilenameBindableVectorToListAdapter.exeP vs tLes2JdtRw.exe

Source: tLes2JdtRw.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: tLes2JdtRw.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 3.2.tLes2JdtRw.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.tLes2JdtRw.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1

Source: C:\Users\user\Desktop\tLes2JdtRw.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tLes2JdtRw.exe.log

Jump to behavior

Source: tLes2JdtRw.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\tLes2JdtRw.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\tLes2JdtRw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\tLes2JdtRw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: tLes2JdtRw.exe	Virustotal: Detection: 26%
Source: tLes2JdtRw.exe	ReversingLabs: Detection: 23%

Source: tLes2JdtRw.exe	String found in binary or memory: ^(Male\|Female)$-Add Student Details :-
Source: tLes2JdtRw.exe	String found in binary or memory: Teacher Name-Add Teacher Details :-

Source: unknown	Process created: C:\Users\user\Desktop\tLes2JdtRw.exe 'C:\Users\user\Desktop\tLes2JdtRw.exe'
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process created: C:\Users\user\Desktop\tLes2JdtRw.exe C:\Users\user\Desktop\tLes2JdtRw.exe
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process created: C:\Users\user\Desktop\tLes2JdtRw.exe C:\Users\user\Desktop\tLes2JdtRw.exe	Jump to behavior

Source: C:\Users\user\Desktop\tLes2JdtRw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\tLes2JdtRw.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\tLes2JdtRw.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: tLes2JdtRw.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: tLes2JdtRw.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_011E6006 pushfd ; iretd	0_2_011E6005
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 0_2_011E5FF1 pushfd ; iretd	0_2_011E6005
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_014A8FB0 push esp; ret	3_2_014A8FF1
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_014CDA40 pushfd ; ret	3_2_014CDA41
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Code function: 3_2_014C7A37 push edi; retn 0000h	3_2_014C7A39

Source: initial sample

Static PE information: section name: .text entropy: 7.64323527692

Source: C:\Users\user\Desktop\tLes2JdtRw.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tLes2JdtRw.exe PID: 6888, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\tLes2JdtRw.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\tLes2JdtRw.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Window / User API: threadDelayed 973			Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Window / User API: threadDelayed 8822			Jump to behavior

Source: C:\Users\user\Desktop\tLes2JdtRw.exe TID: 6892	Thread sleep time: -101751s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe TID: 6932	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe TID: 5560	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe TID: 5552	Thread sleep count: 973 > 30	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe TID: 5552	Thread sleep count: 8822 > 30	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe TID: 5560	Thread sleep count: 50 > 30	Jump to behavior

Source: C:\Users\user\Desktop\tLes2JdtRw.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Thread delayed: delay time: 101751	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: tLes2JdtRw.exe, 00000003.00000002.907501327.00000000013EA000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6/
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\tLes2JdtRw.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\tLes2JdtRw.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\tLes2JdtRw.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\tLes2JdtRw.exe

Memory written: C:\Users\user\Desktop\tLes2JdtRw.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\tLes2JdtRw.exe

Process created: C:\Users\user\Desktop\tLes2JdtRw.exe C:\Users\user\Desktop\tLes2JdtRw.exe

Jump to behavior

Source: tLes2JdtRw.exe, 00000003.00000002.908256701.0000000001B20000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: tLes2JdtRw.exe, 00000003.00000002.908256701.0000000001B20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: tLes2JdtRw.exe, 00000003.00000002.908256701.0000000001B20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: tLes2JdtRw.exe, 00000003.00000002.908256701.0000000001B20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Queries volume information: C:\Users\user\Desktop\tLes2JdtRw.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Queries volume information: C:\Users\user\Desktop\tLes2JdtRw.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\tLes2JdtRw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000003.00000002.906500988.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.657948952.0000000003BE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.tLes2JdtRw.exe.3c9b718.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.tLes2JdtRw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tLes2JdtRw.exe.3c9b718.3.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000003.00000002.906500988.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.657948952.0000000003BE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tLes2JdtRw.exe PID: 7072, type: MEMORY
Source: Yara match	File source: Process Memory Space: tLes2JdtRw.exe PID: 6888, type: MEMORY
Source: Yara match	File source: 0.2.tLes2JdtRw.exe.3c9b718.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.tLes2JdtRw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tLes2JdtRw.exe.3c9b718.3.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\tLes2JdtRw.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\tLes2JdtRw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\tLes2JdtRw.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\tLes2JdtRw.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\tLes2JdtRw.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tLes2JdtRw.exe PID: 7072, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000003.00000002.906500988.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.657948952.0000000003BE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.tLes2JdtRw.exe.3c9b718.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.tLes2JdtRw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tLes2JdtRw.exe.3c9b718.3.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000003.00000002.906500988.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.657948952.0000000003BE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tLes2JdtRw.exe PID: 7072, type: MEMORY
Source: Yara match	File source: Process Memory Space: tLes2JdtRw.exe PID: 6888, type: MEMORY
Source: Yara match	File source: 0.2.tLes2JdtRw.exe.3c9b718.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.tLes2JdtRw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tLes2JdtRw.exe.3c9b718.3.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Process Injection112	Masquerading1	OS Credential Dumping2	Query Registry1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	Credentials in Registry1	Security Software Discovery211	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion131	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Virtualization/Sandbox Evasion131	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing3	DCSync	System Information Discovery114	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
tLes2JdtRw.exe	26%	Virustotal		Browse
tLes2JdtRw.exe	23%	ReversingLabs	Win32.Trojan.AgentTesla
tLes2JdtRw.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.tLes2JdtRw.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://vn95dHBD7e.net4	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://vn95dHBD7e.net	0%	Avira URL Cloud	safe
http://qdovFN.com	0%	Avira URL Cloud	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://smtp.kaeiser.com	0%	Avira URL Cloud	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.223	true	false		high
smtp.kaeiser.com	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	tLes2JdtRw.exe, 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://vn95dHBD7e.net4	tLes2JdtRw.exe, 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNS	tLes2JdtRw.exe, 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://us2.smtp.mailhostbox.com	tLes2JdtRw.exe, 00000003.00000002.908788243.000000000347D000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	tLes2JdtRw.exe, 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://vn95dHBD7e.net	tLes2JdtRw.exe, 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp, tLes2JdtRw.exe, 00000003.00000002.908718423.000000000342C000.00000004.00000001.sdmp, tLes2JdtRw.exe, 00000003.00000002.908802618.0000000003487000.00000004.00000001.sdmp, tLes2JdtRw.exe, 00000003.00000002.908815420.000000000348C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://qdovFN.com	tLes2JdtRw.exe, 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org%GETMozilla/5.0	tLes2JdtRw.exe, 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://smtp.kaeiser.com	tLes2JdtRw.exe, 00000003.00000002.908788243.000000000347D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	tLes2JdtRw.exe, 00000000.00000002.655983993.0000000002BE1000.00000004.00000001.sdmp	false		high
https://api.ipify.org%	tLes2JdtRw.exe, 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	tLes2JdtRw.exe, 00000000.00000002.657948952.0000000003BE9000.00000004.00000001.sdmp, tLes2JdtRw.exe, 00000003.00000002.906500988.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	tLes2JdtRw.exe, 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.91.199.223	us2.smtp.mailhostbox.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	412499
Start date:	12.05.2021
Start time:	18:30:34
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	tLes2JdtRw.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0.1%) Quality average: 52.3% Quality standard deviation: 9.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 106 Number of non-executed functions: 16
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Excluded IPs from analysis (whitelisted): 13.107.246.254, 104.43.139.144, 92.122.145.220, 104.43.193.48, 20.49.157.6, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 20.50.102.62 Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, skypedataprdcolcus16.cloudapp.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, t-ring.msedge.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, skypedataprdcolcus15.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, t-ring.t-9999.t-msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:31:22	API Interceptor	752x Sleep call for process: tLes2JdtRw.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
208.91.199.223	NEW PI#001890576.exe	Get hash	malicious	Browse
	B5Cg5YZIzp.exe	Get hash	malicious	Browse
	Quotation..exe	Get hash	malicious	Browse
	RFQ-Quotation..exe	Get hash	malicious	Browse
	purchase order.exe	Get hash	malicious	Browse
	presupuesto.xlsx	Get hash	malicious	Browse
	Product Range #2828915.exe	Get hash	malicious	Browse
	payment.exe	Get hash	malicious	Browse
	LM Approved Invoices 06052021.doc	Get hash	malicious	Browse
	DHL 46773482551423.exe	Get hash	malicious	Browse
	jkj.exe	Get hash	malicious	Browse
	Mlj6rE49Bf.exe	Get hash	malicious	Browse
	DHL Shipment Delivery Notification.exe	Get hash	malicious	Browse
	QuoteXrequestX-DAX31312.exe	Get hash	malicious	Browse
	LM Approved Invoice-03-05-2021.doc	Get hash	malicious	Browse
	razi.exe	Get hash	malicious	Browse
	Project Enquiry - KHI To LSG.exe	Get hash	malicious	Browse
	LM Approved Invoice-02-05-2021.doc	Get hash	malicious	Browse
	KJ29joA7RS.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.624.32220.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
us2.smtp.mailhostbox.com	SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Get hash	malicious	Browse	208.91.199.224
	presupuesto.xlsx	Get hash	malicious	Browse	208.91.199.225
	shipping docs and BL_pdf.exe	Get hash	malicious	Browse	208.91.198.143
	PDF.9066721066.exe	Get hash	malicious	Browse	208.91.199.224
	Payment Advice Note from 10.05.2021 to 608760.exe	Get hash	malicious	Browse	208.91.199.224
	RFQ-20283H.exe	Get hash	malicious	Browse	208.91.198.143
	BTC-2021.exe	Get hash	malicious	Browse	208.91.199.225
	Copia de pago.exe	Get hash	malicious	Browse	208.91.199.225
	NEW PI#001890576.exe	Get hash	malicious	Browse	208.91.199.223
	PO 4500379537.exe	Get hash	malicious	Browse	208.91.199.225
	B5Cg5YZIzp.exe	Get hash	malicious	Browse	208.91.199.223
	PO 2345566 hisob-faktura.exe	Get hash	malicious	Browse	208.91.198.143
	Quotation..exe	Get hash	malicious	Browse	208.91.199.223
	RFQ-Quotation..exe	Get hash	malicious	Browse	208.91.198.143
	Quotation.exe	Get hash	malicious	Browse	208.91.199.224
	QUOTATION ORDER.exe	Get hash	malicious	Browse	208.91.199.224
	purchase order.exe	Get hash	malicious	Browse	208.91.199.223
	RFQ_SGCCUP_24 590 34 532 -11052021.exe	Get hash	malicious	Browse	208.91.198.143
	Request Sample products.exe	Get hash	malicious	Browse	208.91.198.143
	QTY-3322.exe	Get hash	malicious	Browse	208.91.198.143

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	SecuriteInfo.com.Malware.AI.4228845530.13946.exe	Get hash	malicious	Browse	208.91.199.224
	Letter of Demand.doc	Get hash	malicious	Browse	103.21.59.173
	7b4NmGxyY2.exe	Get hash	malicious	Browse	162.215.241.145
	catalog-1908475637.xls	Get hash	malicious	Browse	199.79.62.12
	catalog-1908475637.xls	Get hash	malicious	Browse	199.79.62.12
	INV74321.exe	Get hash	malicious	Browse	119.18.54.126
	NAVTECO_R1_10_05_2021,pdf.exe	Get hash	malicious	Browse	116.206.104.92
	#10052021.exe	Get hash	malicious	Browse	116.206.104.66
	shipping docs and BL_pdf.exe	Get hash	malicious	Browse	208.91.198.143
	PDF.9066721066.exe	Get hash	malicious	Browse	208.91.199.224
	Payment Advice Note from 10.05.2021 to 608760.exe	Get hash	malicious	Browse	208.91.199.224
	551f47ac_by_Libranalysis.xlsm	Get hash	malicious	Browse	162.222.225.153
	551f47ac_by_Libranalysis.xlsm	Get hash	malicious	Browse	162.222.225.153
	export of document 555091.xlsm	Get hash	malicious	Browse	103.21.58.29
	RFQ-20283H.exe	Get hash	malicious	Browse	208.91.198.143
	BTC-2021.exe	Get hash	malicious	Browse	208.91.199.225
	invoice 85046.xlsm	Get hash	malicious	Browse	103.21.58.29
	copy of invoice 4347.xlsm	Get hash	malicious	Browse	103.21.58.29
	Copia de pago.exe	Get hash	malicious	Browse	208.91.199.225
	NEW PI#001890576.exe	Get hash	malicious	Browse	208.91.199.223

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tLes2JdtRw.exe.log Download File
Process:	C:\Users\user\Desktop\tLes2JdtRw.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.368651744936592
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	tLes2JdtRw.exe
File size:	828928
MD5:	2edb5a087966f25f972506500a48c9f3
SHA1:	ba38e69ebe87da9e49d45b2b291ee3024f8bd743
SHA256:	1b80ed1165b46b410fbc236e2e19baa9e0d71b6992a41e5d30b7d70670bb2c08
SHA512:	eb8a0301460513ad00e37642be99925b0626533d38587275ba7f2fb3366d23f73c68a5b2637b7036635d0496f854d29ebaf8ef6d4f984ce959668bff0b14f015
SSDEEP:	12288:WAXCx2Kb/B3bxRp1fjOfzLDiX8Sv++7YlAhoLWDWZH:W9zZmDJS2bGh/WZH
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.................. ... ....@.. ....................................@................................

File Icon


Icon Hash:	8a8ccae6e0fcc4aa

Static PE Info

General
Entrypoint:	0x4b0ec2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x609BDA1B [Wed May 12 13:37:31 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb0e70	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x1b0b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xce000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaeec8	0xaf000	False	0.804772600446	data	7.64323527692	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x1b0b0	0x1b200	False	0.12309187788	data	3.50745189553	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xce000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xb2220	0x1b5f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xb3d80	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xc45a8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0xc87d0	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0xcad78	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0xcbe20	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xcc288	0x5a	data
RT_VERSION	0xcc2e4	0x39c	data
RT_MANIFEST	0xcc680	0xa2e	XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2020
Assembly Version	1.0.0.0
InternalName	BindableVectorToListAdapter.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	LibraryManagementSystem
ProductVersion	1.0.0.0
FileDescription	LibraryManagementSystem
OriginalFilename	BindableVectorToListAdapter.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/12/21-18:33:11.558436	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49768	587	192.168.2.4	208.91.199.223

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 18:33:09.733745098 CEST	49768	587	192.168.2.4	208.91.199.223
May 12, 2021 18:33:09.904205084 CEST	587	49768	208.91.199.223	192.168.2.4
May 12, 2021 18:33:09.904330015 CEST	49768	587	192.168.2.4	208.91.199.223
May 12, 2021 18:33:10.523529053 CEST	587	49768	208.91.199.223	192.168.2.4
May 12, 2021 18:33:10.523992062 CEST	49768	587	192.168.2.4	208.91.199.223
May 12, 2021 18:33:10.692286015 CEST	587	49768	208.91.199.223	192.168.2.4
May 12, 2021 18:33:10.692349911 CEST	587	49768	208.91.199.223	192.168.2.4
May 12, 2021 18:33:10.697154999 CEST	49768	587	192.168.2.4	208.91.199.223
May 12, 2021 18:33:10.866780043 CEST	587	49768	208.91.199.223	192.168.2.4
May 12, 2021 18:33:10.868251085 CEST	49768	587	192.168.2.4	208.91.199.223
May 12, 2021 18:33:11.038870096 CEST	587	49768	208.91.199.223	192.168.2.4
May 12, 2021 18:33:11.039875031 CEST	49768	587	192.168.2.4	208.91.199.223
May 12, 2021 18:33:11.209472895 CEST	587	49768	208.91.199.223	192.168.2.4
May 12, 2021 18:33:11.209925890 CEST	49768	587	192.168.2.4	208.91.199.223
May 12, 2021 18:33:11.387448072 CEST	587	49768	208.91.199.223	192.168.2.4
May 12, 2021 18:33:11.387923956 CEST	49768	587	192.168.2.4	208.91.199.223
May 12, 2021 18:33:11.556490898 CEST	587	49768	208.91.199.223	192.168.2.4
May 12, 2021 18:33:11.558435917 CEST	49768	587	192.168.2.4	208.91.199.223
May 12, 2021 18:33:11.558599949 CEST	49768	587	192.168.2.4	208.91.199.223
May 12, 2021 18:33:11.559396982 CEST	49768	587	192.168.2.4	208.91.199.223
May 12, 2021 18:33:11.559489012 CEST	49768	587	192.168.2.4	208.91.199.223
May 12, 2021 18:33:11.726953030 CEST	587	49768	208.91.199.223	192.168.2.4
May 12, 2021 18:33:11.727773905 CEST	587	49768	208.91.199.223	192.168.2.4
May 12, 2021 18:33:11.825989008 CEST	587	49768	208.91.199.223	192.168.2.4
May 12, 2021 18:33:11.877177000 CEST	49768	587	192.168.2.4	208.91.199.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 18:31:13.000648022 CEST	62389	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:13.052093029 CEST	53	62389	8.8.8.8	192.168.2.4
May 12, 2021 18:31:14.486854076 CEST	49910	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:14.538635015 CEST	53	49910	8.8.8.8	192.168.2.4
May 12, 2021 18:31:15.216005087 CEST	55854	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:15.278109074 CEST	53	55854	8.8.8.8	192.168.2.4
May 12, 2021 18:31:15.397133112 CEST	64549	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:15.448967934 CEST	53	64549	8.8.8.8	192.168.2.4
May 12, 2021 18:31:16.270628929 CEST	63153	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:16.319526911 CEST	53	63153	8.8.8.8	192.168.2.4
May 12, 2021 18:31:17.844137907 CEST	52991	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:17.892843008 CEST	53	52991	8.8.8.8	192.168.2.4
May 12, 2021 18:31:19.222548962 CEST	53700	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:19.272584915 CEST	53	53700	8.8.8.8	192.168.2.4
May 12, 2021 18:31:20.249919891 CEST	51726	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:20.299088955 CEST	53	51726	8.8.8.8	192.168.2.4
May 12, 2021 18:31:22.778238058 CEST	56794	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:22.827513933 CEST	53	56794	8.8.8.8	192.168.2.4
May 12, 2021 18:31:23.703378916 CEST	56534	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:23.754858017 CEST	53	56534	8.8.8.8	192.168.2.4
May 12, 2021 18:31:25.823679924 CEST	56627	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:25.874551058 CEST	53	56627	8.8.8.8	192.168.2.4
May 12, 2021 18:31:26.894315958 CEST	56621	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:26.944556952 CEST	53	56621	8.8.8.8	192.168.2.4
May 12, 2021 18:31:27.849112034 CEST	63116	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:27.902183056 CEST	53	63116	8.8.8.8	192.168.2.4
May 12, 2021 18:31:28.794675112 CEST	64078	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:28.843360901 CEST	53	64078	8.8.8.8	192.168.2.4
May 12, 2021 18:31:29.733302116 CEST	64801	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:29.782136917 CEST	53	64801	8.8.8.8	192.168.2.4
May 12, 2021 18:31:31.093420029 CEST	61721	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:31.142330885 CEST	53	61721	8.8.8.8	192.168.2.4
May 12, 2021 18:31:32.038659096 CEST	51255	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:32.091114998 CEST	53	51255	8.8.8.8	192.168.2.4
May 12, 2021 18:31:33.692508936 CEST	61522	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:33.744218111 CEST	53	61522	8.8.8.8	192.168.2.4
May 12, 2021 18:31:35.016109943 CEST	52337	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:35.067823887 CEST	53	52337	8.8.8.8	192.168.2.4
May 12, 2021 18:31:37.920304060 CEST	55046	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:37.969316006 CEST	53	55046	8.8.8.8	192.168.2.4
May 12, 2021 18:31:38.938080072 CEST	49612	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:38.987049103 CEST	53	49612	8.8.8.8	192.168.2.4
May 12, 2021 18:31:44.021934032 CEST	49285	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:44.095408916 CEST	53	49285	8.8.8.8	192.168.2.4
May 12, 2021 18:31:48.082925081 CEST	50601	53	192.168.2.4	8.8.8.8
May 12, 2021 18:31:48.141783953 CEST	53	50601	8.8.8.8	192.168.2.4
May 12, 2021 18:32:03.870563984 CEST	60875	53	192.168.2.4	8.8.8.8
May 12, 2021 18:32:03.974404097 CEST	53	60875	8.8.8.8	192.168.2.4
May 12, 2021 18:32:04.692900896 CEST	56448	53	192.168.2.4	8.8.8.8
May 12, 2021 18:32:04.750056982 CEST	53	56448	8.8.8.8	192.168.2.4
May 12, 2021 18:32:05.352232933 CEST	59172	53	192.168.2.4	8.8.8.8
May 12, 2021 18:32:05.532748938 CEST	53	59172	8.8.8.8	192.168.2.4
May 12, 2021 18:32:05.651247025 CEST	62420	53	192.168.2.4	8.8.8.8
May 12, 2021 18:32:05.725193977 CEST	53	62420	8.8.8.8	192.168.2.4
May 12, 2021 18:32:06.051594973 CEST	60579	53	192.168.2.4	8.8.8.8
May 12, 2021 18:32:06.103178978 CEST	53	60579	8.8.8.8	192.168.2.4
May 12, 2021 18:32:06.680185080 CEST	50183	53	192.168.2.4	8.8.8.8
May 12, 2021 18:32:06.742635012 CEST	53	50183	8.8.8.8	192.168.2.4
May 12, 2021 18:32:07.410607100 CEST	61531	53	192.168.2.4	8.8.8.8
May 12, 2021 18:32:07.462007046 CEST	53	61531	8.8.8.8	192.168.2.4
May 12, 2021 18:32:07.946609974 CEST	49228	53	192.168.2.4	8.8.8.8
May 12, 2021 18:32:08.003762007 CEST	53	49228	8.8.8.8	192.168.2.4
May 12, 2021 18:32:08.786604881 CEST	59794	53	192.168.2.4	8.8.8.8
May 12, 2021 18:32:08.844605923 CEST	53	59794	8.8.8.8	192.168.2.4
May 12, 2021 18:32:10.254878998 CEST	55916	53	192.168.2.4	8.8.8.8
May 12, 2021 18:32:10.313143015 CEST	53	55916	8.8.8.8	192.168.2.4
May 12, 2021 18:32:10.788036108 CEST	52752	53	192.168.2.4	8.8.8.8
May 12, 2021 18:32:10.847855091 CEST	53	52752	8.8.8.8	192.168.2.4
May 12, 2021 18:32:20.709436893 CEST	60542	53	192.168.2.4	8.8.8.8
May 12, 2021 18:32:20.770606041 CEST	53	60542	8.8.8.8	192.168.2.4
May 12, 2021 18:32:53.786892891 CEST	60689	53	192.168.2.4	8.8.8.8
May 12, 2021 18:32:53.844396114 CEST	53	60689	8.8.8.8	192.168.2.4
May 12, 2021 18:33:09.211232901 CEST	64206	53	192.168.2.4	8.8.8.8
May 12, 2021 18:33:09.402455091 CEST	53	64206	8.8.8.8	192.168.2.4
May 12, 2021 18:33:09.431077957 CEST	50904	53	192.168.2.4	8.8.8.8
May 12, 2021 18:33:09.615881920 CEST	53	50904	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 18:33:09.211232901 CEST	192.168.2.4	8.8.8.8	0xd25b	Standard query (0)	smtp.kaeiser.com	A (IP address)	IN (0x0001)
May 12, 2021 18:33:09.431077957 CEST	192.168.2.4	8.8.8.8	0x40e6	Standard query (0)	smtp.kaeiser.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 12, 2021 18:33:09.402455091 CEST	8.8.8.8	192.168.2.4	0xd25b	No error (0)	smtp.kaeiser.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 18:33:09.402455091 CEST	8.8.8.8	192.168.2.4	0xd25b	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)
May 12, 2021 18:33:09.402455091 CEST	8.8.8.8	192.168.2.4	0xd25b	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
May 12, 2021 18:33:09.402455091 CEST	8.8.8.8	192.168.2.4	0xd25b	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)
May 12, 2021 18:33:09.402455091 CEST	8.8.8.8	192.168.2.4	0xd25b	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)
May 12, 2021 18:33:09.615881920 CEST	8.8.8.8	192.168.2.4	0x40e6	No error (0)	smtp.kaeiser.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 18:33:09.615881920 CEST	8.8.8.8	192.168.2.4	0x40e6	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)
May 12, 2021 18:33:09.615881920 CEST	8.8.8.8	192.168.2.4	0x40e6	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)
May 12, 2021 18:33:09.615881920 CEST	8.8.8.8	192.168.2.4	0x40e6	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)
May 12, 2021 18:33:09.615881920 CEST	8.8.8.8	192.168.2.4	0x40e6	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 12, 2021 18:33:10.523529053 CEST	587	49768	208.91.199.223	192.168.2.4	220 us2.outbound.mailhostbox.com ESMTP Postfix
May 12, 2021 18:33:10.523992062 CEST	49768	587	192.168.2.4	208.91.199.223	EHLO 928100
May 12, 2021 18:33:10.692349911 CEST	587	49768	208.91.199.223	192.168.2.4	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
May 12, 2021 18:33:10.697154999 CEST	49768	587	192.168.2.4	208.91.199.223	AUTH login c2VyZ2lvLmFycm95b0BrYWVpc2VyLmNvbQ==
May 12, 2021 18:33:10.866780043 CEST	587	49768	208.91.199.223	192.168.2.4	334 UGFzc3dvcmQ6
May 12, 2021 18:33:11.038870096 CEST	587	49768	208.91.199.223	192.168.2.4	235 2.7.0 Authentication successful
May 12, 2021 18:33:11.039875031 CEST	49768	587	192.168.2.4	208.91.199.223	MAIL FROM:<sergio.arroyo@kaeiser.com>
May 12, 2021 18:33:11.209472895 CEST	587	49768	208.91.199.223	192.168.2.4	250 2.1.0 Ok
May 12, 2021 18:33:11.209925890 CEST	49768	587	192.168.2.4	208.91.199.223	RCPT TO:<sergio.arroyo@kaeiser.com>
May 12, 2021 18:33:11.387448072 CEST	587	49768	208.91.199.223	192.168.2.4	250 2.1.5 Ok
May 12, 2021 18:33:11.387923956 CEST	49768	587	192.168.2.4	208.91.199.223	DATA
May 12, 2021 18:33:11.556490898 CEST	587	49768	208.91.199.223	192.168.2.4	354 End data with <CR><LF>.<CR><LF>
May 12, 2021 18:33:11.559489012 CEST	49768	587	192.168.2.4	208.91.199.223	.
May 12, 2021 18:33:11.825989008 CEST	587	49768	208.91.199.223	192.168.2.4	250 2.0.0 Ok: queued as 4DA4BD7A5E

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: tLes2JdtRw.exe PID: 6888 Parent PID: 5844

General

Start time:	18:31:19
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\tLes2JdtRw.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\tLes2JdtRw.exe'
Imagebase:	0x7a0000
File size:	828928 bytes
MD5 hash:	2EDB5A087966F25F972506500A48C9F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.656178946.0000000002C25000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.657948952.0000000003BE9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.657948952.0000000003BE9000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: tLes2JdtRw.exe PID: 7072 Parent PID: 6888

General

Start time:	18:31:25
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\tLes2JdtRw.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\tLes2JdtRw.exe
Imagebase:	0xc50000
File size:	828928 bytes
MD5 hash:	2EDB5A087966F25F972506500A48C9F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.906500988.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.906500988.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.908393469.0000000003121000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: tLes2JdtRw.exe PID: 6888 Parent PID: 5844 tLes2JdtRw.exeCOMMON

Executed Functions

Function 011E6A49, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada9650e704bf39710b0dbd586e282376b5cc65cdc965c49b836e39e7dc2e22d
Instruction ID: d650ffa2ec8309f3dfcad8ac0a1b9e66df30ee92f70e2893cf14356811ba7670
Opcode Fuzzy Hash: ada9650e704bf39710b0dbd586e282376b5cc65cdc965c49b836e39e7dc2e22d
Instruction Fuzzy Hash: A3F1DE71B00B448FEB29DBB9C464BAEBBF6AF98704F5480ADD146CB290CB35D905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 011E41DF, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804e6234c0db8ff806b43a7fc6624375753c20d31c2a78dec275ed0c69717005
Instruction ID: 278382aa9dcdbbf97aaa876e342335ef08cf2a4cc22410b45feded0d13865b64
Opcode Fuzzy Hash: 804e6234c0db8ff806b43a7fc6624375753c20d31c2a78dec275ed0c69717005
Instruction Fuzzy Hash: EB512874E0462ACFDB68CFA5C844BDDBBB2FB89304F1086EAD519A7604E7705AC58F44

Uniqueness

Uniqueness Score: -1.00%

Function 011E6319, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10b8c634274b6b1e99f011c63f5e390f141921ac9067df2045a6753526f3a2f
Instruction ID: 80194d38f86e51adc31a96add5bb513e206fd8d3be0365215f1055c45e8b5b8d
Opcode Fuzzy Hash: d10b8c634274b6b1e99f011c63f5e390f141921ac9067df2045a6753526f3a2f
Instruction Fuzzy Hash: 41115A31D082188FDB198FA4D4087EDBBF0BB0E311F585569D109B7280C7788A44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 011E6328, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113a20c3e5406769a8809848148a118b4f4b34af52acb58e2b6f24e257ca835d
Instruction ID: e5b012f22d7962e29bca0092b2e77ffec88cb604344e5089dc8f1baa2a57c5dc
Opcode Fuzzy Hash: 113a20c3e5406769a8809848148a118b4f4b34af52acb58e2b6f24e257ca835d
Instruction Fuzzy Hash: 8A113C30D086188FDB18CFA9D4187EEBFF1BB4E311F54946AD119B3291C7785944CB69

Uniqueness

Uniqueness Score: -1.00%

Function 011E63DC, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1cfebd895034d65b46f782a1325415464eeacb7c3be606be5da08fd25e34e95
Instruction ID: 51e5e4ff390051822ef3be2de5c27b38c5a75ce0a576f5b3c3a75b6d4b60c616
Opcode Fuzzy Hash: c1cfebd895034d65b46f782a1325415464eeacb7c3be606be5da08fd25e34e95
Instruction Fuzzy Hash: EBE068A1C8C6958FC7094FE08C582BABFF0AB2B301F544489C042F7152C7A8810AC722

Uniqueness

Uniqueness Score: -1.00%

Function 02B76B88, Relevance: 6.1, APIs: 4, Instructions: 125threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02B76BF8
GetCurrentThread.KERNEL32 ref: 02B76C35
GetCurrentProcess.KERNEL32 ref: 02B76C72
GetCurrentThreadId.KERNEL32 ref: 02B76CCB

Memory Dump Source

Source File: 00000000.00000002.655713416.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f20dea5fe26d41606931e96a4d10188f5f759071cbe741940563c3895e20b940
Instruction ID: e8e9d0aee5a470d428e0754809a3cf7e7125b3955b401ff3def4b41b30fd9b84
Opcode Fuzzy Hash: f20dea5fe26d41606931e96a4d10188f5f759071cbe741940563c3895e20b940
Instruction Fuzzy Hash: FB5156B09006498FDB14CFA9CA88B9EBBF4FF49314F2084A9E419A7350D7745944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02B76B98, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02B76BF8
GetCurrentThread.KERNEL32 ref: 02B76C35
GetCurrentProcess.KERNEL32 ref: 02B76C72
GetCurrentThreadId.KERNEL32 ref: 02B76CCB

Memory Dump Source

Source File: 00000000.00000002.655713416.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7a05ab0260737e3be30b2f5a970135e4f1c4d86b9342bd81e759f533f8945989
Instruction ID: 1b71c99aff6864814adff930d21405729c801680b5432ba80b81f31b3f39b89a
Opcode Fuzzy Hash: 7a05ab0260737e3be30b2f5a970135e4f1c4d86b9342bd81e759f533f8945989
Instruction Fuzzy Hash: 795144B09006498FDB14CFA9D6887DEBBF4FF49318F2084A9E429A7350D7746944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 011E2A34, Relevance: 1.7, APIs: 1, Instructions: 248processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 011E2C76

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d2610c7325e2b417071b9a51a07aa8d7f2d32a4507ae446bb733e9dd08d610c9
Instruction ID: 915c66b2280e13f05d41aa0a733d26a3052e97e7b2ac28947a21a19806b8c9e9
Opcode Fuzzy Hash: d2610c7325e2b417071b9a51a07aa8d7f2d32a4507ae446bb733e9dd08d610c9
Instruction Fuzzy Hash: 9AA17A71D00619CFEF28CFA8C895BEDBBF6BB48314F048169D909A7240DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 011E2A40, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 011E2C76

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 27879e9502fc27a8f84ed84cb62519f7c4f41ca272b6e98c0ce2280917db03fc
Instruction ID: c688db70d3c0c44bff2f6677e962351c9456433d2d1eebd756c4940448533716
Opcode Fuzzy Hash: 27879e9502fc27a8f84ed84cb62519f7c4f41ca272b6e98c0ce2280917db03fc
Instruction Fuzzy Hash: 33915971D00619CFEF28CFA8C895BEDBBF6BB48314F048569D909A7240DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B7BBB8, Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B7BE0E

Memory Dump Source

Source File: 00000000.00000002.655713416.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a45cda92ed4e7b1034fe7d270cf0db344a59ddf9742068ae7a22ca6c1e4db34a
Instruction ID: 47db5fdb708b7bddc429af442096eaa976c90cf94ca63f72969a55f7b56d9b89
Opcode Fuzzy Hash: a45cda92ed4e7b1034fe7d270cf0db344a59ddf9742068ae7a22ca6c1e4db34a
Instruction Fuzzy Hash: 58712271A00B059FDB24DF2AC54079AB7F1FF88308F008A69E596DBB40DB75E9468F91

Uniqueness

Uniqueness Score: -1.00%

Function 02B7DC6D, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B7DD8A

Memory Dump Source

Source File: 00000000.00000002.655713416.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5ab49368f3aab44b3d086eb2a7a49e7ca192ef1f110b09400cf6f176e240cd57
Instruction ID: 273673dad9cca5fbf756939cd770a2c077cbee45523f5017f494856aa64a97a8
Opcode Fuzzy Hash: 5ab49368f3aab44b3d086eb2a7a49e7ca192ef1f110b09400cf6f176e240cd57
Instruction Fuzzy Hash: 8351CEB1D00309AFDF14CF99C884ADEBBB5FF49354F64816AE819AB210D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B7DC78, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B7DD8A

Memory Dump Source

Source File: 00000000.00000002.655713416.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c21f9c8324a72e32a1180fef98e18cb4d9e48ae8669474f955c878b41bb04580
Instruction ID: e93497198b4a77a75e91ffe53d978dd962e78b71f661d31eccaf4dca41102b7f
Opcode Fuzzy Hash: c21f9c8324a72e32a1180fef98e18cb4d9e48ae8669474f955c878b41bb04580
Instruction Fuzzy Hash: F941DEB1D00309DFDB14CFA9C884ADEBBB5FF88314F64812AE819AB210D7709845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B76D49, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B76E47

Memory Dump Source

Source File: 00000000.00000002.655713416.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d6f71c39055cee7110c0f9fce18c87bc59b71e9c007c1d3cf019cd83b138a973
Instruction ID: e2db36d1bfb573a87f7d0c239fbcf0a6f8ad50a6b51dcc7fa494c37b766c84c6
Opcode Fuzzy Hash: d6f71c39055cee7110c0f9fce18c87bc59b71e9c007c1d3cf019cd83b138a973
Instruction Fuzzy Hash: 8F412776900258AFCB01CF99D844ADEBFF9EB49314F14806AFA14A7351C375A954DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 011E26B2, Relevance: 1.6, APIs: 1, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 011E2766

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 10237c845a2b01333363c5d5fab9a68c4f8c10addc1f84d97d2319d69fc34511
Instruction ID: f1a118bbfa37a9c4d6537dcc6e30147eae614370b589806977c79a6430db0b72
Opcode Fuzzy Hash: 10237c845a2b01333363c5d5fab9a68c4f8c10addc1f84d97d2319d69fc34511
Instruction Fuzzy Hash: 2431A9718053489FCB06CFA5C844AEEBFF0FF49324F41856AE414A6621C33A8A54CF90

Uniqueness

Uniqueness Score: -1.00%

Function 011E27B0, Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 011E2848

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c8014d56495ae96449f9e253d1bd832997fa8d946ef1bcb85130e17aea4eb09b
Instruction ID: 33485c66652c84a298a403029bd50ae1212d5815eccc3006900b3c37c6d3e098
Opcode Fuzzy Hash: c8014d56495ae96449f9e253d1bd832997fa8d946ef1bcb85130e17aea4eb09b
Instruction Fuzzy Hash: D62139759003198FCB00CFA9C9847EEBBF5FF48314F448429E919A7640C7789555CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011E27B8, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 011E2848

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d8a9c5c731e30c8289482e6c3b9c14ad6d6ac9cdc73dc6623ca1ce1977f16b81
Instruction ID: 69124b9e1fa015117ac0142244d4695d279a9399cddca326b5a100ad30437298
Opcode Fuzzy Hash: d8a9c5c731e30c8289482e6c3b9c14ad6d6ac9cdc73dc6623ca1ce1977f16b81
Instruction Fuzzy Hash: 432124719003199FCB00CFA9C884BDEBBF5FF48324F50842AEA19A7240C778A955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011E28A0, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 011E2928

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9430cb000d14da6845c7166d9491ec0ccd7131e7666166348d3b4accf240da9f
Instruction ID: 3de4f59d177947a4558ab2adae5ee4cc3a21091f512cfd0f7ce44c0cb823db59
Opcode Fuzzy Hash: 9430cb000d14da6845c7166d9491ec0ccd7131e7666166348d3b4accf240da9f
Instruction Fuzzy Hash: 972134B29002199FCB10CFA9C8847EEBBF5FF48320F51842AE918B7640D7789955CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B76DB8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B76E47

Memory Dump Source

Source File: 00000000.00000002.655713416.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 567b902919ff9324ee9daa1155f3f68ac910a30c679218feba10e54bfd57eeb3
Instruction ID: 52014a94696cc1a9eecc18b1e331ccc7dd10afdb3037d5e76fd309ec15cb71af
Opcode Fuzzy Hash: 567b902919ff9324ee9daa1155f3f68ac910a30c679218feba10e54bfd57eeb3
Instruction Fuzzy Hash: 8721D2B69002089FDB10CFAAD984ADEBBF8FB48324F14845AE914A7350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011E2000, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 011E207E

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: b474f3d651f5974fec1519781a8668e5acda31e2226f17c45915f93ae5d001e2
Instruction ID: 0a961e8c288a1fc79378e213c3c06b54f0d55a9c9bb6314e50a460548c784c7f
Opcode Fuzzy Hash: b474f3d651f5974fec1519781a8668e5acda31e2226f17c45915f93ae5d001e2
Instruction Fuzzy Hash: A62107719002098FDB14DFAAC4847EEBBF5AB48224F548429D559A7240CB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011E28A8, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 011E2928

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d5c46b6d1da5fbd14cd4729135240319bc96d8a731ea7918a1c08513ee39dfe6
Instruction ID: 521b463ae237347021488531702da91e77bac3b8c32a2844669fc2bb3bf664e8
Opcode Fuzzy Hash: d5c46b6d1da5fbd14cd4729135240319bc96d8a731ea7918a1c08513ee39dfe6
Instruction Fuzzy Hash: DB2128719002199FCB00CFA9C8847DEBBF5FF48314F508429E959A7240D7789955CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011E1FF9, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 011E207E

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 2f57600499dc4151bcb8742fe393000df8341965c18e6125a5205e12c4480c5b
Instruction ID: 9290317490e7c317ea87255073b7e29467d1e3ac04433c349cb904d20c10b163
Opcode Fuzzy Hash: 2f57600499dc4151bcb8742fe393000df8341965c18e6125a5205e12c4480c5b
Instruction Fuzzy Hash: 792135719002098FDB14CFA9C4887EEBBF5AF88324F54C42AD559B7340CB78A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B76DC0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B76E47

Memory Dump Source

Source File: 00000000.00000002.655713416.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 08a1851754cda5b576e502739b8ed03d2b9622254cc98db9373ce0eac19535f6
Instruction ID: d9104f2144563a668d741a0cb2ffe0f6e0a28aed51d9d4ac8c3f52a574aed4a4
Opcode Fuzzy Hash: 08a1851754cda5b576e502739b8ed03d2b9622254cc98db9373ce0eac19535f6
Instruction Fuzzy Hash: 4521C2B59002089FDB10CFAAD984ADEBBF8FB49324F14846AE914B3310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B7AFC0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B7BE89,00000800,00000000,00000000), ref: 02B7C09A

Memory Dump Source

Source File: 00000000.00000002.655713416.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 64ac5d1870fd0f144c7f4297dd44abf696bd9e445a73e98aa1b5426c27a43871
Instruction ID: 026fbd9476a82e01c7c170983628dda61a72b6028ff7b3f071fdb424effa3282
Opcode Fuzzy Hash: 64ac5d1870fd0f144c7f4297dd44abf696bd9e445a73e98aa1b5426c27a43871
Instruction Fuzzy Hash: 5311D3B69002099FCB10CF9AD444BDEFBF4EB49364F14846EE925B7600C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011E26F8, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 011E2766

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6404f054331b8b2a589a76b197d1ba27565c19dea00b6b6ea80e443f40f26630
Instruction ID: 4b477f72d5c208dd4a001e1ae46d4afc6f0071e50c2662c49ab0863e66de7590
Opcode Fuzzy Hash: 6404f054331b8b2a589a76b197d1ba27565c19dea00b6b6ea80e443f40f26630
Instruction Fuzzy Hash: 6F1137729002089FCF14DFA9C8487DFBBF9EF48324F148429E615A7250C775A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B7C028, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B7BE89,00000800,00000000,00000000), ref: 02B7C09A

Memory Dump Source

Source File: 00000000.00000002.655713416.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2dd3708f4f9d7666ba35297b16bd398b3aab02db3903d86f20574ba61ec7d316
Instruction ID: 6d3f61429e10b89c0443e688541310dead3da0ef770e1920ba326d6ba656d989
Opcode Fuzzy Hash: 2dd3708f4f9d7666ba35297b16bd398b3aab02db3903d86f20574ba61ec7d316
Instruction Fuzzy Hash: C111F2B69002098FCB10CF99C544BDEFBF4AB48314F14856ED925B7600C375A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011E7430, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 011E7490

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9999e29b815ede015b8e5c4ce5347479ac755a7b0f48f4629005d15a81f348af
Instruction ID: 7fc7ed0585372a569714ee2f236c488a94b5bc7adec737479478dde8175356fb
Opcode Fuzzy Hash: 9999e29b815ede015b8e5c4ce5347479ac755a7b0f48f4629005d15a81f348af
Instruction Fuzzy Hash: 871136B68006098FDB10DF99D589BDEBBF0EB48324F14842AD559B7740D378A689CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011E1F50, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 011E1FB2

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b881edcc23cf54e04f2939ab17a181f0157d869c12eed00173a94eccce20260c
Instruction ID: 77d88c005bd6dc4af575a260edbb1e771a42fe1fb439ef18ecf86ef63f7adebf
Opcode Fuzzy Hash: b881edcc23cf54e04f2939ab17a181f0157d869c12eed00173a94eccce20260c
Instruction Fuzzy Hash: 731136B19042488FCB14DFAAC4487DEFBF4AB88224F158429D519B7340C779A949CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 011E1F49, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 011E1FB2

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 49a1901e118030d524d803aa4069ccbfd628ff4590837f545745883437331f27
Instruction ID: 7ba39ff04860ee6bb13efefdb9eb77e49aef2c448d69274c807376c18e5ce1d7
Opcode Fuzzy Hash: 49a1901e118030d524d803aa4069ccbfd628ff4590837f545745883437331f27
Instruction Fuzzy Hash: F51136B19002488FCF14DFA9C5487DEFBF5AB88324F15842AD519B7740CB78A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B7BDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B7BE0E

Memory Dump Source

Source File: 00000000.00000002.655713416.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6597abedbf3d5ad062fcb8e6e2f29bc37e77dcac59a6392e8922dc2a25fdb897
Instruction ID: e0d8bd4b5cb8a9732e0d6c97a11b0642a55120517d29b1157ea8797119e3d3ae
Opcode Fuzzy Hash: 6597abedbf3d5ad062fcb8e6e2f29bc37e77dcac59a6392e8922dc2a25fdb897
Instruction Fuzzy Hash: E211DFB6D006498FCB10CF9AC444BDEFBF4EB89328F14846AD929A7700C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011E7438, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 011E7490

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bf6cdd0fdd9b7271b351da68e9e6b3dab48968d0eb9f03a95af96949cd05ab78
Instruction ID: 6d468e49deb2f12dc8987f171a93114feb0e9db3d45cea3b3c0538f20584931f
Opcode Fuzzy Hash: bf6cdd0fdd9b7271b351da68e9e6b3dab48968d0eb9f03a95af96949cd05ab78
Instruction Fuzzy Hash: C21115B28006098FDB10DF99C489BDEBBF4FB48324F14842AD959B7740D778A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011E5909, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 011E596D

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ed26c40811d3d44f6c3630a5fc67424e509d2fa2fc0c3fc3bf0e93646a4bb206
Instruction ID: d3df5e25de1be1f09d3c8241c22aa8a4058b9907fdd7613540daf364aa111cd0
Opcode Fuzzy Hash: ed26c40811d3d44f6c3630a5fc67424e509d2fa2fc0c3fc3bf0e93646a4bb206
Instruction Fuzzy Hash: 0111F2B58003498FDB50CF99D488BEEFBF4FB49324F14841AE554A7600D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B7DEC0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02B7DF1D

Memory Dump Source

Source File: 00000000.00000002.655713416.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 7761ca173c5dc3f76d31a11af658424c829b451011e0a3250c651f294a4ea1f6
Instruction ID: d2e8002958796a2934fca80f49f518984b783c703fd2b5ac074b9fdde78d0773
Opcode Fuzzy Hash: 7761ca173c5dc3f76d31a11af658424c829b451011e0a3250c651f294a4ea1f6
Instruction Fuzzy Hash: 3511D0B69002099FDB10DF99D589BDEBBF8EB49324F10845AE925A7700C3B5A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011E5910, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 011E596D

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d49358a5fe5d1fdae3dcaeac0e352e986d5487dfd0509437d9c56ed45e9dbb97
Instruction ID: 845b50befd8cb1fd58dacba5179a86d66f7b209afa9957c0090f64ce0327d1d6
Opcode Fuzzy Hash: d49358a5fe5d1fdae3dcaeac0e352e986d5487dfd0509437d9c56ed45e9dbb97
Instruction Fuzzy Hash: E311FEB58002089FDB10CF99C888BDEBBF8EB49324F10841AE914A3200C3B4A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B7DEB9, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02B7DF1D

Memory Dump Source

Source File: 00000000.00000002.655713416.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 0614c48f36c528a70fddc5176c4bb378f7d0ac93a381ad733b1f8cfc48fdbc04
Instruction ID: 9bfa0f16b9fbe9dbda64b8679c90768c23c55edd281760308b610b26e710aa5b
Opcode Fuzzy Hash: 0614c48f36c528a70fddc5176c4bb378f7d0ac93a381ad733b1f8cfc48fdbc04
Instruction Fuzzy Hash: E111D0B6900209CFDB10CF99D589BDEBBF4FB48324F14855AE929A7740C3B4A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F1D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655479590.0000000000F1D000.00000040.00000001.sdmp, Offset: 00F1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d024c4ba9352e32c4037031028fc485f5e617167ebf892d1d2e085da91700dd5
Instruction ID: 48232b8af58685fc55edc4ce0528ffe0ab93c42eb2164738ea0ea43caf878151
Opcode Fuzzy Hash: d024c4ba9352e32c4037031028fc485f5e617167ebf892d1d2e085da91700dd5
Instruction Fuzzy Hash: 91213AB2904200DFCB04CF14D9C0B57BFB6FB88328F28856DE9054B206C336D886EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0113D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655516069.000000000113D000.00000040.00000001.sdmp, Offset: 0113D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7770532d40714f4537ce67900d2431bda346bf3366c0ca45387f64271f9a6a
Instruction ID: 36150544c702c2acfd6f6a6b0c12e21501dc6670fd22fff24b4ea164e9e9422c
Opcode Fuzzy Hash: 8c7770532d40714f4537ce67900d2431bda346bf3366c0ca45387f64271f9a6a
Instruction Fuzzy Hash: 202133B1504200DFCF18CF54E8C0B16FBA1FB84754F60C569E8094B24AC336D807CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0113D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655516069.000000000113D000.00000040.00000001.sdmp, Offset: 0113D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7abaf425915550a06596544ecb4059b95ff8823789f93d62054284bfd841d3
Instruction ID: a5fad893378fb6b8a4f35d62b9421f55286ae4636167edac5b64ae5544d9afdf
Opcode Fuzzy Hash: 2f7abaf425915550a06596544ecb4059b95ff8823789f93d62054284bfd841d3
Instruction Fuzzy Hash: 1C2180755083809FCB06CF64D994B15BF71EB86314F28C5DAD8498F267C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F1D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655479590.0000000000F1D000.00000040.00000001.sdmp, Offset: 00F1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction ID: d4a0677bf4ba388277e7f6b09263baf9207e333be3a85f6146594125a35925b2
Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction Fuzzy Hash: F011E676904280CFCF15CF10D5C4B56BF72FB98324F28C6A9D8050B616C33AD896DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F1D749, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655479590.0000000000F1D000.00000040.00000001.sdmp, Offset: 00F1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f937dd887ab6d815efd43fe6b64d9a7d2daa802c95e954d2565f818fe8d5996
Instruction ID: 27554504210197e91d7d485f43a1a51d23488e2b503aee5311afb75cdb96b1bd
Opcode Fuzzy Hash: 1f937dd887ab6d815efd43fe6b64d9a7d2daa802c95e954d2565f818fe8d5996
Instruction Fuzzy Hash: AF012B724083409AE7105A16CCC47A6FBF8EF41334F18C55AEE044B2C6C3789884EAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00F1D748, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655479590.0000000000F1D000.00000040.00000001.sdmp, Offset: 00F1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e956ba2b174e30c62d9b67486ca3dc20161170fab062fb7b73a0e1653ec090b
Instruction ID: ddd3c0c0105e2298f8f2021000e629bffeec61fb12808507120a124f38dbcbe0
Opcode Fuzzy Hash: 0e956ba2b174e30c62d9b67486ca3dc20161170fab062fb7b73a0e1653ec090b
Instruction Fuzzy Hash: E3F096714043449EEB149A16DCC4BA6FFE8EF95734F18C45AED085B286C3799C84DAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 011E0006, Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

k]e, xrefs: 011E00C4

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID:
String ID: k]e
API String ID: 0-3274673013
Opcode ID: c69198ee715f3f44fc16ef430fa77d6e4ba61c00934b388336e3da18be9baea6
Instruction ID: 553c5e75978271e1bfd3c8485cfa9f50492adb995140212e7c5a8030e69288ad
Opcode Fuzzy Hash: c69198ee715f3f44fc16ef430fa77d6e4ba61c00934b388336e3da18be9baea6
Instruction Fuzzy Hash: C2718C70E0924A8FCB09CFE9C4455EEBFF2AF89310F19C46AE504AB265D3749A418F61

Uniqueness

Uniqueness Score: -1.00%

Function 011E0040, Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

k]e, xrefs: 011E00C4

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID:
String ID: k]e
API String ID: 0-3274673013
Opcode ID: 420ab2121428047326a4a91deb80f009407acf42e0cb280235bd738c903d03d1
Instruction ID: 2210d2da7bce7c2a095afb65e8ef3b74652f9e4b9ba8b06ed06202d4747650af
Opcode Fuzzy Hash: 420ab2121428047326a4a91deb80f009407acf42e0cb280235bd738c903d03d1
Instruction Fuzzy Hash: D6615B70F0460A8FCB08CFE9C4855EEFBF2AF88350F15D429E515AB254D7B49A818FA1

Uniqueness

Uniqueness Score: -1.00%

Function 011E20D8, Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

>.?, xrefs: 011E213E

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID:
String ID: >.?
API String ID: 0-3100372477
Opcode ID: 5d7265e060e2e682b3a6af39b14a338a06b111d043fb737b7959c517610ac339
Instruction ID: 0edf046820e0e79453e649e6a0f327e471f10a7213f12ac096f8c0ab3a05cb70
Opcode Fuzzy Hash: 5d7265e060e2e682b3a6af39b14a338a06b111d043fb737b7959c517610ac339
Instruction Fuzzy Hash: 24111771E116189BDB48CFABD84069EFBF7ABC9300F14C07AD908A7214EB705A418F91

Uniqueness

Uniqueness Score: -1.00%

Function 011E20C8, Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

>.?, xrefs: 011E213E

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID:
String ID: >.?
API String ID: 0-3100372477
Opcode ID: 3f040b2a9a12dc61920036d5417d1b14a4d90c3b5af1fd996b70aee9e605c068
Instruction ID: 5d8fa9b6835091d07df1741a5532c4758b12ebbbd7b6391bb94a23a16ff1dad5
Opcode Fuzzy Hash: 3f040b2a9a12dc61920036d5417d1b14a4d90c3b5af1fd996b70aee9e605c068
Instruction Fuzzy Hash: EB112671E116188FDB59CFAAD94469EBAF3AFC9300F18C06AD448AB254EB748A418F51

Uniqueness

Uniqueness Score: -1.00%

Function 02B7C2B0, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655713416.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99866b657eb7c59bef25677ff4bab9c7292b6d3ce78a2fdab76f7cd1bf3c447
Instruction ID: 56f599d69fae4d9846519064bf119e439001c8f15c79aa5dda47142bec604aff
Opcode Fuzzy Hash: d99866b657eb7c59bef25677ff4bab9c7292b6d3ce78a2fdab76f7cd1bf3c447
Instruction Fuzzy Hash: E7527BF19C17068FD732CF14EA882993BB1FB413A8BD14A19D2715B690D3B8656ACF48

Uniqueness

Uniqueness Score: -1.00%

Function 02B799D8, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655713416.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ea6989e879977f9026005dc551c8a06eaf08d4bb2ed930da8a62b72ad59647
Instruction ID: 9fd9c06064f703b57a0a730b8e9525af3c83dd4b7ded5e35089a3acc0f7968f9
Opcode Fuzzy Hash: d2ea6989e879977f9026005dc551c8a06eaf08d4bb2ed930da8a62b72ad59647
Instruction Fuzzy Hash: 22A16D32E00619CFCF05DFA5C8445DEBBB2FF89304B2585AAE915BB221EB35A955CF40

Uniqueness

Uniqueness Score: -1.00%

Function 011E3BB8, Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df201922fff4607184530f8e9353378ba95cce6c1ce33aaa7ca04bd7228c9f4b
Instruction ID: 2b6b7bd0b93431f123958cd10751bfb4ef0b807a3b6c2170655c07ad747f0c34
Opcode Fuzzy Hash: df201922fff4607184530f8e9353378ba95cce6c1ce33aaa7ca04bd7228c9f4b
Instruction Fuzzy Hash: E7A1E674E15609CFCB08CFEAD4854AEFBF2FF89300F10942AD426AB254D7349A428F91

Uniqueness

Uniqueness Score: -1.00%

Function 011E3BA8, Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d299ae783ca258a04fc9c3f8c4bc1d6058eb4a5a593ecec30222b82db6a27370
Instruction ID: 9dd1ce4b9021402066f95199bf1f6cde519125348d85475479164a8729508f59
Opcode Fuzzy Hash: d299ae783ca258a04fc9c3f8c4bc1d6058eb4a5a593ecec30222b82db6a27370
Instruction Fuzzy Hash: 9091D574E15649CFCB08CFEAD9854AEFBF2FF89300F14942AD416AB254D7349A428F91

Uniqueness

Uniqueness Score: -1.00%

Function 011E3FA8, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a33696a67a7e318cdd48516e779f2046c5453683e8f539bc0ee9fdbffeca143
Instruction ID: 56413e09f31805d0dd777d4473d2e30b48b875dc85ff45134efce1e94cd4bd1e
Opcode Fuzzy Hash: 0a33696a67a7e318cdd48516e779f2046c5453683e8f539bc0ee9fdbffeca143
Instruction Fuzzy Hash: 7B513B70E04A6ACBDB68CFA6C8447DDB7F6BBC9300F04C1AAD51DA6214E7705A858F45

Uniqueness

Uniqueness Score: -1.00%

Function 011E3F97, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414e45ded1ae2c5f05778cc2a2bbda06648788a648492d013b2b2d577fdbb51e
Instruction ID: 59665189e93d9e4268bf1807257c293f362e52bb87c325a14fd806082fd47d8f
Opcode Fuzzy Hash: 414e45ded1ae2c5f05778cc2a2bbda06648788a648492d013b2b2d577fdbb51e
Instruction Fuzzy Hash: 9C613970E0466ACBDB68CFA6C8447DDBBB2BFC9300F04C1BAD519A6214E7705A858F44

Uniqueness

Uniqueness Score: -1.00%

Function 011E419E, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95628c4a65db1d32dd289f175841df6c05ddb2f477b589f9cfef5790ce07798
Instruction ID: 1a30f8db1a4fbcd8c099fd863404b2eba207dfea854870a6c0ee757e91b6ad70
Opcode Fuzzy Hash: a95628c4a65db1d32dd289f175841df6c05ddb2f477b589f9cfef5790ce07798
Instruction Fuzzy Hash: F5513774E0466ACBDB68CFA5C844BDDB7B2BB89300F1096EAD519B3604E7705AC58F44

Uniqueness

Uniqueness Score: -1.00%

Function 011E417E, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07db300bfd67245b0fac57d6af6ae2980fa49fbf7c753bb8f36fdd30f9d70eb
Instruction ID: cb0212014877af78cfa6613ac20452a7213e9006fa0eb20fd9e378dff844c664
Opcode Fuzzy Hash: d07db300bfd67245b0fac57d6af6ae2980fa49fbf7c753bb8f36fdd30f9d70eb
Instruction Fuzzy Hash: 1E515974E0466ACBDB68CFA5C844BDDF7B2BB99300F1096AAD509B7604E7709AC18F44

Uniqueness

Uniqueness Score: -1.00%

Function 011E39B8, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552bd7ba85bfe5ef065dd054b140dd77d83c938d6fc631e04ef1a819a8464b76
Instruction ID: 4cd04e1e5a8cc2c7764aef6e6fa22da65d7affcc220701fd253aa272c0719457
Opcode Fuzzy Hash: 552bd7ba85bfe5ef065dd054b140dd77d83c938d6fc631e04ef1a819a8464b76
Instruction Fuzzy Hash: 99410F3158A345AFC3A68F61C8818D1BFF1FE513343A94AAED8C085922D33E5FA5DB51

Uniqueness

Uniqueness Score: -1.00%

Function 011E1548, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5e81ae0afeda236a5047b3274e9584d02ed4911dee86aeac1ce92109853c66
Instruction ID: 195393adcb9c9d489e0391ff59bb35f8286ff00618fbb386be58603f469b7a45
Opcode Fuzzy Hash: ba5e81ae0afeda236a5047b3274e9584d02ed4911dee86aeac1ce92109853c66
Instruction Fuzzy Hash: 9A312970E116199BDF18CFAAE8446AEFBF6BFC9200F14C16AD509A7205EB305A458F51

Uniqueness

Uniqueness Score: -1.00%

Function 011E1538, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655608706.00000000011E0000.00000040.00000001.sdmp, Offset: 011E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c482405ad3e116915c298aa4166dab51de2baeffbdd674a631102432adfd16
Instruction ID: 52d3b8780ec8c13f18809fc73686d3791a522df2c758e6022d21f061108773ae
Opcode Fuzzy Hash: e9c482405ad3e116915c298aa4166dab51de2baeffbdd674a631102432adfd16
Instruction Fuzzy Hash: C6214D70E116199FDB1CCFAAD9446AEBBF3AFC9300F18C06AD508EB255EB744A418F51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tLes2JdtRw.exe PID: 7072 Parent PID: 6888 tLes2JdtRw.exeCOMMON

Executed Functions

Function 014C1FF0, Relevance: 4.3, Strings: 3, Instructions: 512COMMON

Download Yara Rule

Strings

D0%l, xrefs: 014C25D1
D0%l, xrefs: 014C2444
D0%l, xrefs: 014C24D1

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID: D0%l$D0%l$D0%l
API String ID: 0-1586913657
Opcode ID: bc89977512333f89792c54dae93a4981ff89626f20ef1d4f59d4f55346e1c392
Instruction ID: c3bf03f4ce39a707d148d73853d9e1bac071c72aca8688ef2df9f5122afee38e
Opcode Fuzzy Hash: bc89977512333f89792c54dae93a4981ff89626f20ef1d4f59d4f55346e1c392
Instruction Fuzzy Hash: 13129074A002199FCB64DF69C844BAEBBF2BF88714F14856EE905DB3A1DBB49C41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014CB460, Relevance: 1.9, Strings: 1, Instructions: 673COMMON

Download Yara Rule

Strings

8^%l, xrefs: 014CB96C

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID: 8^%l
API String ID: 0-3725521276
Opcode ID: 9f5167d793a9a3a3e4aa070cdbe64033db6363ff67fe9f1e29a9f9fd00a927ef
Instruction ID: b4fcd43f5d7970a1d4b66fd29c0fe3c065401a6f743ec68e83a8d2bced80032f
Opcode Fuzzy Hash: 9f5167d793a9a3a3e4aa070cdbe64033db6363ff67fe9f1e29a9f9fd00a927ef
Instruction Fuzzy Hash: D642F230A002488FEB60DB68C4547AEBBA2EF85744F14C4AED5099F3A6DB74DC46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0117B838, Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.906839515.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342ff4397e2d04d18b76910413b24c6c567d617b67809434dba29c8e4ca7712e
Instruction ID: 76e7f5c1d8807cd074fb594a04262ffa1ac8393904d93977713083d299ce4aa6
Opcode Fuzzy Hash: 342ff4397e2d04d18b76910413b24c6c567d617b67809434dba29c8e4ca7712e
Instruction Fuzzy Hash: A4F16D30A04209CFDB18DFA9C848BADBBF1FF88308F158569E905AF365DB74A945CB45

Uniqueness

Uniqueness Score: -1.00%

Function 014C2D50, Relevance: .9, Instructions: 888COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676ccfb1b434fe8cfa16513b81ea4668f82740bcc79920f2a609aeabf6d0c753
Instruction ID: 6a64aba30d4f2739014dfe48156bdafb221923af5152372973a068d798f596c6
Opcode Fuzzy Hash: 676ccfb1b434fe8cfa16513b81ea4668f82740bcc79920f2a609aeabf6d0c753
Instruction Fuzzy Hash: 27824A38A002099FCB55CF69C584AAEBBF2BF89714F15C56AE5059B3B1DB30ED41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014CAB20, Relevance: .7, Instructions: 699COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62d867a8a0a994f355cd625748e80a05b718b57c97841fc1739839310b138ca
Instruction ID: e79f8224335daaeae35b7d32ea2a0f9a0af44c4c96d17fe510ac3c546d989f49
Opcode Fuzzy Hash: b62d867a8a0a994f355cd625748e80a05b718b57c97841fc1739839310b138ca
Instruction Fuzzy Hash: AC429F34B002058FDB54DBB8D4587AE7BF2EF88714F24846AE506DB3A5EB34DC468B91

Uniqueness

Uniqueness Score: -1.00%

Function 014CDEA8, Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f74280b24f4036b8ef8d23f0e3faf7f1ac00050894fd7f7a34f996b393f5aa8
Instruction ID: 437345ee549761379609caed1dfcf85759ebca9df25ccfa7e1233a04631f3d5a
Opcode Fuzzy Hash: 2f74280b24f4036b8ef8d23f0e3faf7f1ac00050894fd7f7a34f996b393f5aa8
Instruction Fuzzy Hash: 8E12E231E646258FC7E4C7248C8A3BB76E6ABD1620F04917AC648DB360FB318955CBD7

Uniqueness

Uniqueness Score: -1.00%

Function 014C2768, Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70fdf6ee4018f82e1dbdd6bb158c75f3849cc3d6f9dae5185fac217c50857cf7
Instruction ID: c78be7e574e976fc0b4315360add87d8b62b5a9cc5e22b0b5bc592df306c7c09
Opcode Fuzzy Hash: 70fdf6ee4018f82e1dbdd6bb158c75f3849cc3d6f9dae5185fac217c50857cf7
Instruction Fuzzy Hash: 89E13E78A00109DFDB65CFA9C984EAEBBB2BF48710F15816AE905AB371D7B1DC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01576940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 015769A0
GetCurrentThread.KERNEL32 ref: 015769DD
GetCurrentProcess.KERNEL32 ref: 01576A1A
GetCurrentThreadId.KERNEL32 ref: 01576A73

Memory Dump Source

Source File: 00000003.00000002.907746151.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0c371026bad23779f419c434f2639ee2ebdb6d560e352bd175300026e0be06d1
Instruction ID: 75d148cdbec215cd364e5474dcc36c4b1750c3a2b06a7e3faa6b3af182ccb3b4
Opcode Fuzzy Hash: 0c371026bad23779f419c434f2639ee2ebdb6d560e352bd175300026e0be06d1
Instruction Fuzzy Hash: FB5133B09006498FEB14CFAAD548BDEBBF1BB89314F20846AE519A7350D7749884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 014CD328, Relevance: 2.8, Strings: 2, Instructions: 279COMMON

Download Yara Rule

Strings

Xc%l, xrefs: 014CD3F3
Xc%l, xrefs: 014CD3FD

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID: Xc%l$Xc%l
API String ID: 0-1338683366
Opcode ID: b1aba28520efc858eb1fbf09d63a0c63d1b35240fed226fef75257bef3b1a605
Instruction ID: d8252ccbd0f56f8829c32cfa9971d156eea2ecdda2a491653e128b025cf2b2eb
Opcode Fuzzy Hash: b1aba28520efc858eb1fbf09d63a0c63d1b35240fed226fef75257bef3b1a605
Instruction Fuzzy Hash: 5FA1F434B002059FCB55DBA8C854BAF77A6AB88B44F04843EE609DB3A1DB74DC42C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 014C1AC0, Relevance: 2.7, Strings: 2, Instructions: 227COMMON

Download Yara Rule

Strings

Xc%l, xrefs: 014C1C41
Xc%l, xrefs: 014C1C4B

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID: Xc%l$Xc%l
API String ID: 0-1338683366
Opcode ID: e26cc732ccef272c14f132ce78fef267d5580fe8394026e62c4a130cf07ec9de
Instruction ID: c45ed925357597226da94ce8bbffc9e0bcd41dc0dcd821c1c0726664f8d15a6d
Opcode Fuzzy Hash: e26cc732ccef272c14f132ce78fef267d5580fe8394026e62c4a130cf07ec9de
Instruction Fuzzy Hash: 0581B038A00605CFDB94DF6CC4849AABBB1BF89E44B15816EE506DB372D731EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014C5660, Relevance: 2.1, Instructions: 2085COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f0b1e0be7d4fa574c67fd2dcde88d27243757d93ff3ff5cc7150a5ebef0b16d
Instruction ID: 203748d4aa179099d29e84cf4bc3f78f729b832198b89b6931be9dcc5493f18d
Opcode Fuzzy Hash: 7f0b1e0be7d4fa574c67fd2dcde88d27243757d93ff3ff5cc7150a5ebef0b16d
Instruction Fuzzy Hash: 2CD23332A2AB048FD7F49E09FDCF59BB761FB8163471543AFC1040A669E6324845CADB

Uniqueness

Uniqueness Score: -1.00%

Function 01575090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015751A2

Memory Dump Source

Source File: 00000003.00000002.907746151.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5948224c24011b2d48335172d13cde02f9ded6ae8936eb2cc451f8f44fc1afab
Instruction ID: 0bc897d78f8b6038f699faa077819b3c566da1da9a95f9639ab94e77a9110d51
Opcode Fuzzy Hash: 5948224c24011b2d48335172d13cde02f9ded6ae8936eb2cc451f8f44fc1afab
Instruction Fuzzy Hash: F741C0B1D103089FDB14CF99D884ADEBFB5BF48314F64852AE819AB210D7759845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 014ADA70, Relevance: 1.6, APIs: 1, Instructions: 111registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 014ADB79

Memory Dump Source

Source File: 00000003.00000002.907621261.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3c6f7a46e349397dea0c4b13094068cd8104eb388677fbb75a0d9df5857640ac
Instruction ID: 3cb6b4b6b6062feee2d7ecbc01ea9adc59fc26d6ed60e2da88d2b2cda23beacd
Opcode Fuzzy Hash: 3c6f7a46e349397dea0c4b13094068cd8104eb388677fbb75a0d9df5857640ac
Instruction Fuzzy Hash: 974112B1E00259DFDB10CFE9C984A9EBBF5BF48310F55802AE819AB760D774A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 014AD7B8, Relevance: 1.6, APIs: 1, Instructions: 108registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 014AD8BC

Memory Dump Source

Source File: 00000003.00000002.907621261.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9f64bbeeed98009cff276397cb47e43289748c74966b1b0c8052ece907733046
Instruction ID: e763f95165961031aa6efec5eb970428a17f72848576aa2d24d48ee3dedbb4e0
Opcode Fuzzy Hash: 9f64bbeeed98009cff276397cb47e43289748c74966b1b0c8052ece907733046
Instruction Fuzzy Hash: EC4166B5E002498FDB04CF99C588B9EFBF5BF48314F29C16AE409AB351D7B89845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0157779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 01577F09

Memory Dump Source

Source File: 00000003.00000002.907746151.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 3c17008cc37dbb16d4cd5ddf98335dc935215b48a34078bf26bd48f396648c23
Instruction ID: 96d078ca9b74212ef3c9c3cb77056c2f19f26f0b63c35f10eceb513a4cb22d08
Opcode Fuzzy Hash: 3c17008cc37dbb16d4cd5ddf98335dc935215b48a34078bf26bd48f396648c23
Instruction Fuzzy Hash: 85412BB5A002098FDB14CF59D489AAEBBF5FF8C324F14C859E519AB321D774A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 014AAEF8, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 014ADB79

Memory Dump Source

Source File: 00000003.00000002.907621261.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a15d880f56ba018d20ee85622e4162cb32a5d9af1e35bc00c73cb0c3ddcfb106
Instruction ID: f884fe8cf9cd5b37e76d8a29cf0e0928ebb58ba2eb9998430370b5f76b825e9c
Opcode Fuzzy Hash: a15d880f56ba018d20ee85622e4162cb32a5d9af1e35bc00c73cb0c3ddcfb106
Instruction Fuzzy Hash: 2731AEB1D002589FCB10CF9AC984A9EBFF5BF48714F55812AE819AB720D774A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 014AD7FD, Relevance: 1.6, APIs: 1, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 014AD8BC

Memory Dump Source

Source File: 00000003.00000002.907621261.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d47f3c5428afc9824a476474d8cc0da180032a4fa2926970a0b059da6ba5d646
Instruction ID: 00f9d9f9a03246e7169f5d8d176513e411481c53856bb3cacc9961ee2db0f5e6
Opcode Fuzzy Hash: d47f3c5428afc9824a476474d8cc0da180032a4fa2926970a0b059da6ba5d646
Instruction Fuzzy Hash: CD312FB5D002498FDB10CF99C588A8EFFF5BF58314F29816AE809AB310C7B59885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 014AAEEC, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 014AD8BC

Memory Dump Source

Source File: 00000003.00000002.907621261.00000000014A0000.00000040.00000001.sdmp, Offset: 014A0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 2955cacaa83b9951e5e939ec518b9de26d21d7f4309337bb22d4bd757226426f
Instruction ID: 8c8945a5575aef048d896e682e4d4103ff4b6bf9bec3b03881ac094a21d7a97a
Opcode Fuzzy Hash: 2955cacaa83b9951e5e939ec518b9de26d21d7f4309337bb22d4bd757226426f
Instruction Fuzzy Hash: 9D3112B1D002488FDB10CF99C588A8EFFF5BF48314F69816EE809AB350C7B59945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01176930, Relevance: 1.6, APIs: 1, Instructions: 68libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,01177B39,00000800), ref: 01177BCA

Memory Dump Source

Source File: 00000003.00000002.906839515.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f184273a6bebd5035b03333d30b90992849b0898eb44d6125ddb11568979a6f0
Instruction ID: 9e514d5b23821e4dfd652fe5e80d3b1d23dd7aba20db8f50652d25c364e53a62
Opcode Fuzzy Hash: f184273a6bebd5035b03333d30b90992849b0898eb44d6125ddb11568979a6f0
Instruction Fuzzy Hash: 852186B28082498FCB14CFA9C488ADABFF0AB49210F15846ED555A7340D3B5A505CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01576B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01576BEF

Memory Dump Source

Source File: 00000003.00000002.907746151.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9a016a9b4b1ccf1686802ea5b4f5e1d888685d2d24a5ceb428d7f2fa0aad6aa5
Instruction ID: 4e0de6b10a8b9ff55ac8648ac5e7a1a7f5b11d2abd3c892ea3418b0f5ef4e6d7
Opcode Fuzzy Hash: 9a016a9b4b1ccf1686802ea5b4f5e1d888685d2d24a5ceb428d7f2fa0aad6aa5
Instruction Fuzzy Hash: 4321C2B5D002599FDB10CFAAD984ADEFBF8FB48324F14842AE915A7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01176918, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,01177B39,00000800), ref: 01177BCA

Memory Dump Source

Source File: 00000003.00000002.906839515.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e5d681b0132c68f22dad94041c19e449fed9b57c2426a401289a2f0e937d8f6a
Instruction ID: 8b28e03380dd16a3b8eeda73b562e5c6c35c554bd838a1ab6bb867cb07f3e77a
Opcode Fuzzy Hash: e5d681b0132c68f22dad94041c19e449fed9b57c2426a401289a2f0e937d8f6a
Instruction Fuzzy Hash: E21103B69042098FDB14CF9AC448BAEFBF4EB88320F14842AE515A7740C3B5A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01177B5A, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,01177B39,00000800), ref: 01177BCA

Memory Dump Source

Source File: 00000003.00000002.906839515.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5db6e38116ea2ba659d2977b0a4d013fd9e13a91467d7dd4846710f2d04f5ef5
Instruction ID: 0c43861546ffa71a37f18fbb498a7de09f37349e830a772c3f1b607da856fc0c
Opcode Fuzzy Hash: 5db6e38116ea2ba659d2977b0a4d013fd9e13a91467d7dd4846710f2d04f5ef5
Instruction Fuzzy Hash: 561103B6D003098FDB14CF9AC448AEEFBF4AB88324F15852EE515A7700C3B5A545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0157C198, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0157C212

Memory Dump Source

Source File: 00000003.00000002.907746151.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 6376fc9bb9e188ed54263b3dd6bffbf8a57d284574153cfa7551c2a33794ad15
Instruction ID: c81a3e49100d265014d3d12315202ba589af8854971c1319bde3589c85319399
Opcode Fuzzy Hash: 6376fc9bb9e188ed54263b3dd6bffbf8a57d284574153cfa7551c2a33794ad15
Instruction Fuzzy Hash: 24117CB190030A8FDB20DFA9E94979EBBF4FB4A325F14842AD449E7601C7796544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01573300, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01574116

Memory Dump Source

Source File: 00000003.00000002.907746151.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 509af71cea24a34d0c2d86dc7791de679b2b3d69e0dae182bdc7092d3dc7ce5c
Instruction ID: eacbaa38ea32f2d5d11687e939578a98a9a9d12fd8f85175d6e0b1a2daffedc9
Opcode Fuzzy Hash: 509af71cea24a34d0c2d86dc7791de679b2b3d69e0dae182bdc7092d3dc7ce5c
Instruction Fuzzy Hash: 701123B2D002498BDB10DF9AD444BDEFBF4FB49220F04842AD829BB600C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015740AB, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01574116

Memory Dump Source

Source File: 00000003.00000002.907746151.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cebf2ab40d50ca5f631348115d497d5d330f96d55af584cea919197a687976b3
Instruction ID: e14381eb3413b98f4b18beb4661898b9c5f6ccb02e8ed880d2291afe13cfdb41
Opcode Fuzzy Hash: cebf2ab40d50ca5f631348115d497d5d330f96d55af584cea919197a687976b3
Instruction Fuzzy Hash: C711EFB6D002498FDB10CFAAD444A9EFBF4EB89224F14852AD929B7600D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0117A708, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0117B675

Memory Dump Source

Source File: 00000003.00000002.906839515.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a68995b48567ddb77e94b2e375deffdc0af145cb7449db1325fef2ffa4d29e96
Instruction ID: 1277ffa6f35373c1501fa2c09de4cd06bf5f4c5183c55605af76aeecc96f0410
Opcode Fuzzy Hash: a68995b48567ddb77e94b2e375deffdc0af145cb7449db1325fef2ffa4d29e96
Instruction Fuzzy Hash: C11100B19042488FCB20DF9AD488BDEFBF4EB48324F148429E619B7700D3B5A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0117B618, Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0117B675

Memory Dump Source

Source File: 00000003.00000002.906839515.0000000001170000.00000040.00000001.sdmp, Offset: 01170000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 606f0a45ccf526afa64c986b58b7b1d63a2963db35d4aa628e2faecd52384bd7
Instruction ID: 30b44d2054719cb3e3caa99bd25e2070c4e849ae07e849690293ee558e2fe37c
Opcode Fuzzy Hash: 606f0a45ccf526afa64c986b58b7b1d63a2963db35d4aa628e2faecd52384bd7
Instruction Fuzzy Hash: C21115B1904248CFCB10CF99D548BDEFBF4EB48324F14852AE519A7710C379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01574080, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01574116

Memory Dump Source

Source File: 00000003.00000002.907746151.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8b40472aa609dcb758615fdb2a5a7a0f166d8f1f239fdcb4395511b470351b67
Instruction ID: 4ad6caa76cc183ecb29ef8faea7a3005b145efbf976c2a6603e1c588001639e8
Opcode Fuzzy Hash: 8b40472aa609dcb758615fdb2a5a7a0f166d8f1f239fdcb4395511b470351b67
Instruction Fuzzy Hash: 4E014BB59047448FDB15CF99D84478EBBF0BF89314F2485AED008EB222D3399546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014C3E28, Relevance: .8, Instructions: 819COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df5665bf4bf19d95c43333113a51dfc7621cb7d8c7a600ddeb0af4157f8023e2
Instruction ID: d645d156f2a27f58cdbf2b7936121d2df5bd65732ec3c899bf242952614d296a
Opcode Fuzzy Hash: df5665bf4bf19d95c43333113a51dfc7621cb7d8c7a600ddeb0af4157f8023e2
Instruction Fuzzy Hash: F1722F34A0411C8FDB64DBA4C960BAEBBB2EF89304F1181BDC60AAB395DB355D41DF52

Uniqueness

Uniqueness Score: -1.00%

Function 014C4C78, Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ade6ffb08000ef8972c7a2d630e13614e4f71f19e872517c2c025c2dc2f39c
Instruction ID: bf149a7aece277cebd8fb913fd43b2c735db8e37174142ed89cba0530197ed4f
Opcode Fuzzy Hash: e8ade6ffb08000ef8972c7a2d630e13614e4f71f19e872517c2c025c2dc2f39c
Instruction Fuzzy Hash: 25D10C75A001158FCB55CF6DD6A89ADBBF6BF88710B1A80AAE505AB371CB30EC41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 014C4B58, Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 473dbdd7c16cf48a4b39e0e80e7aae49b49cc10aedf755d547a65f63963cf8cc
Instruction ID: 07b91cbe270dd890124fbdd9d42007f65a04708cf1b2e96789e91366d5211924
Opcode Fuzzy Hash: 473dbdd7c16cf48a4b39e0e80e7aae49b49cc10aedf755d547a65f63963cf8cc
Instruction Fuzzy Hash: 57D10C75E002198FCB45CF69C6989ADBBF6BF88710F1A809AE515AB371DB30EC41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 014CC0C0, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1311ae5becef037988e7de5e228dd920e1ec8b2472d766ef6c4b4d8705bc840a
Instruction ID: b4fec8c8ba3412de47abb64c96521d29c82cfafec3d91d3f7d56769df86e1785
Opcode Fuzzy Hash: 1311ae5becef037988e7de5e228dd920e1ec8b2472d766ef6c4b4d8705bc840a
Instruction Fuzzy Hash: BDB1D835A04249DFCF15CFA8C884ADEBFB2FF89310F04816AE909AB361D774A855CB54

Uniqueness

Uniqueness Score: -1.00%

Function 014C2D40, Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04aed418be28b1fac304e64e35d6f4a6790169a6b09a9ee5bd3a4325e459805
Instruction ID: ff19a699d8581c83e4f01e7343729681bd6ea7baa9d184ab4664619dcc92d14f
Opcode Fuzzy Hash: b04aed418be28b1fac304e64e35d6f4a6790169a6b09a9ee5bd3a4325e459805
Instruction Fuzzy Hash: 3DC13838A006099FCB64CFA9C984EAEBBF2BF48714F15855AE905AB361D770ED41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 014C5280, Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565c99688dd92d70a0c326958bf5fa2d728a9b9955ab84c88caeffafd0b6efa3
Instruction ID: 38399ea6c816c8eca837bf14175e449a513cc63fa12b73b138271211c8ef7589
Opcode Fuzzy Hash: 565c99688dd92d70a0c326958bf5fa2d728a9b9955ab84c88caeffafd0b6efa3
Instruction Fuzzy Hash: 1F915939B042198FCB51CF68C984A6EBBB5BF94710F1684AAE9159F372C770E841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014C1830, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8743d093789d1ffab4437b033ea5e5b5c7f37c5b6fbfb712224f8b6f29645f3e
Instruction ID: 2446e327f35b2e8c3fe2a3870c9da82ebc662040b0d9c1024daa2de6b4944552
Opcode Fuzzy Hash: 8743d093789d1ffab4437b033ea5e5b5c7f37c5b6fbfb712224f8b6f29645f3e
Instruction Fuzzy Hash: 1F71E0387042118FD7259B69C89467FB7E2AFC9A54B04817EE606CB3A6DF34CC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014CB118, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc465e9cb9e5c6b8f0c334820bd534336fff06b19cccd3a18d216181772dfa6
Instruction ID: dc5c40fc6d01a64febd052e4d219fa8e2df46293e466654c265a129c774e24c3
Opcode Fuzzy Hash: afc465e9cb9e5c6b8f0c334820bd534336fff06b19cccd3a18d216181772dfa6
Instruction Fuzzy Hash: FB71A134B002148FDB58EBB8E4697AE76E3AFC8744F144429D906DB394EF789C468B91

Uniqueness

Uniqueness Score: -1.00%

Function 014CDE99, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f2fa9b379560962582cea46e4cb3fe3f9fd68b0c140e34cb9ab5c7a5f04afa
Instruction ID: 1a00d0345773ec4eb39975dcb9795c158105a3d644bcb5ffe9ed13017485f9ed
Opcode Fuzzy Hash: f7f2fa9b379560962582cea46e4cb3fe3f9fd68b0c140e34cb9ab5c7a5f04afa
Instruction Fuzzy Hash: 7961BC70B002149FDB24DB78C8587AEBAE3AFC4654F18C52ED506AF3A1DF759C468781

Uniqueness

Uniqueness Score: -1.00%

Function 014CBE20, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930eabb72e8afaa206738b885ec9a9c1b5052728114cbac2aa69a98eed18eacf
Instruction ID: e1e9592750c9b35d461623cc399f92c4392e8c406c77347b48f07d2435196b91
Opcode Fuzzy Hash: 930eabb72e8afaa206738b885ec9a9c1b5052728114cbac2aa69a98eed18eacf
Instruction Fuzzy Hash: B37149387002068FDBA5DF6DC895ABA7BE5EF49A50B1900AEEA05CB371DB71DC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014C3AC8, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aedd9fd1663887d3bbbbaf69563a3fdf3d6b441c4acff746a5ebc70052d3694e
Instruction ID: 4d5166f49dc8d18747093c8fe73458c4768e5190a33aa2529c8ed025b5d2be58
Opcode Fuzzy Hash: aedd9fd1663887d3bbbbaf69563a3fdf3d6b441c4acff746a5ebc70052d3694e
Instruction Fuzzy Hash: 90517E397045119FDB54DF3EC884A6ABBE9FF49A5071680AEE516CB372EB31DC018B50

Uniqueness

Uniqueness Score: -1.00%

Function 014CCA98, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621a642aaaec539ffddbb50d876153d1af3b9850482fb30aa5d4f80cdc587214
Instruction ID: 7521c0cb607390f2cbf8b78437b6f078c3b276a8089ce9ca1db71a60f6af5f1a
Opcode Fuzzy Hash: 621a642aaaec539ffddbb50d876153d1af3b9850482fb30aa5d4f80cdc587214
Instruction Fuzzy Hash: EC616F75D007498FDB55CFA9C1806EEBBF2AF49700F24825ED809AB352D770A981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 014CCA88, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39680c1aafaf2f13d12b6a0294f565eacdaeb0b37b2cb6609d3aa8f089813381
Instruction ID: faa6cb6eeb02aa71fbc262173142ea5e3f6631beef7c299f5805ca9909251829
Opcode Fuzzy Hash: 39680c1aafaf2f13d12b6a0294f565eacdaeb0b37b2cb6609d3aa8f089813381
Instruction Fuzzy Hash: 14517F75E007498FDB15CFA9C5806EEBBF2AF45700F24825ED808AB351E770A985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014CB404, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74dbbed6425c2ab2864e51f40ee5e151a3a31c7d97873386bba20488ea97b5b5
Instruction ID: 239e7abf3a24bb16f812368506ec4f1855c4ba614a825a59d07e768c3629eac9
Opcode Fuzzy Hash: 74dbbed6425c2ab2864e51f40ee5e151a3a31c7d97873386bba20488ea97b5b5
Instruction Fuzzy Hash: 9841A134B401158FDB68ABB4E41D7BE7AF2EF88644F144429E902DB3A4EF749C42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014CC27B, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9a4b92645ec512dd5f769035631b28eb917882938baacfcffbab28dc812082
Instruction ID: 799d5089a9dc30267a787a6dd93678102d2765b6e07a0685cf26a933981ced23
Opcode Fuzzy Hash: 3b9a4b92645ec512dd5f769035631b28eb917882938baacfcffbab28dc812082
Instruction Fuzzy Hash: 1D419235A04249DFCF51CFA4C884AAEBFB2BF45314F04806BE509AB261D374E951CB94

Uniqueness

Uniqueness Score: -1.00%

Function 014C16C8, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e9a20c81a24b7e8253556010d48e593620aca08e9b14b7fb781ea65315f559
Instruction ID: 83cc3a8d1dc1456e834304566f0fa9b9a5bdb67e29dfd9c3a0d37ca8e362fae1
Opcode Fuzzy Hash: f5e9a20c81a24b7e8253556010d48e593620aca08e9b14b7fb781ea65315f559
Instruction Fuzzy Hash: 2441F479204214CFCB168F24C844AAF7BF2FF89A44F05846AE9069B3A2CB34C811C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 014C5500, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ee35d4f59e9f38aed115978f2e4fe445e7d2ef0ec392b5f5ffcad916bcc8e8
Instruction ID: 0686ad540d069369b75baaa04f538cfd5664dcfdfc1da003084f1c730d98d72d
Opcode Fuzzy Hash: e4ee35d4f59e9f38aed115978f2e4fe445e7d2ef0ec392b5f5ffcad916bcc8e8
Instruction Fuzzy Hash: 414102353042559FCB169F29E914A6F3BE6EF99610F04806AF909CF3A2DB38DC12CB51

Uniqueness

Uniqueness Score: -1.00%

Function 014C2618, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8a25b445c0227282b520a5a7cc85a5756812a2f1771aed02629a7dd7b078ef
Instruction ID: b7e13c6f9a1c91f34b30d0e271545fc1f1518cfdfb0cf0cca2f329d0115c162e
Opcode Fuzzy Hash: 1a8a25b445c0227282b520a5a7cc85a5756812a2f1771aed02629a7dd7b078ef
Instruction Fuzzy Hash: C641DF39A002089FCB518F68C844BBFBBB6EB84714F05C46EE9198B361D7B5DC55CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014C38D8, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe1d9f839a48974ace623be12a68f6cb75856ee76b5fe9224ae025d0c059a91
Instruction ID: 769a15bf980c54ea9d8a87a0878fd7021abedbd448dc49810a3186f96575bcb0
Opcode Fuzzy Hash: 9fe1d9f839a48974ace623be12a68f6cb75856ee76b5fe9224ae025d0c059a91
Instruction Fuzzy Hash: D04129787002159FDB55DF29C888AAA7BB5FF88714F10806AF9068B3B1CB31ED51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014C3D08, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73bee7822d1a1ac2b7e626a3b7bf9e25f77e23003c89efdecb528712f6e92a85
Instruction ID: d248ab28741a034da034411c72e1390f877dd5f5c8b947380faa56f058f9a29b
Opcode Fuzzy Hash: 73bee7822d1a1ac2b7e626a3b7bf9e25f77e23003c89efdecb528712f6e92a85
Instruction Fuzzy Hash: E521C4383042044BDB661B39955457E6B97BFC5D15B18C07FD902CBBB2DE34C843A791

Uniqueness

Uniqueness Score: -1.00%

Function 014C3D18, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6cbabd9f8c2fdbf42994964dbc66eaaaf75a7ddcf08ac4b1ffded11c83b6cd8
Instruction ID: 39baea22dc6133c323557b26084381f29235f8d3f6e46681cd63824a4dc881de
Opcode Fuzzy Hash: d6cbabd9f8c2fdbf42994964dbc66eaaaf75a7ddcf08ac4b1ffded11c83b6cd8
Instruction Fuzzy Hash: 4B21B3383042044BDB656A29855467F7A9BBFC4E19F14C03ED902CB7B5DE39CC83A791

Uniqueness

Uniqueness Score: -1.00%

Function 014C14F0, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59972442398026bf5166c2d2a421cb16271a928d1776ed8feccff5a7f2c61377
Instruction ID: 686b766352d100d60baf2ce52cde581eafdd3c0b28535afb5883308d57ef088b
Opcode Fuzzy Hash: 59972442398026bf5166c2d2a421cb16271a928d1776ed8feccff5a7f2c61377
Instruction Fuzzy Hash: A4318F3520010AEFCF529F69D9549AF7BA6FF58A10F04802AFA16D7261CB35C9629B90

Uniqueness

Uniqueness Score: -1.00%

Function 014C3C10, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b618dac3fb4546f7135c716ecda4b1731281acec3c9c2404177c82a28abcb72d
Instruction ID: b41c5d4f1a43e04b925e3716fb426a324ff7d177d588b0467740ae214befe1bf
Opcode Fuzzy Hash: b618dac3fb4546f7135c716ecda4b1731281acec3c9c2404177c82a28abcb72d
Instruction Fuzzy Hash: 0A2180367042599BD7508E6B9880AAF7BA5FB45A40B05842FF912C7360EB35DD4187A0

Uniqueness

Uniqueness Score: -1.00%

Function 014C1627, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9f56f75ca78e88efdcc85cc13c3523993b3b619aca8cf63a8e2bda9c08df50
Instruction ID: b3e9c9d6d55947ed252c933d829a91685815728e16180fa47a4cb7d1ce2caab5
Opcode Fuzzy Hash: 9c9f56f75ca78e88efdcc85cc13c3523993b3b619aca8cf63a8e2bda9c08df50
Instruction Fuzzy Hash: C1110A3A704115ABDB529E6D68106FF3BAAEBC4E90F1C802FE609C7391DA31C8118791

Uniqueness

Uniqueness Score: -1.00%

Function 014C19E0, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfde748d3ddbf1ce2daeab5cec69788307550ba7b006d8bf353886f108b2ee5
Instruction ID: ea6c5571a5f20697e82b6764e2ddc08408bb134acff4c6f63c9e2696a061c52b
Opcode Fuzzy Hash: 6bfde748d3ddbf1ce2daeab5cec69788307550ba7b006d8bf353886f108b2ee5
Instruction Fuzzy Hash: 8711C435701A118FC7259A2DC454A7B77E6BF85E65B0541BEE606CB362CF31CC428B80

Uniqueness

Uniqueness Score: -1.00%

Function 014C2608, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02e62d0ecb7e17ab0d28469f60f8ca828dcbcb37037423116232a64491e7a88e
Instruction ID: d1fa0efa7b6694a27dd990226ae80893a4f06d71e26c1c5d63d4761b44e78c71
Opcode Fuzzy Hash: 02e62d0ecb7e17ab0d28469f60f8ca828dcbcb37037423116232a64491e7a88e
Instruction Fuzzy Hash: 9E215875A00208AFCB61CF58C844FABBBB5EB48724F04846FE5199B262D7B1E954CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014C19F0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5728d10a024bedc455373be10f1ee59bd980e2a76c006db39e7deaa98680581
Instruction ID: 8e97f7347a3da5472d9f36aa1f582e6e8319f6c3bc6db5f34f6cba7bb1d3dcec
Opcode Fuzzy Hash: a5728d10a024bedc455373be10f1ee59bd980e2a76c006db39e7deaa98680581
Instruction Fuzzy Hash: 8D11C2393016128F87259A2DC45497BB7E6FF88E65704417EEA06CB361CF31DC4287C0

Uniqueness

Uniqueness Score: -1.00%

Function 014CC360, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dacca61bb7b48ff40522cfc6ad3d62da71143ffd5de0551debc6963528be811f
Instruction ID: 53b4f4389d070f753d03285ec3c2f37361359b8b7cb3ec9b723cb850fe679b32
Opcode Fuzzy Hash: dacca61bb7b48ff40522cfc6ad3d62da71143ffd5de0551debc6963528be811f
Instruction Fuzzy Hash: 8311B4356002059BDB51CF58D8C0B6EFBA2AF85714F08C66ED5189B2B1D371F951C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 014C49B0, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d39b72b7d30f7f830f52d815c992ec1af2275c50b5ce4b1c02bdda7571e685ee
Instruction ID: 378a6fa2eaa8e5d47f0434ad938ce3a733c87c2efe790d8d2a12da625c55d91c
Opcode Fuzzy Hash: d39b72b7d30f7f830f52d815c992ec1af2275c50b5ce4b1c02bdda7571e685ee
Instruction Fuzzy Hash: 32113335B002049FDB14DF59D954B9EBBB6FB8C760F148029E915A7364DB71AC10CB94

Uniqueness

Uniqueness Score: -1.00%

Function 014C54F0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3781c80aa2f5f82531068532942d35347dcb8b99a07003147eb02fe9ff1d930
Instruction ID: e351e11c18d97a9c193b78144070e7b9c5190f9551723b30ce56382334f0facc
Opcode Fuzzy Hash: d3781c80aa2f5f82531068532942d35347dcb8b99a07003147eb02fe9ff1d930
Instruction Fuzzy Hash: 7E01A9353406069FC716DF1EE84466F7BE6FF99620B05806AE50ACB365DA35EC028B61

Uniqueness

Uniqueness Score: -1.00%

Function 014CAA80, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da64e84d62ee8a279b356dad048a9a5aa9f127e2ce2912357aa91d395d37961
Instruction ID: 9ea4968ec7865779eebc92d38435e803621921ceb0c22802a614cdb8bd88da28
Opcode Fuzzy Hash: 8da64e84d62ee8a279b356dad048a9a5aa9f127e2ce2912357aa91d395d37961
Instruction Fuzzy Hash: 44F090B2D082198FC780ABB894195EE7BF5EE89220B0608BBD549D7201F6784A42CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 014CAAA8, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0026a3708042812f53ef5f1908a448538954edabf0ae3f9bad4b7f4780db1f
Instruction ID: d60b43ef13b8b9b3f781528c65ceaaa943065f8fdca305d4eecb5675b16b08b1
Opcode Fuzzy Hash: 5c0026a3708042812f53ef5f1908a448538954edabf0ae3f9bad4b7f4780db1f
Instruction Fuzzy Hash: 3CE04875E001199F4790DBBDA8095AF7FF9EA8C611B15047AEA1DE3300FB745901CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 014C5D18, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c8878669104fffe950a3464ba96c52d7e9931b9c3dca0d2109e309e0f4ac5fb
Instruction ID: b7ce66a1f018dadc27b7300b8f0983ffcb576e451f3b28f43aadedc422a8be12
Opcode Fuzzy Hash: 5c8878669104fffe950a3464ba96c52d7e9931b9c3dca0d2109e309e0f4ac5fb
Instruction Fuzzy Hash: 43E09235A0860083E324AB20F58803AFFF2FFC4251F1188ADE5C645164CE3288A18746

Uniqueness

Uniqueness Score: -1.00%

Function 014C4890, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 8148dd5082d860860a438729085d6b2a535e7d45253d71242611755c364d370e
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 6CC08C3B60C1386AA665108F7D50EE3BB8CC3C1AB5E29023BF51CC724098929C8141F5

Uniqueness

Uniqueness Score: -1.00%

Function 014C91C5, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413c905f3a2ea3fb055072d650093fce2b8a27ee3a88f1cf62c048297c4a5a25
Instruction ID: 840a46ea5fd29cd1f90f8136c937476ab380f992a07be71dd10507b6a798b6f6
Opcode Fuzzy Hash: 413c905f3a2ea3fb055072d650093fce2b8a27ee3a88f1cf62c048297c4a5a25
Instruction Fuzzy Hash: 9AD01239F01144CFDB58DFA4F8582ACB7B2FBC8325F108466D506D6548CB3019568F40

Uniqueness

Uniqueness Score: -1.00%

Function 014C1D70, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa287faa743f870ddb5085f025af46c03406824900e677424b485dabb48875bc
Instruction ID: 8fd880e038f2aebb73a12644a176296dfd6571f0d3c589a1b9606b145f69d9aa
Opcode Fuzzy Hash: aa287faa743f870ddb5085f025af46c03406824900e677424b485dabb48875bc
Instruction Fuzzy Hash: 84E05B304587059FCB50AF38E5459E637A6EF8121EB02CDB5D1158B1BECFB61972CB05

Uniqueness

Uniqueness Score: -1.00%

Function 014CF7E0, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b431331de5a2d58d3c34cd2f46ee3935bf356bf1803a18b0a8366392272a3245
Instruction ID: f0455d0be7c03cba5d198c5993e7083ff50992295b2cc5f3209c770ef23f39a5
Opcode Fuzzy Hash: b431331de5a2d58d3c34cd2f46ee3935bf356bf1803a18b0a8366392272a3245
Instruction Fuzzy Hash: 52C0123008AB814FCB474AA09824A823FEDAB4237175A00C2D040CB062CAAC0D82C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 014C1D80, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f93d8d7dee381a1df7365fb5967793f87b24b41bb19be09dabe003fb76a2db6c
Instruction ID: 307d31b20d17ff0b623fbfdc0978b85a5101ea227511a7dfe0296988b56ce9cb
Opcode Fuzzy Hash: f93d8d7dee381a1df7365fb5967793f87b24b41bb19be09dabe003fb76a2db6c
Instruction Fuzzy Hash: AAC012304587094E8550FB79E541466339B96C011D740CD25D2048A26CDFFA5A664795

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 014C1F60, Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

l, xrefs: 014C1F9E
l, xrefs: 014C1F76
l, xrefs: 014C1F6C
l, xrefs: 014C1F92

Memory Dump Source

Source File: 00000003.00000002.907660422.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID: l$ l$ l$ l
API String ID: 0-2269808124
Opcode ID: d92b7509f2e78a88e1c382831a3978997bbb0bffd3e9fb0d6aac743a063d3920
Instruction ID: 6bb9c18b3bf22a085a175c9e93d0de919e0da86dd0377958217413496d491e09
Opcode Fuzzy Hash: d92b7509f2e78a88e1c382831a3978997bbb0bffd3e9fb0d6aac743a063d3920
Instruction Fuzzy Hash: AE019E39710006CF9794AA2DC02192BB7A9AFAAF60B15417FE541CB372DB30DC428781

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report tLes2JdtRw.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Statistics

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre