Play interactive tour

Edit tour

Analysis Report W9YDH79i8G.exe

Overview

General Information

Sample Name:	W9YDH79i8G.exe
Analysis ID:	412503
MD5:	cdebc3e47db1dbeac624dd329c1a9ae1
SHA1:	ceee8ff397069a606b3bbef0d54a4175a1de9a0e
SHA256:	0fa77ee6af812f5513bf0ae73a02143a4ed3a037e884aeccc57576f460a9ea57
Tags:	AgentTeslaexe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains very large array initializations

Contains functionality to register a low level keyboard hook

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

W9YDH79i8G.exe (PID: 5656 cmdline: 'C:\Users\user\Desktop\W9YDH79i8G.exe' MD5: CDEBC3E47DB1DBEAC624DD329C1A9AE1)

schtasks.exe (PID: 6168 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KcsilHD' /XML 'C:\Users\user\AppData\Local\Temp\tmp4276.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

W9YDH79i8G.exe (PID: 6232 cmdline: C:\Users\user\Desktop\W9YDH79i8G.exe MD5: CDEBC3E47DB1DBEAC624DD329C1A9AE1)

W9YDH79i8G.exe (PID: 6248 cmdline: C:\Users\user\Desktop\W9YDH79i8G.exe MD5: CDEBC3E47DB1DBEAC624DD329C1A9AE1)

W9YDH79i8G.exe (PID: 6280 cmdline: C:\Users\user\Desktop\W9YDH79i8G.exe MD5: CDEBC3E47DB1DBEAC624DD329C1A9AE1)

W9YDH79i8G.exe (PID: 6316 cmdline: C:\Users\user\Desktop\W9YDH79i8G.exe MD5: CDEBC3E47DB1DBEAC624DD329C1A9AE1)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "shekhar@ocl-india.icu@Mexico1.,mail.privateemail.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.254574303.00000000042F9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.254574303.00000000042F9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000007.00000002.497630354.0000000003251000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.497630354.0000000003251000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.494321847.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.494321847.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.254886399.0000000004412000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.254886399.0000000004412000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000007.00000002.497673320.0000000003286000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.497762134.00000000032B3000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: W9YDH79i8G.exe PID: 5656	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: W9YDH79i8G.exe PID: 5656	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: W9YDH79i8G.exe PID: 6316	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: W9YDH79i8G.exe PID: 6316	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.W9YDH79i8G.exe.4428d80.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.W9YDH79i8G.exe.4428d80.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.W9YDH79i8G.exe.4428d80.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.W9YDH79i8G.exe.4428d80.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
7.2.W9YDH79i8G.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.W9YDH79i8G.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000007.00000002.497630354.0000000003251000.00000004.00000001.sdmp

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "shekhar@ocl-india.icu@Mexico1.,mail.privateemail.com"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\KcsilHD.exe

ReversingLabs: Detection: 40%

Multi AV Scanner detection for submitted file

Show sources

Source: W9YDH79i8G.exe	Virustotal: Detection: 35%			Perma Link
Source: W9YDH79i8G.exe	ReversingLabs: Detection: 40%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\KcsilHD.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: W9YDH79i8G.exe

Joe Sandbox ML: detected

Source: 7.2.W9YDH79i8G.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: W9YDH79i8G.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: W9YDH79i8G.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0BCE62D8
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0BCE638C
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0BCE62C8

Source: global traffic

TCP traffic: 192.168.2.7:49736 -> 198.54.122.60:587

Source: Joe Sandbox View

IP Address: 198.54.122.60 198.54.122.60

Source: global traffic

TCP traffic: 192.168.2.7:49736 -> 198.54.122.60:587

Source: unknown

DNS traffic detected: queries for: mail.privateemail.com

Source: W9YDH79i8G.exe, 00000007.00000002.497630354.0000000003251000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: W9YDH79i8G.exe, 00000007.00000002.497762134.00000000032B3000.00000004.00000001.sdmp	String found in binary or memory: http://3yctoQGYo4sp.com
Source: W9YDH79i8G.exe, 00000007.00000002.497630354.0000000003251000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: W9YDH79i8G.exe, 00000007.00000002.497630354.0000000003251000.00000004.00000001.sdmp	String found in binary or memory: http://HVIItO.com
Source: W9YDH79i8G.exe, 00000007.00000002.497963649.0000000003314000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: W9YDH79i8G.exe, 00000007.00000002.506767918.0000000007060000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: W9YDH79i8G.exe, 00000007.00000002.497963649.0000000003314000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: W9YDH79i8G.exe, 00000007.00000002.497963649.0000000003314000.00000004.00000001.sdmp	String found in binary or memory: http://mail.privateemail.com
Source: W9YDH79i8G.exe, 00000007.00000002.497963649.0000000003314000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: W9YDH79i8G.exe, 00000007.00000002.497963649.0000000003314000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: W9YDH79i8G.exe, 00000007.00000002.497963649.0000000003314000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: W9YDH79i8G.exe, 00000000.00000002.254886399.0000000004412000.00000004.00000001.sdmp, W9YDH79i8G.exe, 00000007.00000002.494321847.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: W9YDH79i8G.exe, 00000007.00000002.497630354.0000000003251000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

Code function: 7_2_01706948 SetWindowsHookExW 0000000D,00000000,?,?

7_2_01706948

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\W9YDH79i8G.exe

Jump to behavior

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 7.2.W9YDH79i8G.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b803C5E9Cu002d14DDu002d4654u002dAB48u002d30D470F4522Du007d/u00317C32930u002d2054u002d481Au002dB4A9u002d68C206A86293.cs

Large array initialization: .cctor: array initializer size 11936

Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_00F02E25	0_2_00F02E25
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_0BCE511C	0_2_0BCE511C
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_0BCE18F8	0_2_0BCE18F8
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_0BCE3048	0_2_0BCE3048
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_0BCE1FB8	0_2_0BCE1FB8
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_0BCE25D0	0_2_0BCE25D0
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_0BCE1588	0_2_0BCE1588
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_0BCE33F8	0_2_0BCE33F8
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_0BCE18E8	0_2_0BCE18E8
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_0BCE3039	0_2_0BCE3039
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_0BCE1FA8	0_2_0BCE1FA8
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_0BCE0700	0_2_0BCE0700
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_0BCE0710	0_2_0BCE0710
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_0BCE3626	0_2_0BCE3626
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_0BCE25C0	0_2_0BCE25C0
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_0BCE35C1	0_2_0BCE35C1
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_0BCE1578	0_2_0BCE1578
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_0BCE3408	0_2_0BCE3408
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 3_2_00242E25	3_2_00242E25
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 4_2_00322E25	4_2_00322E25
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 6_2_00142E25	6_2_00142E25
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_00F22E25	7_2_00F22E25
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_014C5608	7_2_014C5608
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_014C46C0	7_2_014C46C0
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_014C06A8	7_2_014C06A8
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_016F3F78	7_2_016F3F78
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_016FEE68	7_2_016FEE68
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_016F4A47	7_2_016F4A47
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_016F9E58	7_2_016F9E58
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_016FB240	7_2_016FB240
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_017011B0	7_2_017011B0
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_01704870	7_2_01704870
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_017081E8	7_2_017081E8
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_01735958	7_2_01735958
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173E0D0	7_2_0173E0D0
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_017366B8	7_2_017366B8
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173EAB8	7_2_0173EAB8

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\KcsilHD.exe 0FA77EE6AF812F5513BF0AE73A02143A4ED3A037E884AECCC57576F460A9EA57

Source: W9YDH79i8G.exe	Binary or memory string: OriginalFilename vs W9YDH79i8G.exe
Source: W9YDH79i8G.exe, 00000000.00000002.259927781.000000000C360000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs W9YDH79i8G.exe
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameJUZFLaLNGVPGsrhHohqG.exe4 vs W9YDH79i8G.exe
Source: W9YDH79i8G.exe, 00000000.00000002.252651996.00000000032F1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs W9YDH79i8G.exe
Source: W9YDH79i8G.exe, 00000000.00000002.258927770.0000000006750000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs W9YDH79i8G.exe
Source: W9YDH79i8G.exe, 00000000.00000002.260065297.000000000C460000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs W9YDH79i8G.exe
Source: W9YDH79i8G.exe, 00000000.00000002.260065297.000000000C460000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs W9YDH79i8G.exe
Source: W9YDH79i8G.exe	Binary or memory string: OriginalFilename vs W9YDH79i8G.exe
Source: W9YDH79i8G.exe	Binary or memory string: OriginalFilename vs W9YDH79i8G.exe
Source: W9YDH79i8G.exe	Binary or memory string: OriginalFilename vs W9YDH79i8G.exe
Source: W9YDH79i8G.exe	Binary or memory string: OriginalFilename vs W9YDH79i8G.exe
Source: W9YDH79i8G.exe, 00000007.00000002.496407374.00000000016E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs W9YDH79i8G.exe
Source: W9YDH79i8G.exe, 00000007.00000002.506580834.0000000006BA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs W9YDH79i8G.exe
Source: W9YDH79i8G.exe, 00000007.00000002.495042484.0000000001388000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs W9YDH79i8G.exe
Source: W9YDH79i8G.exe, 00000007.00000002.494321847.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameJUZFLaLNGVPGsrhHohqG.exe4 vs W9YDH79i8G.exe
Source: W9YDH79i8G.exe, 00000007.00000002.496608102.0000000001710000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs W9YDH79i8G.exe
Source: W9YDH79i8G.exe	Binary or memory string: OriginalFilenameAsyncCausalityTracer.exeR vs W9YDH79i8G.exe

Source: W9YDH79i8G.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: W9YDH79i8G.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: KcsilHD.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 7.2.W9YDH79i8G.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.W9YDH79i8G.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.W9YDH79i8G.exe.f00000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Object TCP_Protocol.TypeExt::PayloadGet(TCP_Protocol.Packet)
Source: 0.2.W9YDH79i8G.exe.f00000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: TCP_Protocol.Packet TCP_Protocol.TypeExt::PayloadSet(TCP_Protocol.Packet&,System.Byte[])
Source: 0.2.W9YDH79i8G.exe.f00000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Boolean TCP_Protocol.TypeExt::PayloadValidate(TCP_Protocol.Packet)
Source: 3.2.W9YDH79i8G.exe.240000.0.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Void TCP_Protocol.Packet::set_Payload(System.Byte[])
Source: 3.2.W9YDH79i8G.exe.240000.0.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Byte[] TCP_Protocol.Packet::get_Payload()
Source: 7.2.W9YDH79i8G.exe.f20000.1.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Object TCP_Protocol.TypeExt::PayloadGet(TCP_Protocol.Packet)
Source: 7.2.W9YDH79i8G.exe.f20000.1.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: TCP_Protocol.Packet TCP_Protocol.TypeExt::PayloadSet(TCP_Protocol.Packet&,System.Byte[])
Source: 7.2.W9YDH79i8G.exe.f20000.1.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Boolean TCP_Protocol.TypeExt::PayloadValidate(TCP_Protocol.Packet)
Source: 0.0.W9YDH79i8G.exe.f00000.0.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Void TCP_Protocol.Packet::set_Payload(System.Byte[])
Source: 0.0.W9YDH79i8G.exe.f00000.0.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Byte[] TCP_Protocol.Packet::get_Payload()
Source: 4.0.W9YDH79i8G.exe.320000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Object TCP_Protocol.TypeExt::PayloadGet(TCP_Protocol.Packet)
Source: 4.0.W9YDH79i8G.exe.320000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: TCP_Protocol.Packet TCP_Protocol.TypeExt::PayloadSet(TCP_Protocol.Packet&,System.Byte[])
Source: 4.0.W9YDH79i8G.exe.320000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Boolean TCP_Protocol.TypeExt::PayloadValidate(TCP_Protocol.Packet)
Source: 6.0.W9YDH79i8G.exe.140000.0.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Void TCP_Protocol.Packet::set_Payload(System.Byte[])
Source: 6.0.W9YDH79i8G.exe.140000.0.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Byte[] TCP_Protocol.Packet::get_Payload()
Source: 4.0.W9YDH79i8G.exe.320000.0.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Void TCP_Protocol.Packet::set_Payload(System.Byte[])
Source: 4.0.W9YDH79i8G.exe.320000.0.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Byte[] TCP_Protocol.Packet::get_Payload()
Source: 4.2.W9YDH79i8G.exe.320000.0.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Void TCP_Protocol.Packet::set_Payload(System.Byte[])
Source: 4.2.W9YDH79i8G.exe.320000.0.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Byte[] TCP_Protocol.Packet::get_Payload()
Source: 3.0.W9YDH79i8G.exe.240000.0.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Void TCP_Protocol.Packet::set_Payload(System.Byte[])
Source: 3.0.W9YDH79i8G.exe.240000.0.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Byte[] TCP_Protocol.Packet::get_Payload()
Source: 4.2.W9YDH79i8G.exe.320000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Object TCP_Protocol.TypeExt::PayloadGet(TCP_Protocol.Packet)
Source: 4.2.W9YDH79i8G.exe.320000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: TCP_Protocol.Packet TCP_Protocol.TypeExt::PayloadSet(TCP_Protocol.Packet&,System.Byte[])
Source: 4.2.W9YDH79i8G.exe.320000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Boolean TCP_Protocol.TypeExt::PayloadValidate(TCP_Protocol.Packet)
Source: 0.2.W9YDH79i8G.exe.f00000.0.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Void TCP_Protocol.Packet::set_Payload(System.Byte[])
Source: 0.2.W9YDH79i8G.exe.f00000.0.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Byte[] TCP_Protocol.Packet::get_Payload()
Source: 0.0.W9YDH79i8G.exe.f00000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Object TCP_Protocol.TypeExt::PayloadGet(TCP_Protocol.Packet)
Source: 0.0.W9YDH79i8G.exe.f00000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: TCP_Protocol.Packet TCP_Protocol.TypeExt::PayloadSet(TCP_Protocol.Packet&,System.Byte[])
Source: 0.0.W9YDH79i8G.exe.f00000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Boolean TCP_Protocol.TypeExt::PayloadValidate(TCP_Protocol.Packet)
Source: 6.2.W9YDH79i8G.exe.140000.0.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Void TCP_Protocol.Packet::set_Payload(System.Byte[])
Source: 6.2.W9YDH79i8G.exe.140000.0.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Byte[] TCP_Protocol.Packet::get_Payload()
Source: 7.0.W9YDH79i8G.exe.f20000.0.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Void TCP_Protocol.Packet::set_Payload(System.Byte[])
Source: 7.0.W9YDH79i8G.exe.f20000.0.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Byte[] TCP_Protocol.Packet::get_Payload()
Source: W9YDH79i8G.exe, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Object TCP_Protocol.TypeExt::PayloadGet(TCP_Protocol.Packet)
Source: W9YDH79i8G.exe, TCP_Protocol/TypeExt.cs	Suspicious method names: TCP_Protocol.Packet TCP_Protocol.TypeExt::PayloadSet(TCP_Protocol.Packet&,System.Byte[])
Source: W9YDH79i8G.exe, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Boolean TCP_Protocol.TypeExt::PayloadValidate(TCP_Protocol.Packet)
Source: 3.0.W9YDH79i8G.exe.240000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Object TCP_Protocol.TypeExt::PayloadGet(TCP_Protocol.Packet)
Source: 3.0.W9YDH79i8G.exe.240000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: TCP_Protocol.Packet TCP_Protocol.TypeExt::PayloadSet(TCP_Protocol.Packet&,System.Byte[])
Source: 3.0.W9YDH79i8G.exe.240000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Boolean TCP_Protocol.TypeExt::PayloadValidate(TCP_Protocol.Packet)
Source: W9YDH79i8G.exe, TCP_Protocol/Packet.cs	Suspicious method names: System.Void TCP_Protocol.Packet::set_Payload(System.Byte[])
Source: W9YDH79i8G.exe, TCP_Protocol/Packet.cs	Suspicious method names: System.Byte[] TCP_Protocol.Packet::get_Payload()
Source: KcsilHD.exe.0.dr, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Object TCP_Protocol.TypeExt::PayloadGet(TCP_Protocol.Packet)
Source: KcsilHD.exe.0.dr, TCP_Protocol/TypeExt.cs	Suspicious method names: TCP_Protocol.Packet TCP_Protocol.TypeExt::PayloadSet(TCP_Protocol.Packet&,System.Byte[])
Source: KcsilHD.exe.0.dr, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Boolean TCP_Protocol.TypeExt::PayloadValidate(TCP_Protocol.Packet)
Source: 7.0.W9YDH79i8G.exe.f20000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Object TCP_Protocol.TypeExt::PayloadGet(TCP_Protocol.Packet)
Source: 7.0.W9YDH79i8G.exe.f20000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: TCP_Protocol.Packet TCP_Protocol.TypeExt::PayloadSet(TCP_Protocol.Packet&,System.Byte[])
Source: 7.0.W9YDH79i8G.exe.f20000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Boolean TCP_Protocol.TypeExt::PayloadValidate(TCP_Protocol.Packet)
Source: 3.2.W9YDH79i8G.exe.240000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Object TCP_Protocol.TypeExt::PayloadGet(TCP_Protocol.Packet)
Source: 3.2.W9YDH79i8G.exe.240000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: TCP_Protocol.Packet TCP_Protocol.TypeExt::PayloadSet(TCP_Protocol.Packet&,System.Byte[])
Source: 3.2.W9YDH79i8G.exe.240000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Boolean TCP_Protocol.TypeExt::PayloadValidate(TCP_Protocol.Packet)
Source: KcsilHD.exe.0.dr, TCP_Protocol/Packet.cs	Suspicious method names: System.Void TCP_Protocol.Packet::set_Payload(System.Byte[])
Source: KcsilHD.exe.0.dr, TCP_Protocol/Packet.cs	Suspicious method names: System.Byte[] TCP_Protocol.Packet::get_Payload()
Source: 7.2.W9YDH79i8G.exe.f20000.1.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Void TCP_Protocol.Packet::set_Payload(System.Byte[])
Source: 7.2.W9YDH79i8G.exe.f20000.1.unpack, TCP_Protocol/Packet.cs	Suspicious method names: System.Byte[] TCP_Protocol.Packet::get_Payload()
Source: 6.2.W9YDH79i8G.exe.140000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Object TCP_Protocol.TypeExt::PayloadGet(TCP_Protocol.Packet)
Source: 6.2.W9YDH79i8G.exe.140000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: TCP_Protocol.Packet TCP_Protocol.TypeExt::PayloadSet(TCP_Protocol.Packet&,System.Byte[])
Source: 6.2.W9YDH79i8G.exe.140000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Boolean TCP_Protocol.TypeExt::PayloadValidate(TCP_Protocol.Packet)
Source: 6.0.W9YDH79i8G.exe.140000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Object TCP_Protocol.TypeExt::PayloadGet(TCP_Protocol.Packet)
Source: 6.0.W9YDH79i8G.exe.140000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: TCP_Protocol.Packet TCP_Protocol.TypeExt::PayloadSet(TCP_Protocol.Packet&,System.Byte[])
Source: 6.0.W9YDH79i8G.exe.140000.0.unpack, TCP_Protocol/TypeExt.cs	Suspicious method names: System.Boolean TCP_Protocol.TypeExt::PayloadValidate(TCP_Protocol.Packet)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@12/4@1/1

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

File created: C:\Users\user\AppData\Roaming\KcsilHD.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_01
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Mutant created: \Sessions\1\BaseNamedObjects\xZakExqTbRWYflheguXiulchcZp

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

File created: C:\Users\user\AppData\Local\Temp\tmp4276.tmp

Jump to behavior

Source: W9YDH79i8G.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\W9YDH79i8G.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\W9YDH79i8G.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: W9YDH79i8G.exe	Virustotal: Detection: 35%
Source: W9YDH79i8G.exe	ReversingLabs: Detection: 40%

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

File read: C:\Users\user\Desktop\W9YDH79i8G.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\W9YDH79i8G.exe 'C:\Users\user\Desktop\W9YDH79i8G.exe'
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KcsilHD' /XML 'C:\Users\user\AppData\Local\Temp\tmp4276.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process created: C:\Users\user\Desktop\W9YDH79i8G.exe C:\Users\user\Desktop\W9YDH79i8G.exe
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process created: C:\Users\user\Desktop\W9YDH79i8G.exe C:\Users\user\Desktop\W9YDH79i8G.exe
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process created: C:\Users\user\Desktop\W9YDH79i8G.exe C:\Users\user\Desktop\W9YDH79i8G.exe
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process created: C:\Users\user\Desktop\W9YDH79i8G.exe C:\Users\user\Desktop\W9YDH79i8G.exe
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KcsilHD' /XML 'C:\Users\user\AppData\Local\Temp\tmp4276.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process created: C:\Users\user\Desktop\W9YDH79i8G.exe C:\Users\user\Desktop\W9YDH79i8G.exe	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process created: C:\Users\user\Desktop\W9YDH79i8G.exe C:\Users\user\Desktop\W9YDH79i8G.exe	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process created: C:\Users\user\Desktop\W9YDH79i8G.exe C:\Users\user\Desktop\W9YDH79i8G.exe	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process created: C:\Users\user\Desktop\W9YDH79i8G.exe C:\Users\user\Desktop\W9YDH79i8G.exe	Jump to behavior

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: W9YDH79i8G.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: W9YDH79i8G.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 0_2_0BCE7025 push FFFFFF8Bh; iretd	0_2_0BCE7027
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_014C3850 pushad ; iretd	7_2_014C3851
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D550 pushfd ; retf	7_2_0173D591
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D500 pushfd ; retf	7_2_0173D501
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D468 pushfd ; retf	7_2_0173D4AD
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D468 pushfd ; retf	7_2_0173D4D9
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D45C pushfd ; retf	7_2_0173D461
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D4F0 pushfd ; retf	7_2_0173D4F1
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D4F4 pushfd ; retf	7_2_0173D4F5
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D4F8 pushfd ; retf	7_2_0173D4F9
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D4E0 pushfd ; retf	7_2_0173D4E1
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D4E4 pushfd ; retf	7_2_0173D4E5
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D4E8 pushfd ; retf	7_2_0173D4E9
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D4EC pushfd ; retf	7_2_0173D4ED
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D4DC pushfd ; retf	7_2_0173D4DD
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D378 pushfd ; retf	7_2_0173D37D
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D32C pushfd ; retf	7_2_0173D331
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D3D0 pushfd ; retf	7_2_0173D415
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D3C4 pushfd ; retf	7_2_0173D3C9
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173B39F push edi; retn 0000h	7_2_0173B3A1
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D2E0 pushfd ; retf	7_2_0173D2E5
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Code function: 7_2_0173D294 pushfd ; retf	7_2_0173D299

Source: initial sample	Static PE information: section name: .text entropy: 7.98266183828
Source: initial sample	Static PE information: section name: .text entropy: 7.98266183828

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

File created: C:\Users\user\AppData\Roaming\KcsilHD.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KcsilHD' /XML 'C:\Users\user\AppData\Local\Temp\tmp4276.tmp'

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: W9YDH79i8G.exe PID: 5656, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Window / User API: threadDelayed 3877			Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Window / User API: threadDelayed 5920			Jump to behavior

Source: C:\Users\user\Desktop\W9YDH79i8G.exe TID: 6112	Thread sleep time: -99783s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe TID: 6112	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe TID: 5564	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe TID: 6828	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe TID: 6836	Thread sleep count: 3877 > 30	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe TID: 6828	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe TID: 6836	Thread sleep count: 5920 > 30	Jump to behavior

Source: C:\Users\user\Desktop\W9YDH79i8G.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Thread delayed: delay time: 99783	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

Code function: 7_2_017011B0 LdrInitializeThunk,

7_2_017011B0

Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

Memory written: C:\Users\user\Desktop\W9YDH79i8G.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KcsilHD' /XML 'C:\Users\user\AppData\Local\Temp\tmp4276.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process created: C:\Users\user\Desktop\W9YDH79i8G.exe C:\Users\user\Desktop\W9YDH79i8G.exe	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process created: C:\Users\user\Desktop\W9YDH79i8G.exe C:\Users\user\Desktop\W9YDH79i8G.exe	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process created: C:\Users\user\Desktop\W9YDH79i8G.exe C:\Users\user\Desktop\W9YDH79i8G.exe	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Process created: C:\Users\user\Desktop\W9YDH79i8G.exe C:\Users\user\Desktop\W9YDH79i8G.exe	Jump to behavior

Source: W9YDH79i8G.exe, 00000007.00000002.497128038.0000000001C70000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: W9YDH79i8G.exe, 00000007.00000002.497128038.0000000001C70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: W9YDH79i8G.exe, 00000007.00000002.497128038.0000000001C70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: W9YDH79i8G.exe, 00000007.00000002.497128038.0000000001C70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Queries volume information: C:\Users\user\Desktop\W9YDH79i8G.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Queries volume information: C:\Users\user\Desktop\W9YDH79i8G.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.254574303.00000000042F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.494321847.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.254886399.0000000004412000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.W9YDH79i8G.exe.4428d80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.W9YDH79i8G.exe.4428d80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.W9YDH79i8G.exe.400000.0.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.254574303.00000000042F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.497630354.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.494321847.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.254886399.0000000004412000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.497673320.0000000003286000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.497762134.00000000032B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: W9YDH79i8G.exe PID: 5656, type: MEMORY
Source: Yara match	File source: Process Memory Space: W9YDH79i8G.exe PID: 6316, type: MEMORY
Source: Yara match	File source: 0.2.W9YDH79i8G.exe.4428d80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.W9YDH79i8G.exe.4428d80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.W9YDH79i8G.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\W9YDH79i8G.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\W9YDH79i8G.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\W9YDH79i8G.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\W9YDH79i8G.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\W9YDH79i8G.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000007.00000002.497630354.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: W9YDH79i8G.exe PID: 6316, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.254574303.00000000042F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.494321847.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.254886399.0000000004412000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.W9YDH79i8G.exe.4428d80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.W9YDH79i8G.exe.4428d80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.W9YDH79i8G.exe.400000.0.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.254574303.00000000042F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.497630354.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.494321847.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.254886399.0000000004412000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.497673320.0000000003286000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.497762134.00000000032B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: W9YDH79i8G.exe PID: 5656, type: MEMORY
Source: Yara match	File source: Process Memory Space: W9YDH79i8G.exe PID: 6316, type: MEMORY
Source: Yara match	File source: 0.2.W9YDH79i8G.exe.4428d80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.W9YDH79i8G.exe.4428d80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.W9YDH79i8G.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Scheduled Task/Job1	Process Injection112	Disable or Modify Tools1	OS Credential Dumping2	File and Directory Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Deobfuscate/Decode Files or Information1	Input Capture21	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information3	Credentials in Registry1	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing3	NTDS	Security Software Discovery321	Distributed Component Object Model	Input Capture21	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Process Discovery2	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion141	Cached Domain Credentials	Virtualization/Sandbox Evasion141	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
W9YDH79i8G.exe	35%	Virustotal		Browse
W9YDH79i8G.exe	40%	ReversingLabs	Win32.Trojan.AgentTesla
W9YDH79i8G.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\KcsilHD.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\KcsilHD.exe	40%	ReversingLabs	Win32.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
7.2.W9YDH79i8G.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://HVIItO.com	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://3yctoQGYo4sp.com	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.privateemail.com	198.54.122.60	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	W9YDH79i8G.exe, 00000007.00000002.497963649.0000000003314000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://127.0.0.1:HTTP/1.1	W9YDH79i8G.exe, 00000007.00000002.497630354.0000000003251000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://HVIItO.com	W9YDH79i8G.exe, 00000007.00000002.497630354.0000000003251000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNS	W9YDH79i8G.exe, 00000007.00000002.497630354.0000000003251000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0	W9YDH79i8G.exe, 00000007.00000002.497963649.0000000003314000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://3yctoQGYo4sp.com	W9YDH79i8G.exe, 00000007.00000002.497762134.00000000032B3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	W9YDH79i8G.exe, 00000007.00000002.497963649.0000000003314000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://mail.privateemail.com	W9YDH79i8G.exe, 00000007.00000002.497963649.0000000003314000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	W9YDH79i8G.exe, 00000007.00000002.497630354.0000000003251000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	W9YDH79i8G.exe, 00000000.00000002.254886399.0000000004412000.00000004.00000001.sdmp, W9YDH79i8G.exe, 00000007.00000002.494321847.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	W9YDH79i8G.exe, 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.54.122.60	mail.privateemail.com	United States		22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	412503
Start date:	12.05.2021
Start time:	18:32:56
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	W9YDH79i8G.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@12/4@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 6.5% (good quality ratio 5.5%) Quality average: 68.3% Quality standard deviation: 33.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 87 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 20.82.210.154, 168.61.161.212, 104.43.139.144, 92.122.145.220, 52.147.198.201, 104.43.193.48, 184.30.24.56, 20.82.209.183, 92.122.213.247, 92.122.213.194, 13.107.4.50, 2.20.143.16, 2.20.142.209, 20.50.102.62, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, Edge-Prod-FRA.env.au.au-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, elasticShed.au.au-msedge.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, afdap.au.au-msedge.net, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, au.au-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:33:47	API Interceptor	716x Sleep call for process: W9YDH79i8G.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
198.54.122.60	Ko4zQgTBHv.exe	Get hash	malicious	Browse
	wed.doc	Get hash	malicious	Browse
	ORDER CONFIRMATION.doc	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Packed2.43091.10004.exe	Get hash	malicious	Browse
	6e5c05e1_by_Libranalysis.exe	Get hash	malicious	Browse
	RFQ Plasma cutting machine.doc	Get hash	malicious	Browse
	337840b9_by_Libranalysis.exe	Get hash	malicious	Browse
	vy38Kw9qRh.exe	Get hash	malicious	Browse
	ePj6KfzLBxh4vbe.exe	Get hash	malicious	Browse
	zkXpISzeo3.exe	Get hash	malicious	Browse
	yl9KgwwOXDZoGMw.exe	Get hash	malicious	Browse
	8DL3LHg4SB6Q7z2.exe	Get hash	malicious	Browse
	01217a79_by_Libranalysis.exe	Get hash	malicious	Browse
	5iRqi4LmLF.exe	Get hash	malicious	Browse
	6f37L7HNqo.exe	Get hash	malicious	Browse
	IqRG5ZzYOH.exe	Get hash	malicious	Browse
	PO 4302003683.doc	Get hash	malicious	Browse
	Tender Overview 10052021.doc	Get hash	malicious	Browse
	ORDER 10.05.doc	Get hash	malicious	Browse
	purchase request.doc	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mail.privateemail.com	Ko4zQgTBHv.exe	Get hash	malicious	Browse	198.54.122.60
	wed.doc	Get hash	malicious	Browse	198.54.122.60
	ORDER CONFIRMATION.doc	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.Packed2.43091.10004.exe	Get hash	malicious	Browse	198.54.122.60
	6e5c05e1_by_Libranalysis.exe	Get hash	malicious	Browse	198.54.122.60
	RFQ Plasma cutting machine.doc	Get hash	malicious	Browse	198.54.122.60
	337840b9_by_Libranalysis.exe	Get hash	malicious	Browse	198.54.122.60
	vy38Kw9qRh.exe	Get hash	malicious	Browse	198.54.122.60
	ePj6KfzLBxh4vbe.exe	Get hash	malicious	Browse	198.54.122.60
	zkXpISzeo3.exe	Get hash	malicious	Browse	198.54.122.60
	yl9KgwwOXDZoGMw.exe	Get hash	malicious	Browse	198.54.122.60
	8DL3LHg4SB6Q7z2.exe	Get hash	malicious	Browse	198.54.122.60
	01217a79_by_Libranalysis.exe	Get hash	malicious	Browse	198.54.122.60
	5iRqi4LmLF.exe	Get hash	malicious	Browse	198.54.122.60
	6f37L7HNqo.exe	Get hash	malicious	Browse	198.54.122.60
	IqRG5ZzYOH.exe	Get hash	malicious	Browse	198.54.122.60
	PO 4302003683.doc	Get hash	malicious	Browse	198.54.122.60
	Tender Overview 10052021.doc	Get hash	malicious	Browse	198.54.122.60
	ORDER 10.05.doc	Get hash	malicious	Browse	198.54.122.60
	purchase request.doc	Get hash	malicious	Browse	198.54.122.60

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	Ko4zQgTBHv.exe	Get hash	malicious	Browse	198.54.122.60
	Purchase Order.exe	Get hash	malicious	Browse	198.54.126.165
	wed.doc	Get hash	malicious	Browse	198.54.122.60
	ORDER CONFIRMATION.doc	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.Packed2.43091.10004.exe	Get hash	malicious	Browse	198.54.122.60
	6e5c05e1_by_Libranalysis.exe	Get hash	malicious	Browse	198.54.122.60
	RFQ Plasma cutting machine.doc	Get hash	malicious	Browse	198.54.122.60
	Order 122001-220 guanzo.exe	Get hash	malicious	Browse	198.54.117.216
	main_setup_x86x64.exe	Get hash	malicious	Browse	162.255.119.164
	00098765123POIIU.exe	Get hash	malicious	Browse	199.192.23.253
	e8eRhf3GM0.xlsm	Get hash	malicious	Browse	185.61.154.27
	2021_May_Quotation_pdf.exe	Get hash	malicious	Browse	198.54.115.133
	337840b9_by_Libranalysis.exe	Get hash	malicious	Browse	198.54.122.60
	Citvonvhciktufwvyzyhistnewdjgsoqdr.exe	Get hash	malicious	Browse	198.54.117.212
	Updated Order list -804333.exe	Get hash	malicious	Browse	198.54.115.56
	NAVTECO_R1_10_05_2021,pdf.exe	Get hash	malicious	Browse	198.54.117.212
	BELLOW FABRICATION Dwg.exe	Get hash	malicious	Browse	199.188.200.15
	file.exe	Get hash	malicious	Browse	198.54.115.133
	scan of document 5336227.xlsm	Get hash	malicious	Browse	162.0.233.152
	vy38Kw9qRh.exe	Get hash	malicious	Browse	198.54.122.60

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Roaming\KcsilHD.exe	ORDER CONFIRMATION.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\W9YDH79i8G.exe.log Download File
Process:	C:\Users\user\Desktop\W9YDH79i8G.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmp4276.tmp Download File
Process:	C:\Users\user\Desktop\W9YDH79i8G.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1656
Entropy (8bit):	5.167020690421923
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBUtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3U
MD5:	AF08A3DA8E0E3155FF47F61E57B341B6
SHA1:	5348054A4725F8F5E7605998FFE8F700D1765F54
SHA-256:	42D91FCF4B78A320EB132A20C82AD4D51EE2FEC556E836D41473BB1AAEF5DB6A
SHA-512:	5EA07A7C08C1515CB655F2C21572F82F63F1065A27C7E8C9B5BEC29C4D1CDE2D99D2CDF432E2158EC89BC1F191BBB294F0B3C6DC0CD417F91E54CC29B29EE5B5
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv

C:\Users\user\AppData\Roaming\KcsilHD.exe Download File
Process:	C:\Users\user\Desktop\W9YDH79i8G.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846336
Entropy (8bit):	7.9780435401207574
Encrypted:	false
SSDEEP:	24576:imn4+yPg0Ip0DImJyhjDDRPm7C56SOyFhLlSb2:irZP5IaHkR+7C5iyFhLl0
MD5:	CDEBC3E47DB1DBEAC624DD329C1A9AE1
SHA1:	CEEE8FF397069A606B3BBEF0D54A4175A1DE9A0E
SHA-256:	0FA77EE6AF812F5513BF0AE73A02143A4ED3A037E884AECCC57576F460A9EA57
SHA-512:	A6397B1517BD85F13395B874188BB93D46C2E77DA9C054DC1F762441BA292D6CD54F9711CAE28A513B8AB58E4111C376724400E7A424AA12822D90032B38648A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 40%
Joe Sandbox View:	Filename: ORDER CONFIRMATION.doc, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`..............P.............J.... ........@.. .......................@............@.....................................O.......p.................... ....................................................... ............... ..H............text...X.... ...................... ..`.rsrc...p...........................@..@.reloc....... ......................@..B................,.......H.......@A...R....../........i............................................(.....0............(......o....o......,...(....(.........s....o ...(......(!.....,L....s"......o#...($.......U...(.......(......(.....io%...&....,..o&......+.....U...(..............L.3........0..Q.........(.........,A.(!...,..+....,..('.......((...s)......(....o........,..o&................3..B.......0..!.........u.........,...t....Q..+....+..*....0..@........r...p.(.....(.....i...(+....(....-.~,..

C:\Users\user\AppData\Roaming\KcsilHD.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\W9YDH79i8G.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9780435401207574
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	W9YDH79i8G.exe
File size:	846336
MD5:	cdebc3e47db1dbeac624dd329c1a9ae1
SHA1:	ceee8ff397069a606b3bbef0d54a4175a1de9a0e
SHA256:	0fa77ee6af812f5513bf0ae73a02143a4ed3a037e884aeccc57576f460a9ea57
SHA512:	a6397b1517bd85f13395b874188bb93d46c2e77da9c054dc1f762441ba292d6cd54f9711cae28a513b8ab58e4111c376724400e7a424aa12822d90032b38648a
SSDEEP:	24576:imn4+yPg0Ip0DImJyhjDDRPm7C56SOyFhLlSb2:irZP5IaHkR+7C5iyFhLl0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.............J.... ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4cfd4a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x609AF3E2 [Tue May 11 21:15:14 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
inc ebp
dec edi
push eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcfcf8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd0000	0x670	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcdd58	0xcde00	False	0.982190630692	data	7.98266183828	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xd0000	0x670	0x800	False	0.345703125	data	3.55057718956	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd2000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xd0090	0x3e0	data
RT_MANIFEST	0xd0480	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Barret 2017 - 2021
Assembly Version	1.0.0.0
InternalName	AsyncCausalityTracer.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments	Settings for TCP connections
ProductName	Framework - TCP Protocol
ProductVersion	1.0.0.0
FileDescription	Framework - TCP Protocol
OriginalFilename	AsyncCausalityTracer.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 18:35:29.670989990 CEST	49736	587	192.168.2.7	198.54.122.60
May 12, 2021 18:35:29.865370035 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:29.867326021 CEST	49736	587	192.168.2.7	198.54.122.60
May 12, 2021 18:35:30.099402905 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:30.099864960 CEST	49736	587	192.168.2.7	198.54.122.60
May 12, 2021 18:35:30.293721914 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:30.294054985 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:30.294796944 CEST	49736	587	192.168.2.7	198.54.122.60
May 12, 2021 18:35:30.488758087 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:30.533360958 CEST	49736	587	192.168.2.7	198.54.122.60
May 12, 2021 18:35:30.729345083 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:30.730861902 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:30.730899096 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:30.730920076 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:30.730942965 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:30.731009007 CEST	49736	587	192.168.2.7	198.54.122.60
May 12, 2021 18:35:30.771229029 CEST	49736	587	192.168.2.7	198.54.122.60
May 12, 2021 18:35:30.966413975 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:30.967308998 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:31.012789965 CEST	49736	587	192.168.2.7	198.54.122.60
May 12, 2021 18:35:31.056408882 CEST	49736	587	192.168.2.7	198.54.122.60
May 12, 2021 18:35:31.252953053 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:31.252980947 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:31.262046099 CEST	49736	587	192.168.2.7	198.54.122.60
May 12, 2021 18:35:31.455735922 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:31.456871033 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:31.457626104 CEST	49736	587	192.168.2.7	198.54.122.60
May 12, 2021 18:35:31.652164936 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:31.654834032 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:31.655723095 CEST	49736	587	192.168.2.7	198.54.122.60
May 12, 2021 18:35:31.849677086 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:31.852600098 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:31.853085041 CEST	49736	587	192.168.2.7	198.54.122.60
May 12, 2021 18:35:32.047009945 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:32.086910963 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:32.087454081 CEST	49736	587	192.168.2.7	198.54.122.60
May 12, 2021 18:35:32.281621933 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:32.282399893 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:32.287432909 CEST	49736	587	192.168.2.7	198.54.122.60
May 12, 2021 18:35:32.287549973 CEST	49736	587	192.168.2.7	198.54.122.60
May 12, 2021 18:35:32.287616968 CEST	49736	587	192.168.2.7	198.54.122.60
May 12, 2021 18:35:32.287689924 CEST	49736	587	192.168.2.7	198.54.122.60
May 12, 2021 18:35:32.481466055 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:32.570746899 CEST	587	49736	198.54.122.60	192.168.2.7
May 12, 2021 18:35:32.622329950 CEST	49736	587	192.168.2.7	198.54.122.60

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 18:33:38.219392061 CEST	62452	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:38.278716087 CEST	53	62452	8.8.8.8	192.168.2.7
May 12, 2021 18:33:38.310179949 CEST	57820	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:38.372602940 CEST	53	57820	8.8.8.8	192.168.2.7
May 12, 2021 18:33:38.889776945 CEST	50848	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:38.938575029 CEST	53	50848	8.8.8.8	192.168.2.7
May 12, 2021 18:33:40.599807978 CEST	61242	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:40.652945042 CEST	53	61242	8.8.8.8	192.168.2.7
May 12, 2021 18:33:41.375370026 CEST	58562	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:41.435806990 CEST	53	58562	8.8.8.8	192.168.2.7
May 12, 2021 18:33:41.682656050 CEST	56590	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:41.733218908 CEST	53	56590	8.8.8.8	192.168.2.7
May 12, 2021 18:33:42.993810892 CEST	60501	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:43.054022074 CEST	53	60501	8.8.8.8	192.168.2.7
May 12, 2021 18:33:44.013274908 CEST	53775	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:44.065963984 CEST	53	53775	8.8.8.8	192.168.2.7
May 12, 2021 18:33:44.978102922 CEST	51837	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:45.029982090 CEST	53	51837	8.8.8.8	192.168.2.7
May 12, 2021 18:33:46.354953051 CEST	55411	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:46.405982971 CEST	53	55411	8.8.8.8	192.168.2.7
May 12, 2021 18:33:47.701719046 CEST	63668	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:47.750437021 CEST	53	63668	8.8.8.8	192.168.2.7
May 12, 2021 18:33:49.096115112 CEST	54640	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:49.144995928 CEST	53	54640	8.8.8.8	192.168.2.7
May 12, 2021 18:33:51.494324923 CEST	58739	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:51.546130896 CEST	53	58739	8.8.8.8	192.168.2.7
May 12, 2021 18:33:53.428333998 CEST	60338	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:53.478770018 CEST	53	60338	8.8.8.8	192.168.2.7
May 12, 2021 18:33:54.205084085 CEST	58717	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:54.253799915 CEST	53	58717	8.8.8.8	192.168.2.7
May 12, 2021 18:33:55.399101019 CEST	59762	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:55.450783968 CEST	53	59762	8.8.8.8	192.168.2.7
May 12, 2021 18:33:57.007155895 CEST	54329	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:57.056205988 CEST	53	54329	8.8.8.8	192.168.2.7
May 12, 2021 18:33:57.853051901 CEST	58052	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:57.904751062 CEST	53	58052	8.8.8.8	192.168.2.7
May 12, 2021 18:33:58.752854109 CEST	54008	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:58.801477909 CEST	53	54008	8.8.8.8	192.168.2.7
May 12, 2021 18:33:59.546153069 CEST	59451	53	192.168.2.7	8.8.8.8
May 12, 2021 18:33:59.594888926 CEST	53	59451	8.8.8.8	192.168.2.7
May 12, 2021 18:34:01.312114954 CEST	52914	53	192.168.2.7	8.8.8.8
May 12, 2021 18:34:01.360932112 CEST	53	52914	8.8.8.8	192.168.2.7
May 12, 2021 18:34:03.235868931 CEST	64569	53	192.168.2.7	8.8.8.8
May 12, 2021 18:34:03.297327995 CEST	53	64569	8.8.8.8	192.168.2.7
May 12, 2021 18:34:03.376880884 CEST	52816	53	192.168.2.7	8.8.8.8
May 12, 2021 18:34:03.425638914 CEST	53	52816	8.8.8.8	192.168.2.7
May 12, 2021 18:34:04.312475920 CEST	50781	53	192.168.2.7	8.8.8.8
May 12, 2021 18:34:04.361272097 CEST	53	50781	8.8.8.8	192.168.2.7
May 12, 2021 18:34:05.374078989 CEST	54230	53	192.168.2.7	8.8.8.8
May 12, 2021 18:34:05.422889948 CEST	53	54230	8.8.8.8	192.168.2.7
May 12, 2021 18:34:16.277774096 CEST	54911	53	192.168.2.7	8.8.8.8
May 12, 2021 18:34:16.346321106 CEST	53	54911	8.8.8.8	192.168.2.7
May 12, 2021 18:34:27.371154070 CEST	49958	53	192.168.2.7	8.8.8.8
May 12, 2021 18:34:27.430054903 CEST	53	49958	8.8.8.8	192.168.2.7
May 12, 2021 18:34:33.539928913 CEST	50860	53	192.168.2.7	8.8.8.8
May 12, 2021 18:34:33.588852882 CEST	53	50860	8.8.8.8	192.168.2.7
May 12, 2021 18:34:33.686065912 CEST	50452	53	192.168.2.7	8.8.8.8
May 12, 2021 18:34:33.743349075 CEST	53	50452	8.8.8.8	192.168.2.7
May 12, 2021 18:34:58.687050104 CEST	59730	53	192.168.2.7	8.8.8.8
May 12, 2021 18:34:58.746838093 CEST	53	59730	8.8.8.8	192.168.2.7
May 12, 2021 18:35:02.738291979 CEST	59310	53	192.168.2.7	8.8.8.8
May 12, 2021 18:35:02.801356077 CEST	53	59310	8.8.8.8	192.168.2.7
May 12, 2021 18:35:23.399950981 CEST	51919	53	192.168.2.7	8.8.8.8
May 12, 2021 18:35:23.548990965 CEST	53	51919	8.8.8.8	192.168.2.7
May 12, 2021 18:35:24.151328087 CEST	64296	53	192.168.2.7	8.8.8.8
May 12, 2021 18:35:24.210515976 CEST	53	64296	8.8.8.8	192.168.2.7
May 12, 2021 18:35:24.819634914 CEST	56680	53	192.168.2.7	8.8.8.8
May 12, 2021 18:35:24.876698017 CEST	53	56680	8.8.8.8	192.168.2.7
May 12, 2021 18:35:25.079459906 CEST	58820	53	192.168.2.7	8.8.8.8
May 12, 2021 18:35:25.157521963 CEST	53	58820	8.8.8.8	192.168.2.7
May 12, 2021 18:35:25.492592096 CEST	60983	53	192.168.2.7	8.8.8.8
May 12, 2021 18:35:25.617566109 CEST	53	60983	8.8.8.8	192.168.2.7
May 12, 2021 18:35:26.262207985 CEST	49247	53	192.168.2.7	8.8.8.8
May 12, 2021 18:35:26.319638968 CEST	53	49247	8.8.8.8	192.168.2.7
May 12, 2021 18:35:26.979278088 CEST	52286	53	192.168.2.7	8.8.8.8
May 12, 2021 18:35:27.039125919 CEST	53	52286	8.8.8.8	192.168.2.7
May 12, 2021 18:35:27.696122885 CEST	56064	53	192.168.2.7	8.8.8.8
May 12, 2021 18:35:27.754156113 CEST	53	56064	8.8.8.8	192.168.2.7
May 12, 2021 18:35:28.996915102 CEST	63744	53	192.168.2.7	8.8.8.8
May 12, 2021 18:35:29.056936979 CEST	53	63744	8.8.8.8	192.168.2.7
May 12, 2021 18:35:29.559542894 CEST	61457	53	192.168.2.7	8.8.8.8
May 12, 2021 18:35:29.616543055 CEST	53	61457	8.8.8.8	192.168.2.7
May 12, 2021 18:35:30.227416992 CEST	58367	53	192.168.2.7	8.8.8.8
May 12, 2021 18:35:30.292738914 CEST	53	58367	8.8.8.8	192.168.2.7
May 12, 2021 18:35:30.789813042 CEST	60599	53	192.168.2.7	8.8.8.8
May 12, 2021 18:35:30.840092897 CEST	53	60599	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 18:35:29.559542894 CEST	192.168.2.7	8.8.8.8	0x264a	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 12, 2021 18:35:29.616543055 CEST	8.8.8.8	192.168.2.7	0x264a	No error (0)	mail.privateemail.com		198.54.122.60	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 12, 2021 18:35:30.099402905 CEST	587	49736	198.54.122.60	192.168.2.7	220 PrivateEmail.com Mail Node
May 12, 2021 18:35:30.099864960 CEST	49736	587	192.168.2.7	198.54.122.60	EHLO 899552
May 12, 2021 18:35:30.294054985 CEST	587	49736	198.54.122.60	192.168.2.7	250-MTA-09.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 STARTTLS
May 12, 2021 18:35:30.294796944 CEST	49736	587	192.168.2.7	198.54.122.60	STARTTLS
May 12, 2021 18:35:30.488758087 CEST	587	49736	198.54.122.60	192.168.2.7	220 Ready to start TLS

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: W9YDH79i8G.exe PID: 5656 Parent PID: 5776

General

Start time:	18:33:45
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\W9YDH79i8G.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\W9YDH79i8G.exe'
Imagebase:	0xf00000
File size:	846336 bytes
MD5 hash:	CDEBC3E47DB1DBEAC624DD329C1A9AE1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.252742797.0000000003334000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.254574303.00000000042F9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.254574303.00000000042F9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.254886399.0000000004412000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.254886399.0000000004412000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6168 Parent PID: 5656

General

Start time:	18:33:51
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KcsilHD' /XML 'C:\Users\user\AppData\Local\Temp\tmp4276.tmp'
Imagebase:	0xb80000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6188 Parent PID: 6168

General

Start time:	18:33:52
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: W9YDH79i8G.exe PID: 6232 Parent PID: 5656

General

Start time:	18:33:53
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\W9YDH79i8G.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\W9YDH79i8G.exe
Imagebase:	0x240000
File size:	846336 bytes
MD5 hash:	CDEBC3E47DB1DBEAC624DD329C1A9AE1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: W9YDH79i8G.exe PID: 6248 Parent PID: 5656

General

Start time:	18:33:54
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\W9YDH79i8G.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\W9YDH79i8G.exe
Imagebase:	0x320000
File size:	846336 bytes
MD5 hash:	CDEBC3E47DB1DBEAC624DD329C1A9AE1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: W9YDH79i8G.exe PID: 6280 Parent PID: 5656

General

Start time:	18:33:54
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\W9YDH79i8G.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\W9YDH79i8G.exe
Imagebase:	0x140000
File size:	846336 bytes
MD5 hash:	CDEBC3E47DB1DBEAC624DD329C1A9AE1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: W9YDH79i8G.exe PID: 6316 Parent PID: 5656

General

Start time:	18:33:55
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\W9YDH79i8G.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\W9YDH79i8G.exe
Imagebase:	0xf20000
File size:	846336 bytes
MD5 hash:	CDEBC3E47DB1DBEAC624DD329C1A9AE1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.497630354.0000000003251000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.497630354.0000000003251000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.494321847.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.494321847.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.497673320.0000000003286000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.497762134.00000000032B3000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: W9YDH79i8G.exe PID: 5656 Parent PID: 5776 W9YDH79i8G.exeCOMMON

Executed Functions

Function 0BCE3048, Relevance: 2.7, Strings: 2, Instructions: 222COMMON

Download Yara Rule

Strings

b46r, xrefs: 0BCE309D
GQ[, xrefs: 0BCE3190

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID: GQ[$b46r
API String ID: 0-3196810998
Opcode ID: 259a7be1091b4b9379c7be0ba59334db5ace986a7c499f34381e73515bf88f90
Instruction ID: 81354c90bb0c1828951c75de20aa62e8c5539c97d5a997a07bda106d008bae59
Opcode Fuzzy Hash: 259a7be1091b4b9379c7be0ba59334db5ace986a7c499f34381e73515bf88f90
Instruction Fuzzy Hash: 0591F674E15249CFCB05DFEAD5855AEFBB2EF89700F20942AD425BB314D734AA028F94

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE3039, Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

b46r, xrefs: 0BCE309D
GQ[, xrefs: 0BCE3190

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID: GQ[$b46r
API String ID: 0-3196810998
Opcode ID: 506eb2feb141cc934c2ababe6379d51b41ffe171e3545c481baf23aefc19ef40
Instruction ID: 1f87a84a606716fa2c4f3d883923075dee3c3dc3e1be4d3ffda3d296e8a08a8e
Opcode Fuzzy Hash: 506eb2feb141cc934c2ababe6379d51b41ffe171e3545c481baf23aefc19ef40
Instruction Fuzzy Hash: ED91F575E15249CFCB05CFEAD5855AEBBF2EF89700F20942AD425BB314E734AA028F54

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE511C, Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

8T, xrefs: 0BCE52FF
8T, xrefs: 0BCE52F8

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID: 8T$8T
API String ID: 0-3743047583
Opcode ID: c63ae783e8cd453e593d3e43ca0b54e20b96ee880bf075f76e3bcfa9d15d4be6
Instruction ID: 41ce70f8e66a816770a25ab00c7235de8f2fc97e0ab86d246f67e4523bcd6fb8
Opcode Fuzzy Hash: c63ae783e8cd453e593d3e43ca0b54e20b96ee880bf075f76e3bcfa9d15d4be6
Instruction Fuzzy Hash: 02616B70D29208DFCB14CFE6D5845AEFBB2FB99314F10A519E026BB204E7349942CF24

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE18E8, Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

Zl_O, xrefs: 0BCE1A5A

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID: Zl_O
API String ID: 0-528031492
Opcode ID: e98b8c84dc9e806036f8a91a8ca30ce3a9a113c2e4ebe7edde7ed655b1f9799d
Instruction ID: ca65481cd1426ff0224d722ceb962c6ce5ecefc40ed370a828db7ebb450b2034
Opcode Fuzzy Hash: e98b8c84dc9e806036f8a91a8ca30ce3a9a113c2e4ebe7edde7ed655b1f9799d
Instruction Fuzzy Hash: D1416A74E15208DBCB08CFA5D9456EEBBF2FF8D200F14942AE426B7314DB3499118B24

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE18F8, Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

Zl_O, xrefs: 0BCE1A5A

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID: Zl_O
API String ID: 0-528031492
Opcode ID: 7edde2823a0eb3ec547694b6a99e4e03f160ccf67745e53bd9f22dacd1680de1
Instruction ID: e12b3edf474b39cf29a57042d0764a8bf5099f8c225683d295272ec6ccbb906b
Opcode Fuzzy Hash: 7edde2823a0eb3ec547694b6a99e4e03f160ccf67745e53bd9f22dacd1680de1
Instruction Fuzzy Hash: A1415B70E26218DBCB08CFA6D9456EEBBF2FFCD600F149429E426B7214DB3499118B64

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE1FA8, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a89b00d2b08a996b2852df7477768ebbcdadd7d7a07835e10e4d9baa54c735
Instruction ID: f9aa083ffcdf5a9fec0ad11c5d85865dbd42be3cf4039ce4a9aea6b9f5a18e9b
Opcode Fuzzy Hash: 97a89b00d2b08a996b2852df7477768ebbcdadd7d7a07835e10e4d9baa54c735
Instruction Fuzzy Hash: A0D12874E11208DFDB04CFA5D985B9DFBB6FB89700F209429E41ABB394DB75A901CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE1FB8, Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ae26e18213cd285da7ad00a2f32d1fd37505684f0a38ab3eb0929910fbfa40
Instruction ID: a9d8117b15fe861988d34230aad53333e57a931fcfc2da90db08f6bc010b4ce6
Opcode Fuzzy Hash: 43ae26e18213cd285da7ad00a2f32d1fd37505684f0a38ab3eb0929910fbfa40
Instruction Fuzzy Hash: 10D11774E16208DFDB04CFA5D941B9DFBB6FB89700F209429E41ABB394DB74A901CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE25C0, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b815d6ab7d7b71fa95cb30e772d73b2d5b2a6d6b2f5238d830f382262aaf710
Instruction ID: 8f58fc9d41bf3da75c24fe52976521b48830ba3a368d2377a2e53e18b11b07d6
Opcode Fuzzy Hash: 7b815d6ab7d7b71fa95cb30e772d73b2d5b2a6d6b2f5238d830f382262aaf710
Instruction Fuzzy Hash: E7810674E11218DFDB08DFE5D8556AEBBB6FF89300F20856AE41AAB354DB349902CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE25D0, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25dea794f3f560a160ba00fced4ce8e8feb7d6d2b98b29022a267b7804545cc6
Instruction ID: 525261c686766fa7e501582b951210a7fbb1f50b029f6c118bf48faa8975bff8
Opcode Fuzzy Hash: 25dea794f3f560a160ba00fced4ce8e8feb7d6d2b98b29022a267b7804545cc6
Instruction Fuzzy Hash: B7810574E11218DFDB08DFE5D8555AEBBB6FF89300F20856AE42AAB354DB349902CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE1578, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85be59bb12d3395872df1bc751bda1a71d8c59a355b0ae2c88e1d8cd02744a7a
Instruction ID: 59ad535179c9792b67b8bcdc8a7d3e3afa3ff9679680344e7e7270145026b241
Opcode Fuzzy Hash: 85be59bb12d3395872df1bc751bda1a71d8c59a355b0ae2c88e1d8cd02744a7a
Instruction Fuzzy Hash: 79319E30E25118DFCF08CFA5D9445EDBBF6EB8D300F18952AD016B7354D73499118B28

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE1588, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b644fac0f5d2fcf378e730edefc31b670d3befff35b82a61eedbf4e456557094
Instruction ID: 223bf132b6a01ec06c69579dbadd348d17f7c9f3611070689e25c7e58cfecc35
Opcode Fuzzy Hash: b644fac0f5d2fcf378e730edefc31b670d3befff35b82a61eedbf4e456557094
Instruction Fuzzy Hash: 04317E70E25118DFCB08CFAAD9445EDBBF6EB8D300F18A52AD426B7354DB3499118B28

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE62C8, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa63a46a46b48df68f3f7a2fb74729344d1dfb35eba8baff775455bcc3bdc39
Instruction ID: f0c4d7781b4fc06af9d11329850fe0753ad12be4a98cd7c5e0775ca69e8a1576
Opcode Fuzzy Hash: 8aa63a46a46b48df68f3f7a2fb74729344d1dfb35eba8baff775455bcc3bdc39
Instruction Fuzzy Hash: BD117C71C25258CBCB148FA5D809BEEBBF0BB0E325F149579E461B3280C7788A44CB79

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE62D8, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd4648ecd18587f77b6608ff25496bc752de8f38a4ba51d8b3e0f0fd45df04a
Instruction ID: ad2e4ae13ad22ab92303512e4174e1cacfa915e0e3c349b029883e4e878a31a4
Opcode Fuzzy Hash: 9cd4648ecd18587f77b6608ff25496bc752de8f38a4ba51d8b3e0f0fd45df04a
Instruction Fuzzy Hash: 53112730D25258CBDB14CFA6C418BEEBAF1BB4E325F14907AD425B3290C7788A44CB79

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE638C, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e68b5029e1049465d35a1c65660752b629f0743f66e5ff66cbdb434f07250bc8
Instruction ID: 858d3211fc4c5bcbc6381291ba234b2888dfc5d97b1b35f0ecbba3e9ed8df54b
Opcode Fuzzy Hash: e68b5029e1049465d35a1c65660752b629f0743f66e5ff66cbdb434f07250bc8
Instruction Fuzzy Hash: 07E068A28BD295CBC3008FE08C585BAFF70FB27241F1450AAD071F3192C7688101D771

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE0380, Relevance: 1.7, APIs: 1, Instructions: 246processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0BCE05BE

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6d06b379059f708aafd5738bccd6c861de42198290e5be70bae6922931e9d204
Instruction ID: f57d005a14da2efa83354b36aed9c5edb58403e260bdd348da0fd39f796b4b1d
Opcode Fuzzy Hash: 6d06b379059f708aafd5738bccd6c861de42198290e5be70bae6922931e9d204
Instruction Fuzzy Hash: 0A915E71D11219CFDF10CFA4C9827EEBBB2BF44314F058569E869A7240DB749A85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE0388, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0BCE05BE

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ba7f2bef6a4346c22fdd3a654de2e6ecfac66ccd09c007bf878b6a79ccdb9666
Instruction ID: f0cd177d576f199ee6b0930c9827a00f6864c2dcf396c511040c6b0dad2d67dc
Opcode Fuzzy Hash: ba7f2bef6a4346c22fdd3a654de2e6ecfac66ccd09c007bf878b6a79ccdb9666
Instruction Fuzzy Hash: 1F915F71D11219CFDF10CFA4C9827EEBBB2BF44314F058569D869A7240DB749A85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE0006, Relevance: 1.6, APIs: 1, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0BCE00AE

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e2a0529eef78ee9765581ee88b82fe77f5b50590e21e3be04f554243082e6bab
Instruction ID: ec28d4a382753115a9dc1b68d081564ed9a67f6d4d73f49bf2054e381fe71403
Opcode Fuzzy Hash: e2a0529eef78ee9765581ee88b82fe77f5b50590e21e3be04f554243082e6bab
Instruction Fuzzy Hash: A021BC718083898FCB11CFA5C891BDEBFF1EF4A328F14885AD555AB251C779A805CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE00F8, Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0BCE0190

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0f097e3e9d10eddbdfda4ae86841e0b890dc67632b113c1fdb4eae0aa673271e
Instruction ID: 582b4af0e042edc3db20fbe0654f3ba5d5bd63fdac52dfff59640b50f1c17b05
Opcode Fuzzy Hash: 0f097e3e9d10eddbdfda4ae86841e0b890dc67632b113c1fdb4eae0aa673271e
Instruction Fuzzy Hash: 0F2157B19003499FCF10CFA9C885BEEBBF5FF48314F048829E919A7240C778A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE0100, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0BCE0190

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7a014464985cbe6421194774ea12fb7e9cce86ad13fda4cb652b02ac2d0a0367
Instruction ID: 8215f324db7718d5266279b2ca72762e407d2839bf442faae74d49b993cb33bc
Opcode Fuzzy Hash: 7a014464985cbe6421194774ea12fb7e9cce86ad13fda4cb652b02ac2d0a0367
Instruction Fuzzy Hash: 6D2125B19003599FCF10CFA9C885BEEBBF5FF48314F04882AE958A7240D7789954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE01E9, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0BCE0270

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 37049f098ba3de96634a4c6a8e8c507df49751504163c400ca3f6a0b08af3ab2
Instruction ID: 3994d749348ea891e1ee217c941bbaf883704000366f58e5262fc789a2d1bba4
Opcode Fuzzy Hash: 37049f098ba3de96634a4c6a8e8c507df49751504163c400ca3f6a0b08af3ab2
Instruction Fuzzy Hash: 582116B18003599FCF10CFAAC885BEEBBF5FF48314F548429E919A7240C7789944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE01F0, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0BCE0270

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c0dae2bf7635da335671def24d6455d78732b4438f3d28f116cd118c94e9ccc6
Instruction ID: 0df4013c7984246ebfe5a1a3edc65b3b88415ac9104fd263eb232ba0c8f75a04
Opcode Fuzzy Hash: c0dae2bf7635da335671def24d6455d78732b4438f3d28f116cd118c94e9ccc6
Instruction Fuzzy Hash: 9A2116B18002599FCB10CFAAC885AEEBBF5FF48314F548429E518A7240C7789944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE0040, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0BCE00AE

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9d45cc78694d8b1b1bf02f782fe839f0811932dee42f0b0af74243b46fc6d07f
Instruction ID: 42488cf4dc5f93671d0eb9e5a999c56815d5178ec2c801ee92194e79fb8e2018
Opcode Fuzzy Hash: 9d45cc78694d8b1b1bf02f782fe839f0811932dee42f0b0af74243b46fc6d07f
Instruction Fuzzy Hash: C41137719002489FCF10CFAAC845BDFBBF5EF48324F148819E515A7250C775A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE4B68, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0BCE5725

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 12dfb92578e6d05e6741ff315cb014023b9b733d6d346061efd3151c2456da62
Instruction ID: 29a5186191636a64a1fe89c36b1ee7381080ef15822bbfe89c1a0776372b7917
Opcode Fuzzy Hash: 12dfb92578e6d05e6741ff315cb014023b9b733d6d346061efd3151c2456da62
Instruction Fuzzy Hash: 5A11F2B5810348DFCB10CF9AD989BDEBBF8EB58324F148459E528A7200C374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE56C0, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0BCE5725

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6e84597e93ba545f1bc0bdd507c806cdbc7ff2e797809aacefd65230db988fc2
Instruction ID: 2918dbd7e8dbfe56665aa0ac55b4b3081808ba30120ca0230bcd656629460ad7
Opcode Fuzzy Hash: 6e84597e93ba545f1bc0bdd507c806cdbc7ff2e797809aacefd65230db988fc2
Instruction Fuzzy Hash: F311F2B5810249DFDB10CF9AD989BDEBBF8EB58328F148859E418B7200C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0178D4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252364763.000000000178D000.00000040.00000001.sdmp, Offset: 0178D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a265790dc6d378693ad41a73037aa2d8fc923278cda4b69bb9eb971c140b3e77
Instruction ID: 79e7466a5546337cf7389900e104494a757545cc3a5d5bd182fe021dbe2c42fb
Opcode Fuzzy Hash: a265790dc6d378693ad41a73037aa2d8fc923278cda4b69bb9eb971c140b3e77
Instruction Fuzzy Hash: D42138B1584200DFDB25EF94D4C0B16FF61FB84328F3485A9E9094B246C376D805CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0179D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252404514.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe2a2e615ac284e7040892ee828f1eee2fd648e09f70829b411aeb2f48433c0
Instruction ID: 61bc19ac34400a679a67f196d08d58fff4bb3c0ae48316b6c31a1d1a6a99b520
Opcode Fuzzy Hash: bfe2a2e615ac284e7040892ee828f1eee2fd648e09f70829b411aeb2f48433c0
Instruction Fuzzy Hash: E52125B5504204DFDF25CFA8E4C4B16FB61FB88354F24C5A9E94A4B246C376D80ACA61

Uniqueness

Uniqueness Score: -1.00%

Function 0178D49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252364763.000000000178D000.00000040.00000001.sdmp, Offset: 0178D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28d7f9b6c052c6bf27c54b29b78abe899c0e928c1954ef857855ef63c427eb8
Instruction ID: fc0412b00834bac317c5c4d012a7a1884a41943dffed316034c6639b541e4509
Opcode Fuzzy Hash: c28d7f9b6c052c6bf27c54b29b78abe899c0e928c1954ef857855ef63c427eb8
Instruction Fuzzy Hash: 3F11DFB6844280CFCB12DF44D5C4B16FF71FB84324F3882AAD8054B256C336D556CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0179D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252404514.000000000179D000.00000040.00000001.sdmp, Offset: 0179D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1c577071c2d0f69f9c0c2e3af2bcc6dc79f4eb61d5675d3e9761bf736dafb1
Instruction ID: ad56cbc9a2c803ff8bc2dc4a54492575f2dc2cc77b2e78f3ddd5c83f419fd823
Opcode Fuzzy Hash: ac1c577071c2d0f69f9c0c2e3af2bcc6dc79f4eb61d5675d3e9761bf736dafb1
Instruction Fuzzy Hash: 9D118E75504280DFDB22CF58E5D4B15FB61FB48314F28C6A9D8494B656C33AD44ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0178D731, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252364763.000000000178D000.00000040.00000001.sdmp, Offset: 0178D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7c96d23750334b6aa5022be8b66852fc8f5ccebd3a36581597ad942e67b2fe
Instruction ID: 13c66d404834ef62bfaee4c587708e80e82f3ce0c1bc52ffe4c2a6a119e3990c
Opcode Fuzzy Hash: 1d7c96d23750334b6aa5022be8b66852fc8f5ccebd3a36581597ad942e67b2fe
Instruction Fuzzy Hash: 5401A771448384AAE7207A66CDC4766FB98EF81724F18C55AEE045A2C2C3799844D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0178D730, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252364763.000000000178D000.00000040.00000001.sdmp, Offset: 0178D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1edf8476694f43125d0b8b8839a6bd5844f46219df2962fabe50e4562b9a89e
Instruction ID: 325dd6dd3ba65fe66f1315207c671a8910eabdff5e4ca3db9d80d81aafdf5f15
Opcode Fuzzy Hash: d1edf8476694f43125d0b8b8839a6bd5844f46219df2962fabe50e4562b9a89e
Instruction Fuzzy Hash: B4F0F671404384AEE7209B1ACCC4B67FFE8EB81734F18C55AED085B282C3789844CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0BCE3408, Relevance: 5.2, Strings: 4, Instructions: 157COMMON

Download Yara Rule

Strings

Z=G, xrefs: 0BCE3593
P, xrefs: 0BCE46E0
Z=G, xrefs: 0BCE468D
Z=G, xrefs: 0BCE3492

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID: Z=G$Z=G$Z=G$P
API String ID: 0-2054813298
Opcode ID: 76296b72c6697f344d365c1707e8acef32094f7aac8a4ca2858d22e3dfa9da55
Instruction ID: 7b7282d9aa8bb8779eb5252759b81859acaa1ccc73029fd14b175386bceca92c
Opcode Fuzzy Hash: 76296b72c6697f344d365c1707e8acef32094f7aac8a4ca2858d22e3dfa9da55
Instruction Fuzzy Hash: 06512B71D14669CBDB29CF66C8447AEFBB6BFC9301F14C1AAC41DA7214EB305A858F14

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE33F8, Relevance: 5.2, Strings: 4, Instructions: 150COMMON

Download Yara Rule

Strings

Z=G, xrefs: 0BCE3593
P, xrefs: 0BCE46E0
Z=G, xrefs: 0BCE468D
Z=G, xrefs: 0BCE3492

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID: Z=G$Z=G$Z=G$P
API String ID: 0-2054813298
Opcode ID: c06d0f080d47af09a6b26313b6b468a608835c4a939903b8e48cd222064121c3
Instruction ID: 0e99dfc034e47ec39e92a7c3be319f2a417ce418344df1bed56d3354a39f7206
Opcode Fuzzy Hash: c06d0f080d47af09a6b26313b6b468a608835c4a939903b8e48cd222064121c3
Instruction Fuzzy Hash: 08512871E1466ACBDB28CF66C84479EFBB6BFC9301F14C5AAC41DA7214EB305A858F14

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE35C1, Relevance: 5.1, Strings: 4, Instructions: 129COMMON

Download Yara Rule

Strings

Z=G, xrefs: 0BCE3593
P, xrefs: 0BCE46E0
Z=G, xrefs: 0BCE468D
Z=G, xrefs: 0BCE3492

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID: Z=G$Z=G$Z=G$P
API String ID: 0-2054813298
Opcode ID: c8a41616f453a7236629c19deabf52a591455a388f76d358bc99c6c0df6a668e
Instruction ID: 960b1569982c4b31ed7fab1897c3d1e900f74e4a97ee16e42762e85632335e27
Opcode Fuzzy Hash: c8a41616f453a7236629c19deabf52a591455a388f76d358bc99c6c0df6a668e
Instruction Fuzzy Hash: 5F512574E1466ACBCB64CF66C844BDDFBB2BF89301F1085EAD419A7200EB309A858F14

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE3626, Relevance: 5.1, Strings: 4, Instructions: 121COMMON

Download Yara Rule

Strings

Z=G, xrefs: 0BCE3593
P, xrefs: 0BCE46E0
Z=G, xrefs: 0BCE468D
Z=G, xrefs: 0BCE3492

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID: Z=G$Z=G$Z=G$P
API String ID: 0-2054813298
Opcode ID: 15e6380e45a92cd9101131fd27e37ac17e3bd283369ff47a188af3de12e0d2d2
Instruction ID: 3c29678806af920358a76d159914c868b2dcec7e681991c9c9203787da99845e
Opcode Fuzzy Hash: 15e6380e45a92cd9101131fd27e37ac17e3bd283369ff47a188af3de12e0d2d2
Instruction Fuzzy Hash: BE5129B1D1466ACBDB24CF66C940BDDF7B6FB89301F1085EAC429A7200E7345AD58F24

Uniqueness

Uniqueness Score: -1.00%

Function 00F02E25, Relevance: 2.6, Instructions: 2646COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251439775.0000000000F02000.00000002.00020000.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.251429004.0000000000F00000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9818b2ddb98142aa805eb33d62377772c7c6d037c8395c8425bf18698ccb93
Instruction ID: fd2f053997537290722bd3cfdbfe05283ec6000cb085a0810664549bc1262f2b
Opcode Fuzzy Hash: ba9818b2ddb98142aa805eb33d62377772c7c6d037c8395c8425bf18698ccb93
Instruction Fuzzy Hash: 9033466244F3C25FC7138B749CB5691BFB1AE5721471E09CBD4C0CF0A3E2196A6AE762

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE0710, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb901819e95bb49ef8b94752cb6410ae886cdff7c35825c22d727d463370d1b
Instruction ID: 7e450e8ffbb8502ce7ffbe39c9e39984a90508ea970280fb6dd70fba2ba677e9
Opcode Fuzzy Hash: 9fb901819e95bb49ef8b94752cb6410ae886cdff7c35825c22d727d463370d1b
Instruction Fuzzy Hash: 594145B0D1521ACBDB14CFD6D94539EFBB2BB88304F109069C419BB298E7B94A49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0BCE0700, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259654623.000000000BCE0000.00000040.00000001.sdmp, Offset: 0BCE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22524789915e2b84e7b836aa428cc170797be8e210a74e8968d92e452595e13
Instruction ID: 50fa9d64d00bfcc3abf74b2e440558a30bcdacfd2b247d903ad51b2f8fa7c38c
Opcode Fuzzy Hash: f22524789915e2b84e7b836aa428cc170797be8e210a74e8968d92e452595e13
Instruction Fuzzy Hash: 9B4159B0D15219CBDB14CFD6C94679EFBF1BB88304F109069C415BB294D7B98A49CF94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: W9YDH79i8G.exe PID: 6316 Parent PID: 5656 W9YDH79i8G.exeCOMMON

Executed Functions

Function 017011B0, Relevance: 2.3, APIs: 1, Instructions: 760libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01701938

Memory Dump Source

Source File: 00000007.00000002.496564235.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4cf4cf147f6de31d9fc6a4938b6e8aa4617032343823590e4ac41d93573ec33a
Instruction ID: 7a89057f22149a8b5ed62ccdf6fc7f7ae4ed035adcf7dd3ec7e53895d44c9c51
Opcode Fuzzy Hash: 4cf4cf147f6de31d9fc6a4938b6e8aa4617032343823590e4ac41d93573ec33a
Instruction Fuzzy Hash: 1D62F871E007198FDB25EF78C95469DB7F2AF89300F5085AAD50AAB354EF30AA85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 014C5608, Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.495371752.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63ee4993dc0308cd915ce407086dab878145ce112b1f937a9f4056a30cf5b01
Instruction ID: 62a1f4acf172849c1e00ec64d42bc610093e160023f1795975d0bcb8e8444cc5
Opcode Fuzzy Hash: f63ee4993dc0308cd915ce407086dab878145ce112b1f937a9f4056a30cf5b01
Instruction Fuzzy Hash: 2FF13C38A00209CFDB54DFA9C894B9EBBF1BF88714F15856AE409AF365DB74A845CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01706948, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 01708C53

Memory Dump Source

Source File: 00000007.00000002.496564235.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: a07749336450ed1957f262825addd3ba9b7a47b1cb5bc8351a5ddc964ca7e040
Instruction ID: 4da6a134389e9b28993dfd7a132283816ba283e928d02c1ba062742246080935
Opcode Fuzzy Hash: a07749336450ed1957f262825addd3ba9b7a47b1cb5bc8351a5ddc964ca7e040
Instruction Fuzzy Hash: A92134B5D042489FCB10CF9AC844BEEFBF4FB88314F148869E419A7280CB74A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01730A70, Relevance: 6.9, APIs: 4, Instructions: 911libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: d71cbfb4d9efba42470724879b2ebd93005b937bc549a850dd86a8905f5bce4e
Instruction ID: 5f9e0cbcc812eb7f00a90a5ccf7f9b30c26bcb98e176d04fb2dda635aed4972f
Opcode Fuzzy Hash: d71cbfb4d9efba42470724879b2ebd93005b937bc549a850dd86a8905f5bce4e
Instruction Fuzzy Hash: 96922874A14228CFCB64EF24D85879DBBB6BF88205F5080EAE50AA3354DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730A91, Relevance: 6.6, APIs: 4, Instructions: 584libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 0f4bd456ff895d9d9b0d35134a14c19471b6b00fdb09f0ce408e38df6822a28c
Instruction ID: 9a411bcd607b4cd219b54dd675bad77c617626aad32e36b0e451061bdcf919cd
Opcode Fuzzy Hash: 0f4bd456ff895d9d9b0d35134a14c19471b6b00fdb09f0ce408e38df6822a28c
Instruction Fuzzy Hash: 25520874A14228CFCB65DF24D85879DBBB6BF88209F5080EAE50EA3354DB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730AD6, Relevance: 6.6, APIs: 4, Instructions: 577libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 13769cee966eceb029fd5dddc571fea56cb1b50a4f4f483ab935ec80575aa2d1
Instruction ID: 6bc8322556944ea7021f3c2f9b37dbac415e2d98c9969cde1b475275a0fda8a5
Opcode Fuzzy Hash: 13769cee966eceb029fd5dddc571fea56cb1b50a4f4f483ab935ec80575aa2d1
Instruction Fuzzy Hash: 3842F774A14228CFCB65DF24D85879DBBB6BF88209F5080EAE50EA3354DB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730B1B, Relevance: 6.6, APIs: 4, Instructions: 570libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 1abf8fc47c23010f210d614ef66a6b25ac019959d2d003af11e2aebd8e265bcd
Instruction ID: 55c10b48bf7bce3795fe85611994ebe63b07ad631a26adb87bf5dcee1941b09e
Opcode Fuzzy Hash: 1abf8fc47c23010f210d614ef66a6b25ac019959d2d003af11e2aebd8e265bcd
Instruction Fuzzy Hash: AA42F874A14228CFCB65DF24D85879DBBB6BF88209F5080EAE50EA3354DB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730B60, Relevance: 6.6, APIs: 4, Instructions: 563libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: a20e447208885b2f11315e162cf95eb26c2699335960191edbc19cc6ce281b38
Instruction ID: 56f3e0a75a8a10f8708755d7a65eadd13914d0915787c4a771e1484defb5b7a2
Opcode Fuzzy Hash: a20e447208885b2f11315e162cf95eb26c2699335960191edbc19cc6ce281b38
Instruction Fuzzy Hash: 5442F874A14228CFCB65DF24D85879DBBB6BF88209F5080EAE50EA3354DB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730BA5, Relevance: 6.6, APIs: 4, Instructions: 556libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: fcdfe5d6c0bfc2d4b31e2dc32fa715633aefcf01d8861fe5454b4f2169bd1488
Instruction ID: a6c9cabbc63d832ef08039c8340c25ac70862ffe54c2d6418b0fce86e9d70288
Opcode Fuzzy Hash: fcdfe5d6c0bfc2d4b31e2dc32fa715633aefcf01d8861fe5454b4f2169bd1488
Instruction Fuzzy Hash: 2D42E874A14228CFCB65DF24D85879DBBB6BF88209F5080EAE50EA3354DB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730BEA, Relevance: 6.5, APIs: 4, Instructions: 549libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: fe7b455c3f3d9911717ab62c0ee17b1a27da35b1ca29b28b7d318324f697a35c
Instruction ID: 771474d6139c4703283ae910c3f41d3e46d9317868909e077196e2d3fb564d1b
Opcode Fuzzy Hash: fe7b455c3f3d9911717ab62c0ee17b1a27da35b1ca29b28b7d318324f697a35c
Instruction Fuzzy Hash: 3842F874A14228CFCB65DF24D85879DBBB6BF88209F5080EAE50EA3354DB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730C2F, Relevance: 6.5, APIs: 4, Instructions: 542libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 256a8fb2c846f4fa31ef6d9a7e7f9bd6dfd4c1c79e8726cbfb460eccedfdccf4
Instruction ID: b01ee3a6452924ab91fc5d7a4e221e8e75096eb3d17f2b62c802a35d27424421
Opcode Fuzzy Hash: 256a8fb2c846f4fa31ef6d9a7e7f9bd6dfd4c1c79e8726cbfb460eccedfdccf4
Instruction Fuzzy Hash: 7E420874A15228CFCB65DF24D85879DBBB6BF88209F5080EAE50EA3344DB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730C74, Relevance: 6.5, APIs: 4, Instructions: 535libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: aee4352961ec35d7f4c9ac0c6b328c859ca29b9ed966dacb8e3afe4836a5230d
Instruction ID: 1561fb95f1d1b5498c01d1754b8628fde7d7e770e6fcb6bea26abe0a994df94c
Opcode Fuzzy Hash: aee4352961ec35d7f4c9ac0c6b328c859ca29b9ed966dacb8e3afe4836a5230d
Instruction Fuzzy Hash: 7342F874A14228CFCB65DF24D85879DBBB6BF88209F5080EAE50EA3354DB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730CB9, Relevance: 6.5, APIs: 4, Instructions: 528libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 7d7a6512c198d5841816e8c0a110aeef2b4dad8464c81d2721200b4f329ee4be
Instruction ID: 0cea680dc53f4d028195442318ceb0ca734e6dcaa5ce17388ae26a5b647d0cab
Opcode Fuzzy Hash: 7d7a6512c198d5841816e8c0a110aeef2b4dad8464c81d2721200b4f329ee4be
Instruction Fuzzy Hash: 4132F874A14228CFCB65EF24D85879DBBB6BF88205F5080EAE50EA3344DB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730CFE, Relevance: 6.5, APIs: 4, Instructions: 521libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: d827dc67e3cab1288702aed84f0506092d9465163b8c6dea3625b29d58776632
Instruction ID: 86d27f42c1d7c4dd0daaf17626091015127f997b23bdca306fd2175cd0e957b1
Opcode Fuzzy Hash: d827dc67e3cab1288702aed84f0506092d9465163b8c6dea3625b29d58776632
Instruction Fuzzy Hash: 3032F874A14228CFCB65EF24D85879DB7B6BF88205F5080EAE50AA3344DF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730D43, Relevance: 6.5, APIs: 4, Instructions: 514libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: df8b7e437d782cb0e9ff4f53a89d0c04e4d47a9e076422391a70862b24fc704c
Instruction ID: 00f8f6ca351d196f5b485bb38f834db93ede102a109bdbdba4a9827df91482e8
Opcode Fuzzy Hash: df8b7e437d782cb0e9ff4f53a89d0c04e4d47a9e076422391a70862b24fc704c
Instruction Fuzzy Hash: CA32F974A15228CFCB65EF24D85879DB7B6BF88205F5080EAE50AA3344DF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730D88, Relevance: 6.5, APIs: 4, Instructions: 507libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: bab34704fcf26b1ac6084284600664a09e4741febd561cf99947f561dbe24cac
Instruction ID: b44067a57e776ca1aeee3d438772dd9bde3f97b008cade2d6a390f9ba0d9ada1
Opcode Fuzzy Hash: bab34704fcf26b1ac6084284600664a09e4741febd561cf99947f561dbe24cac
Instruction Fuzzy Hash: 3632F874A14228CFCB65EF24D85879DBBB6BF88205F5080EAE50AA3354DF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730DCD, Relevance: 6.5, APIs: 4, Instructions: 500libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 68cfa41caf01b1db6e5fca6f47be0a0f826ed047a8c3af94d06838c39ec285d9
Instruction ID: 4b5b6183a7ceda84ea7c5d227ee11bb680e0e6fd3a3e5553c17861fde8eddbec
Opcode Fuzzy Hash: 68cfa41caf01b1db6e5fca6f47be0a0f826ed047a8c3af94d06838c39ec285d9
Instruction Fuzzy Hash: 6032F974A14229CFCB65EF24D85879DB7B6BF88205F5080EAD50AA3344DF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730E12, Relevance: 6.5, APIs: 4, Instructions: 493libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 36fe20d7b4392d4d62d823cd8455c6f612857700bc6990ae90f24745a75fc389
Instruction ID: 1dd98eb3182bbad66cedf35429ff8ed05a5e2860b5ba239dab4a4e4019a6dccc
Opcode Fuzzy Hash: 36fe20d7b4392d4d62d823cd8455c6f612857700bc6990ae90f24745a75fc389
Instruction Fuzzy Hash: 2832F874A14228CFCB65EF24D85879DB7B6BF88209F5080EAD50AA3384DF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730E57, Relevance: 6.5, APIs: 4, Instructions: 486libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 3a8e5b54fba49682ca2e916355b6b1f126f286afb1f1ed141472c10d0e44a583
Instruction ID: 73cb89dd970874cdc3bc9358e1876dd2de5b2cebd3cf2aea8920816270b6462f
Opcode Fuzzy Hash: 3a8e5b54fba49682ca2e916355b6b1f126f286afb1f1ed141472c10d0e44a583
Instruction Fuzzy Hash: 5222F874A152288FCB65EF24D85879DB7B6BF88209F5080EAD50AA3384DF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730E9C, Relevance: 6.5, APIs: 4, Instructions: 479libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 1b4e606cc93334444aeea6dc97120902f5bbbd67f4774ae2ba076ee6a260ae49
Instruction ID: edb091f31f61356bf3ee79a3da6fc504166edfc22cc1361d7ad4ee522681c33f
Opcode Fuzzy Hash: 1b4e606cc93334444aeea6dc97120902f5bbbd67f4774ae2ba076ee6a260ae49
Instruction Fuzzy Hash: 1522F874A142298FCB65EF24D85879DB7B6BF88205F5080EAD50EA3384DF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730EF7, Relevance: 6.5, APIs: 4, Instructions: 468libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: a3bdcb33445b3b1081ca92f28a9dc5c9187cfd285939ebdc4b4efd12245a232c
Instruction ID: 4a749485d64c2ad47477e8939d39e30dfa3a5a75f9ace758e4aea4950dadd8fd
Opcode Fuzzy Hash: a3bdcb33445b3b1081ca92f28a9dc5c9187cfd285939ebdc4b4efd12245a232c
Instruction Fuzzy Hash: 09220874A152298FCB64EF34D85879DBBB6BF88205F5080EAD50AA3384DF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730F3C, Relevance: 6.5, APIs: 4, Instructions: 461libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 4068f4509e82a86cc71f1649dce974c98cb75a002da53a63bdc36a0698a9c573
Instruction ID: c6be46c33006cdcca16a2d7a6b637de626cf09599b819ff43b9e638e0ea73212
Opcode Fuzzy Hash: 4068f4509e82a86cc71f1649dce974c98cb75a002da53a63bdc36a0698a9c573
Instruction Fuzzy Hash: C922F774A152298FCB64EF34D85879DBBB6BF88205F5080EAD50AA3384DF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730F81, Relevance: 6.5, APIs: 4, Instructions: 454libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 7061db1d717ba313d66b043e47a812e64e91e4e57ec3133b75f5cab831f4594d
Instruction ID: 36ecd591b551aed7117130b80c2fc91a438736728fb03583a616575bf54c6672
Opcode Fuzzy Hash: 7061db1d717ba313d66b043e47a812e64e91e4e57ec3133b75f5cab831f4594d
Instruction Fuzzy Hash: 0522F774A152298FCB64EF34D85879DBBB6BF88205F5080EAD50AA3384DF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730FC6, Relevance: 6.4, APIs: 4, Instructions: 447libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 56ee301f3ce8d1a44ef0a28d1f877065e3081ad52ef0a8616a9a45a95cb49181
Instruction ID: 683656853688654748dc5b4bfd03359d333cd380f80b560d5046a6e67bc1d9d1
Opcode Fuzzy Hash: 56ee301f3ce8d1a44ef0a28d1f877065e3081ad52ef0a8616a9a45a95cb49181
Instruction Fuzzy Hash: 20120774A152298FCB64EF34D85879DBBB6BF88205F5080EAD50AA3384DF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0173100B, Relevance: 6.4, APIs: 4, Instructions: 440libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 1bab1e8a478ea69ad40fd426e00a37e12893caaea8cd436f6e714c4616d6b17d
Instruction ID: d35488b020896fda0d9d0cca7d36268a278dfd7e9b1090dc88530a9b3110b952
Opcode Fuzzy Hash: 1bab1e8a478ea69ad40fd426e00a37e12893caaea8cd436f6e714c4616d6b17d
Instruction Fuzzy Hash: B3120774A152298FCB64EF34D85879DBBB6BF88205F5080EAD50AA3384DF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01731050, Relevance: 6.4, APIs: 4, Instructions: 433libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173119F
KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 91bce9aa1b99aeb33bd80dbabc52ef059695a0f54645a6fedbe2611bd4b31e64
Instruction ID: 91d2a289ee02891d3186534ca40d1acd65b227ada9a90948726e55b858fba54c
Opcode Fuzzy Hash: 91bce9aa1b99aeb33bd80dbabc52ef059695a0f54645a6fedbe2611bd4b31e64
Instruction Fuzzy Hash: 11120774A152298FCB64EF34D85879DBBB6BF88205F5080EAD50AA3384DF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 017314E0, Relevance: 4.8, APIs: 3, Instructions: 265COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627
KiUserExceptionDispatcher.NTDLL ref: 01731955

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6c8670c0b651c08c7c2d234302cd7e2b52c08673cd0d1fbc876b64bb8596a786
Instruction ID: 28b512e4075098490fa1e6634f61e666c7dd0d585c1724259619ef8392c92bcb
Opcode Fuzzy Hash: 6c8670c0b651c08c7c2d234302cd7e2b52c08673cd0d1fbc876b64bb8596a786
Instruction Fuzzy Hash: D3C12BB4915228CFCB65DF24D85879DB7B6BF88209F5080EAD60EA3380DB359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01731528, Relevance: 4.8, APIs: 3, Instructions: 258COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0173154F
KiUserExceptionDispatcher.NTDLL ref: 01731627
KiUserExceptionDispatcher.NTDLL ref: 01731955

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2170912c2e92ca036f2137ffb9882f55117025c553911c91d065976a3f8898b4
Instruction ID: 50ff3e91c510f26159cc44529aa810004fbb24acd8020cc6dd1d0a69ec7ef853
Opcode Fuzzy Hash: 2170912c2e92ca036f2137ffb9882f55117025c553911c91d065976a3f8898b4
Instruction Fuzzy Hash: 2AC13BB4915228CFCB65DF24C85879DBBB6BF88209F5040EAD60EA3390DB359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01731570, Relevance: 3.3, APIs: 2, Instructions: 251COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731627
KiUserExceptionDispatcher.NTDLL ref: 01731955

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a798751200ce818d32c90fc7b63ddda726e5b504afdee63dac80b5d843dc8c1e
Instruction ID: c4f2911e6d94075d1660de1a2adb1745d87b11d83bbb17af1354b4fa18d04354
Opcode Fuzzy Hash: a798751200ce818d32c90fc7b63ddda726e5b504afdee63dac80b5d843dc8c1e
Instruction Fuzzy Hash: 10B14DB4911229CFCB65EF24C85879DB7B6BF88209F5040EAD60EA3380DB359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 017315B8, Relevance: 3.2, APIs: 2, Instructions: 244COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731627
KiUserExceptionDispatcher.NTDLL ref: 01731955

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b8a88cb27ef91039a125b39d4c273b55f9f309713c702effe3869180ec976093
Instruction ID: 9ab7ac2d38880f1ab571f2c84493b65edf782ecf6e18cd5b3f6794f1630ce2ac
Opcode Fuzzy Hash: b8a88cb27ef91039a125b39d4c273b55f9f309713c702effe3869180ec976093
Instruction Fuzzy Hash: F0B13CB4A15228CFCB65DF24C85879DB7B6BF88209F5040EAD60EA3380DB359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01731600, Relevance: 3.2, APIs: 2, Instructions: 237COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731627
KiUserExceptionDispatcher.NTDLL ref: 01731955

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b446c5ea4d084bf5f905acfdad6b3753473f798e9001470dee20c423044e3ac9
Instruction ID: 80473010aec4c44e6ed189d038d3a05fd854b495d5924de17abe130891c7633f
Opcode Fuzzy Hash: b446c5ea4d084bf5f905acfdad6b3753473f798e9001470dee20c423044e3ac9
Instruction Fuzzy Hash: BAB13DB4A11228CFCB64DF24C85879DB7B6BF88209F5040EAD60EA3380DB359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0173165E, Relevance: 1.7, APIs: 1, Instructions: 226COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731955

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 42177635b60dd8937611f78069b66df790782261af7a777a0491b5d95cef4e7a
Instruction ID: 8ab335e323cac6bf16b5f69bcf03e5041362e80bc3e7fe578106d11a8e72e016
Opcode Fuzzy Hash: 42177635b60dd8937611f78069b66df790782261af7a777a0491b5d95cef4e7a
Instruction Fuzzy Hash: A7A13DB4A11228CFCB64DF24C85879DB7B6BF88209F5040EAD60EA3391DB359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 017316A6, Relevance: 1.7, APIs: 1, Instructions: 219COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731955

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 840f58dabd0c14789c064b1499375c6c4626bea6fe425309c2a488c010382a6d
Instruction ID: 14962cbac36c33600492c84f02dc083019ff3b75ad8ecf7e82c2b75c44285853
Opcode Fuzzy Hash: 840f58dabd0c14789c064b1499375c6c4626bea6fe425309c2a488c010382a6d
Instruction Fuzzy Hash: 01A14EB4A11229CFCB64EF24C85879DB7B6BF88209F5040E9D60EA3381DB358E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 017316EE, Relevance: 1.7, APIs: 1, Instructions: 212COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731955

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d03ad766cd8b478e44bb6f7685ca21fedecd834954287250e4354e8402807ad2
Instruction ID: 4aa7e4f8e27e523c9a008b77026946e71bb99fc13a0595a45f6d99dbcdd87111
Opcode Fuzzy Hash: d03ad766cd8b478e44bb6f7685ca21fedecd834954287250e4354e8402807ad2
Instruction Fuzzy Hash: 1B913EB4A11229CFCB64DF24C85879DB7B6BF88209F5040E9D60EA3385DB358E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01731736, Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731955

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c4f138eb20a22df09fe5427c700da3e9fd995cf398edda1cc8dc62305e3a9044
Instruction ID: 3536fe08c3931894fcf16f69dca68965a307c02a933efc49dd4aaa9e87343a38
Opcode Fuzzy Hash: c4f138eb20a22df09fe5427c700da3e9fd995cf398edda1cc8dc62305e3a9044
Instruction Fuzzy Hash: 60913FB4A11229CFCB64DF24C85879DB7B6BF88209F5080E9D60EA3385DB358E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0173177E, Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731955

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a25074c947cbefb40d60834b0547390e817b528733148461752faf8d8fd2fc40
Instruction ID: a9eec5c1514ce654699ebe98b5dd4bcd11b596bdaf6a6fa93ac76676a5940c53
Opcode Fuzzy Hash: a25074c947cbefb40d60834b0547390e817b528733148461752faf8d8fd2fc40
Instruction Fuzzy Hash: 5D813FB4A11229CFCB64DF24C85879DB7B6BF88209F5080E9D60AA3385DF358E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 017317C6, Relevance: 1.7, APIs: 1, Instructions: 191COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731955

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0b334c8bff789bf3809f7ea55d321d1b07f66d2ed4d0e32b6cd9b617d3ba86a7
Instruction ID: 4fb1f433c1ee700e717ce81710b620243507144053a292a0de0ef25d17c99809
Opcode Fuzzy Hash: 0b334c8bff789bf3809f7ea55d321d1b07f66d2ed4d0e32b6cd9b617d3ba86a7
Instruction Fuzzy Hash: 438140B4A11229CFCB64EF24C85879DB7B6BF88209F5040E9D60EA3385DB358E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0173180E, Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731955

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f098266d6b8b95ebc6e70357b9f9f41543bae4d81231e97a3e57b92434ed0aea
Instruction ID: c1241c5cb6800630efbddd660d17789e4a36ac0922d911c4c96d7dddf1203c29
Opcode Fuzzy Hash: f098266d6b8b95ebc6e70357b9f9f41543bae4d81231e97a3e57b92434ed0aea
Instruction Fuzzy Hash: 357152B4A112298FDB64EF24C85879DB7B6BF84209F4040E9D60AA3385DF358E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01705348, Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01705389

Memory Dump Source

Source File: 00000007.00000002.496564235.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7eefd9d40f1bf267941eeeeb5355642f59eb91ace7c6731018b1d78239533660
Instruction ID: d1a6affd93844bae3216eb24729f6036192ccefe925e961d64bdb7e50d144d56
Opcode Fuzzy Hash: 7eefd9d40f1bf267941eeeeb5355642f59eb91ace7c6731018b1d78239533660
Instruction Fuzzy Hash: 57612730A00319DFDB15EBB8D458BAEBBF2AF84215F208829E512E7394DF399945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01731856, Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731955

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3267fdfa74d8dea7db71f3e9d948ee65c99666cfc3dca3b86f3b31af80b95bc4
Instruction ID: fe6118aef93c15df197d46b75b074cb763c849531d919d39464619fd337a3e81
Opcode Fuzzy Hash: 3267fdfa74d8dea7db71f3e9d948ee65c99666cfc3dca3b86f3b31af80b95bc4
Instruction Fuzzy Hash: C07142B4A112288FDB64EF24C85879DB7B6BF88209F5080E9D60EA3385DF358D85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0173189E, Relevance: 1.7, APIs: 1, Instructions: 170COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731955

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4b91ee6bc5a9c3e974791a7da37bf2240128bbfd1ca2041eec31d26eb5727e44
Instruction ID: 77f6156c35e37f5fdccc9f6e05b30cb7188255da291e15e2ef1901a49462beae
Opcode Fuzzy Hash: 4b91ee6bc5a9c3e974791a7da37bf2240128bbfd1ca2041eec31d26eb5727e44
Instruction Fuzzy Hash: 256142B4A112288FDBA4EF24C85879DB7B6BF88205F5080E9D60EA3385DF358D85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 017318E6, Relevance: 1.7, APIs: 1, Instructions: 163COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731955

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 253647f6f1f91f7a56a15410dbf46d63bc3c271ea35c256b53b610d9394101a4
Instruction ID: 21d4a4b381ea2b38f1306b2e132141b40786dd069119e7cf2adc4133ced8a69e
Opcode Fuzzy Hash: 253647f6f1f91f7a56a15410dbf46d63bc3c271ea35c256b53b610d9394101a4
Instruction Fuzzy Hash: 896153B4A112298FDBA4EF24C85879DB7B6BF88205F4080E9D60EA3385DF358D85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0173192E, Relevance: 1.7, APIs: 1, Instructions: 156COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731955

Memory Dump Source

Source File: 00000007.00000002.496709738.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3226b0262223dd8ffb28e3e00bf9ef8b220cace0eeebf4b0e64ec30e5b222628
Instruction ID: 06adfee14365d9b48b79de5dcfafc6f1898cfecff05efe3ab8b222cd28cff2a2
Opcode Fuzzy Hash: 3226b0262223dd8ffb28e3e00bf9ef8b220cace0eeebf4b0e64ec30e5b222628
Instruction Fuzzy Hash: A45163B4A112288FDBA4EF24C85879DB7B6BF88205F4080E9D609E3385DF358D85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01702DB8, Relevance: 1.6, APIs: 1, Instructions: 148libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702E17

Memory Dump Source

Source File: 00000007.00000002.496564235.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 81a47726c86af8b50f3617408812783b2f865814f652fb0b708fbfd05212b83c
Instruction ID: b79cd385f461df9a28e023f3d736542c35404b3925a5f59364f7c0d7b24e82d8
Opcode Fuzzy Hash: 81a47726c86af8b50f3617408812783b2f865814f652fb0b708fbfd05212b83c
Instruction Fuzzy Hash: 2A516135A003059FCB14EBB4D888AEEB7F6BF84214F14856DE5069B395EF34E8458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 01707DF8, Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 01707F47

Memory Dump Source

Source File: 00000007.00000002.496564235.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: ea134b756931d669dc63a9a4456050ad3306754934522300c044bf01438beeb2
Instruction ID: 945dd7aacc406904216e492074b99c7c0a79b9f802c248d9a9e54d72e77eb079
Opcode Fuzzy Hash: ea134b756931d669dc63a9a4456050ad3306754934522300c044bf01438beeb2
Instruction Fuzzy Hash: BA414671E083998FCB05CB75C8546DAFFF5AF89210F0985AAD144A7281DB78A885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01702DB1, Relevance: 1.6, APIs: 1, Instructions: 138libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702E17

Memory Dump Source

Source File: 00000007.00000002.496564235.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7cd91b26de866c8e6dfeb2b6a916b8152e7b2f1852d95add64fd526cc70956f5
Instruction ID: 07425ac653cf93aedd250f24da7a5f76049f4845146ca1591d246332328812d0
Opcode Fuzzy Hash: 7cd91b26de866c8e6dfeb2b6a916b8152e7b2f1852d95add64fd526cc70956f5
Instruction Fuzzy Hash: 1E417471A00305DFCB15EFB4D888AEEB7F6BF84214F148569E5029B395EF34E8458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 016FEA68, Relevance: 1.6, APIs: 1, Instructions: 116registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 016FEB81

Memory Dump Source

Source File: 00000007.00000002.496504543.00000000016F0000.00000040.00000001.sdmp, Offset: 016F0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f0d3ef7127851db105474a1e1b4525cd59d7d7e0126e0856ee37be6f5cdc851b
Instruction ID: 85b52b03e93fb8a0ab61dbef4cb8560c597a2d62cb240ac7d8665c7960c34341
Opcode Fuzzy Hash: f0d3ef7127851db105474a1e1b4525cd59d7d7e0126e0856ee37be6f5cdc851b
Instruction Fuzzy Hash: E54122B1E043599FDB10CFA9C884A9EBFF5BB48304F16802EE919AB350D7759845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 016FDF20, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 016FEB81

Memory Dump Source

Source File: 00000007.00000002.496504543.00000000016F0000.00000040.00000001.sdmp, Offset: 016F0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: de8bfecebccad8e0d9cba4314799e7e7bb90ac6b7f1b103745591ccbd5c94709
Instruction ID: 8c47da4bf341ceb03da0e4c1e78d151eed3c6004ee612a1c951afa69c58c3751
Opcode Fuzzy Hash: de8bfecebccad8e0d9cba4314799e7e7bb90ac6b7f1b103745591ccbd5c94709
Instruction Fuzzy Hash: 6C31EDB1D0025C9FCB20CF9AC984A9EBFF5BF48310F55812AE91AAB314C7759945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 016FDF1F, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 016FEB81

Memory Dump Source

Source File: 00000007.00000002.496504543.00000000016F0000.00000040.00000001.sdmp, Offset: 016F0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9853e3438607ac1eebf778f6a3a8dd06ed7feb764eba8abd2a53667f062bfaa6
Instruction ID: 426fce9d5f1c74d49e7e3b0a76a7f29904caa6b908d18dff27150e44db191993
Opcode Fuzzy Hash: 9853e3438607ac1eebf778f6a3a8dd06ed7feb764eba8abd2a53667f062bfaa6
Instruction Fuzzy Hash: 5831FEB1D002589FCB20CF9AC984A9EBFF5BB48310F55812AE91AAB310C7759905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 016FDF14, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 016FE8C4

Memory Dump Source

Source File: 00000007.00000002.496504543.00000000016F0000.00000040.00000001.sdmp, Offset: 016F0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 190c017d0afe3d6f5f500f934cd6e386681371a462e5a2c18269a873987f30de
Instruction ID: d095253063a0a95bd913a5cfbe29fdc6ec35859514b9cd2d74f68b71e87f374d
Opcode Fuzzy Hash: 190c017d0afe3d6f5f500f934cd6e386681371a462e5a2c18269a873987f30de
Instruction Fuzzy Hash: DB31E2B0D042489FDB10CF99C984A8EFFF5BB49304F6A816EE509AB351C7769945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 016FE806, Relevance: 1.6, APIs: 1, Instructions: 82registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 016FE8C4

Memory Dump Source

Source File: 00000007.00000002.496504543.00000000016F0000.00000040.00000001.sdmp, Offset: 016F0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: bec02ee965b326d1f43048fe43e0b6debb0dff8a423b6e7db69c4e9a76ab70f8
Instruction ID: 3415fa239a3e691b0b7d0f3de29f3b84497ae2b8b2b0561d7637c13d198de17c
Opcode Fuzzy Hash: bec02ee965b326d1f43048fe43e0b6debb0dff8a423b6e7db69c4e9a76ab70f8
Instruction Fuzzy Hash: 5731FDB0D002498FDB10CF99C584A8EFFF5BB49314F2A816AE509AB310C7769985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014C1A98, Relevance: 1.6, APIs: 1, Instructions: 61libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,014C1A79,00000800), ref: 014C1B0A

Memory Dump Source

Source File: 00000007.00000002.495371752.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af599a851009f8af2fa3e863dcd4c0c1f7e094a2e1fd0f5f8b2e3186b8ada182
Instruction ID: fd917c4840d3238ffb0a5abca75c78efa4b42142d3834a9f1581171482033469
Opcode Fuzzy Hash: af599a851009f8af2fa3e863dcd4c0c1f7e094a2e1fd0f5f8b2e3186b8ada182
Instruction Fuzzy Hash: 952177B98043898FCB10CFAAC884BDEBFF4AB49B20F04846EE515A7251C375A444CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01708BD1, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 01708C53

Memory Dump Source

Source File: 00000007.00000002.496564235.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 0827a9e0261eab4743353d6763f3bc2ee8573fb6eecc8de11daf263209280e10
Instruction ID: a1e5ebeeb6183234b6e15247a074a58d2a14f144097376b3ff2b3d7714056c3b
Opcode Fuzzy Hash: 0827a9e0261eab4743353d6763f3bc2ee8573fb6eecc8de11daf263209280e10
Instruction Fuzzy Hash: C12135B5D002089FCB14CF9AC844BEFFBF5BB88324F14842AE419A7290C775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014C080C, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,014C1A79,00000800), ref: 014C1B0A

Memory Dump Source

Source File: 00000007.00000002.495371752.00000000014C0000.00000040.00000001.sdmp, Offset: 014C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 78f00a95f895ceafe9a00e4b8e76af0a60141e0a1d6f730d593cca6827d42e14
Instruction ID: e5b354860be11a72c1f6b20ae3b06aacd108e6080deff1e6ab3d16015acac1c9
Opcode Fuzzy Hash: 78f00a95f895ceafe9a00e4b8e76af0a60141e0a1d6f730d593cca6827d42e14
Instruction Fuzzy Hash: 541100B6D002488FDB10CF9AC488B9EFBF4EB88724F54846EE515A7210D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0170533F, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01705389

Memory Dump Source

Source File: 00000007.00000002.496564235.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: be51a07cfae6b00a2bdfd639bf946bbfeb6f74b92f911087a22fae2d02c07520
Instruction ID: fb1c293ca5e2b914baf218eafa1d1efa5345c7a8fe7ffde944173ee99105a894
Opcode Fuzzy Hash: be51a07cfae6b00a2bdfd639bf946bbfeb6f74b92f911087a22fae2d02c07520
Instruction Fuzzy Hash: C0111770A00308DFDB15DFA8D59879DFBB2FF48305F248928D401A7295DB36A989CF40

Uniqueness

Uniqueness Score: -1.00%

Function 01707EE0, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 01707F47

Memory Dump Source

Source File: 00000007.00000002.496564235.0000000001700000.00000040.00000001.sdmp, Offset: 01700000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 09b541d302c4274aaa3659ab1287b1b35b9f51d4fe67ffc8261f8ba1e5d2a5c1
Instruction ID: d4203f1e26f555d96f8fb9176bca95a37a87fed57dfb174dbb2576f0995d5887
Opcode Fuzzy Hash: 09b541d302c4274aaa3659ab1287b1b35b9f51d4fe67ffc8261f8ba1e5d2a5c1
Instruction Fuzzy Hash: 4B1120B1C0066A9BCB10CF9AC444BDEFBF4BF48224F15816AE918B7240D378A945CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 017CD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.497016382.00000000017CD000.00000040.00000001.sdmp, Offset: 017CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5edba1bf600e6433b3555c67b9c1d11c734d0a9f1b9990572b45c54c80b225
Instruction ID: adf1b8f309c56e1228d6c4b61088322d07767133c83d7d564a274f530239825c
Opcode Fuzzy Hash: db5edba1bf600e6433b3555c67b9c1d11c734d0a9f1b9990572b45c54c80b225
Instruction Fuzzy Hash: D42137B5504204DFCB25CF68D4C4B16FBA1FB88754F24C5BDE94A4B246C376D887CAA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report W9YDH79i8G.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre