Play interactive tour

Edit tour

Analysis Report PO.#4500499953.exe

Overview

General Information

Sample Name:	PO.#4500499953.exe
Analysis ID:	412549
MD5:	3b920d971cef2b8e6ff4bb93f42c32da
SHA1:	86d3cd18267a89809c94c5c6b4b880b6d4794a8a
SHA256:	328426769c5f5c7565f97853d192f418a16d4bbb9fe6f67584c7aab17fc79eff
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains very large array initializations

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Modifies the hosts file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

PO.#4500499953.exe (PID: 7012 cmdline: 'C:\Users\user\Desktop\PO.#4500499953.exe' MD5: 3B920D971CEF2B8E6FF4BB93F42C32DA)

RegSvcs.exe (PID: 7096 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

NXLun.exe (PID: 6248 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 4684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

NXLun.exe (PID: 6388 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 1716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "rasha.adel@wasstech.comSunray2700@@wasstech.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.659929187.0000000003898000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.659929187.0000000003898000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.659524646.0000000003729000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.659524646.0000000003729000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.915098817.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.915098817.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.916672093.0000000002901000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO.#4500499953.exe PID: 7012	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PO.#4500499953.exe PID: 7012	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7096	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7096	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.PO.#4500499953.exe.3842ad8.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PO.#4500499953.exe.3842ad8.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PO.#4500499953.exe.3842ad8.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PO.#4500499953.exe.3842ad8.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PO.#4500499953.exe.274b38c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 2 entries

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\PO.#4500499953.exe' , ParentImage: C:\Users\user\Desktop\PO.#4500499953.exe, ParentProcessId: 7012, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7096

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "rasha.adel@wasstech.comSunray2700@@wasstech.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: PO.#4500499953.exe	Virustotal: Detection: 31%			Perma Link
Source: PO.#4500499953.exe	ReversingLabs: Detection: 40%

Machine Learning detection for sample

Show sources

Source: PO.#4500499953.exe

Joe Sandbox ML: detected

Source: 1.2.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: PO.#4500499953.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: PO.#4500499953.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000001.00000003.870801440.0000000005BCB000.00000004.00000001.sdmp, NXLun.exe, 0000000C.00000002.734440753.0000000000B02000.00000002.00020000.sdmp, NXLun.exe, 00000011.00000000.749964689.0000000000DE2000.00000002.00020000.sdmp, NXLun.exe.1.dr
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: NXLun.exe, 0000000C.00000002.735168937.0000000002D50000.00000002.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.1.dr

Source: global traffic

TCP traffic: 192.168.2.4:49770 -> 204.93.196.181:587

Source: Joe Sandbox View

IP Address: 204.93.196.181 204.93.196.181

Source: Joe Sandbox View

ASN Name: SERVERCENTRALUS SERVERCENTRALUS

Source: global traffic

TCP traffic: 192.168.2.4:49770 -> 204.93.196.181:587

Source: unknown

DNS traffic detected: queries for: wasstech.com

Source: RegSvcs.exe, 00000001.00000002.916672093.0000000002901000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000001.00000002.916672093.0000000002901000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000001.00000002.920358509.0000000005C09000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegSvcs.exe, 00000001.00000002.920358509.0000000005C09000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: RegSvcs.exe, 00000001.00000002.920358509.0000000005C09000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegSvcs.exe, 00000001.00000002.920358509.0000000005C09000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegSvcs.exe, 00000001.00000002.920358509.0000000005C09000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: RegSvcs.exe, 00000001.00000002.920358509.0000000005C09000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: PO.#4500499953.exe, 00000000.00000002.658913936.0000000002721000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000001.00000002.916672093.0000000002901000.00000004.00000001.sdmp	String found in binary or memory: http://swoEaw.com
Source: RegSvcs.exe, 00000001.00000002.917142846.0000000002C67000.00000004.00000001.sdmp	String found in binary or memory: http://wasstech.com
Source: RegSvcs.exe, 00000001.00000002.916672093.0000000002901000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000001.00000002.916672093.0000000002901000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: RegSvcs.exe, 00000001.00000002.917213367.0000000002C8B000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917230712.0000000002C93000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.916672093.0000000002901000.00000004.00000001.sdmp	String found in binary or memory: https://wZhClIFSimrbT.com
Source: PO.#4500499953.exe, 00000000.00000002.659929187.0000000003898000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.915098817.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000001.00000002.916672093.0000000002901000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: PO.#4500499953.exe, 00000000.00000002.658374954.0000000000AEA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 1.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bBD20A67Fu002dA5ADu002d402Eu002d9408u002dFBAA51546B1Au007d/u0036AF64711u002dA5B2u002d4427u002dB900u002d09E5D0E0F1FF.cs

Large array initialization: .cctor: array initializer size 11946

Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_00362538	0_2_00362538
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_00362D8B	0_2_00362D8B
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_026EF640	0_2_026EF640
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_026EC428	0_2_026EC428
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_026EC427	0_2_026EC427
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_026E98F8	0_2_026E98F8
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_04CD6FE0	0_2_04CD6FE0
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_04CD7360	0_2_04CD7360
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_04CDF8CC	0_2_04CDF8CC
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_04CD84B0	0_2_04CD84B0
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_04CD8551	0_2_04CD8551
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_04CD87D8	0_2_04CD87D8
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_04CDD608	0_2_04CDD608
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_04CDD618	0_2_04CDD618
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_04CD73FD	0_2_04CD73FD
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_04CD73B8	0_2_04CD73B8
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_04CD78FF	0_2_04CD78FF
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_00369A7A	0_2_00369A7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00D30073	1_2_00D30073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00D38970	1_2_00D38970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00D31B00	1_2_00D31B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00D32248	1_2_00D32248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00D32348	1_2_00D32348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00D34CE8	1_2_00D34CE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00E2DAE8	1_2_00E2DAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_028747A0	1_2_028747A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_028746B0	1_2_028746B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05D05690	1_2_05D05690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_05D0A208	1_2_05D0A208

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50

Source: PO.#4500499953.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: PO.#4500499953.exe, 00000000.00000002.658374954.0000000000AEA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO.#4500499953.exe
Source: PO.#4500499953.exe, 00000000.00000000.648914946.000000000040C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIResourceReader.exeP vs PO.#4500499953.exe
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs PO.#4500499953.exe
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKqaIqxJaIPlNgejCEysBh.exe4 vs PO.#4500499953.exe
Source: PO.#4500499953.exe, 00000000.00000002.663130658.0000000005AA0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs PO.#4500499953.exe
Source: PO.#4500499953.exe	Binary or memory string: OriginalFilenameIResourceReader.exeP vs PO.#4500499953.exe

Source: PO.#4500499953.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: PO.#4500499953.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 1.2.RegSvcs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.RegSvcs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@7/6@1/1

Source: C:\Users\user\Desktop\PO.#4500499953.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.#4500499953.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4684:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1716:120:WilError_01
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Mutant created: \Sessions\1\BaseNamedObjects\ZeuIaeOZFgvpHy

Source: PO.#4500499953.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO.#4500499953.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO.#4500499953.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: PO.#4500499953.exe	Virustotal: Detection: 31%
Source: PO.#4500499953.exe	ReversingLabs: Detection: 40%

Source: unknown	Process created: C:\Users\user\Desktop\PO.#4500499953.exe 'C:\Users\user\Desktop\PO.#4500499953.exe'
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO.#4500499953.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PO.#4500499953.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO.#4500499953.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000001.00000003.870801440.0000000005BCB000.00000004.00000001.sdmp, NXLun.exe, 0000000C.00000002.734440753.0000000000B02000.00000002.00020000.sdmp, NXLun.exe, 00000011.00000000.749964689.0000000000DE2000.00000002.00020000.sdmp, NXLun.exe.1.dr
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: NXLun.exe, 0000000C.00000002.735168937.0000000002D50000.00000002.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.1.dr

Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0037043E push ebx; retf	0_2_0037043F
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036B83D push ebx; retf	0_2_0036B83E
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036C239 push ebx; retf	0_2_0036C23A
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036BA23 push ebx; retf	0_2_0036BA24
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036D02E push ebx; retf	0_2_0036D02F
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036C41F push ebx; retf	0_2_0036C420
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036BC06 push ebx; retf	0_2_0036BC07
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036C602 push ebx; retf	0_2_0036C603
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036CC62 push ebx; retf	0_2_0036CC63
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036B64F push ebx; retf	0_2_0036B650
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036C04B push ebx; retf	0_2_0036C04C
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036CE4B push ebx; retf	0_2_0036CE4C
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036B6F4 push ebx; retf	0_2_0036B6F5
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036C0F0 push ebx; retf	0_2_0036C0F1
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036B8E1 push ebx; retf	0_2_0036B8E2
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036CEEC push ebx; retf	0_2_0036CEED
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_003686E9 push ebx; retf	0_2_003686EA
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036C2DD push ebx; retf	0_2_0036C2DE
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036BAC4 push ebx; retf	0_2_0036BAC5
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036C4C0 push ebx; retf	0_2_0036C4C1
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036D0CF push ebx; retf	0_2_0036D0D0
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036CB18 push ebx; retf	0_2_0036CB19
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036CD06 push ebx; retf	0_2_0036CD07
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036B503 push ebx; retf	0_2_0036B504
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036C37E push ebx; retf	0_2_0036C37F
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036BB65 push ebx; retf	0_2_0036BB66
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036C561 push ebx; retf	0_2_0036C562
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_00363D4C push ebx; retf	0_2_00363D4D
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036CBBD push ebx; retf	0_2_0036CBBE
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036B5AA push ebx; retf	0_2_0036B5AB
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Code function: 0_2_0036CDAA push ebx; retf	0_2_0036CDAB

Source: initial sample

Static PE information: section name: .text entropy: 7.70966498297

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLun			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLun			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.#4500499953.exe PID: 7012, type: MEMORY
Source: Yara match	File source: 0.2.PO.#4500499953.exe.274b38c.1.raw.unpack, type: UNPACKEDPE

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\PO.#4500499953.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 9230			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 584			Jump to behavior

Source: C:\Users\user\Desktop\PO.#4500499953.exe TID: 7016	Thread sleep time: -99621s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe TID: 7044	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 7132	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 6620	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO.#4500499953.exe	Thread delayed: delay time: 99621	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.919984659.0000000005AB0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000001.00000002.919984659.0000000005AB0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000001.00000002.919984659.0000000005AB0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 00000001.00000002.920264191.0000000005BB5000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 00000001.00000002.919984659.0000000005AB0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\PO.#4500499953.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_00D38970 LdrInitializeThunk,

1_2_00D38970

Source: C:\Users\user\Desktop\PO.#4500499953.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\PO.#4500499953.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Users\user\Desktop\PO.#4500499953.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.916265484.00000000012E0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000001.00000002.916265484.00000000012E0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000001.00000002.916265484.00000000012E0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000001.00000002.916265484.00000000012E0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PO.#4500499953.exe	Queries volume information: C:\Users\user\Desktop\PO.#4500499953.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.#4500499953.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Queries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Queries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO.#4500499953.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.659929187.0000000003898000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.659524646.0000000003729000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.915098817.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.PO.#4500499953.exe.3842ad8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.#4500499953.exe.3842ad8.2.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.659929187.0000000003898000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.659524646.0000000003729000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.915098817.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.#4500499953.exe PID: 7012, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7096, type: MEMORY
Source: Yara match	File source: 0.2.PO.#4500499953.exe.3842ad8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.#4500499953.exe.3842ad8.2.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000001.00000002.916672093.0000000002901000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7096, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.659929187.0000000003898000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.659524646.0000000003729000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.915098817.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.PO.#4500499953.exe.3842ad8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.#4500499953.exe.3842ad8.2.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.659929187.0000000003898000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.659524646.0000000003729000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.915098817.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.#4500499953.exe PID: 7012, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7096, type: MEMORY
Source: Yara match	File source: 0.2.PO.#4500499953.exe.3842ad8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.#4500499953.exe.3842ad8.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Registry Run Keys / Startup Folder1	Process Injection12	File and Directory Permissions Modification1	OS Credential Dumping2	System Information Discovery114	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Disable or Modify Tools1	Input Capture1	Query Registry1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Credentials in Registry1	Security Software Discovery211	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing3	LSA Secrets	Virtualization/Sandbox Evasion131	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion131	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection12	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO.#4500499953.exe	32%	Virustotal		Browse
PO.#4500499953.exe	40%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
PO.#4500499953.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
wasstech.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
https://wZhClIFSimrbT.com	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://wasstech.com	0%	Virustotal		Browse
http://wasstech.com	0%	Avira URL Cloud	safe
http://swoEaw.com	0%	Avira URL Cloud	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://api.ipify.org%$	0%	Avira URL Cloud	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wasstech.com	204.93.196.181	true	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegSvcs.exe, 00000001.00000002.916672093.0000000002901000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://wZhClIFSimrbT.com	RegSvcs.exe, 00000001.00000002.917213367.0000000002C8B000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.917230712.0000000002C93000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.916672093.0000000002901000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNS	RegSvcs.exe, 00000001.00000002.916672093.0000000002901000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.letsencrypt.org0	RegSvcs.exe, 00000001.00000002.920358509.0000000005C09000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegSvcs.exe, 00000001.00000002.916672093.0000000002901000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://wasstech.com	RegSvcs.exe, 00000001.00000002.917142846.0000000002C67000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://swoEaw.com	RegSvcs.exe, 00000001.00000002.916672093.0000000002901000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://r3.o.lencr.org0	RegSvcs.exe, 00000001.00000002.920358509.0000000005C09000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%GETMozilla/5.0	RegSvcs.exe, 00000001.00000002.916672093.0000000002901000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO.#4500499953.exe, 00000000.00000002.658913936.0000000002721000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	PO.#4500499953.exe, 00000000.00000002.659929187.0000000003898000.00000004.00000001.sdmp, RegSvcs.exe, 00000001.00000002.915098817.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	PO.#4500499953.exe, 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp	false		high
https://api.ipify.org%$	RegSvcs.exe, 00000001.00000002.916672093.0000000002901000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://cps.root-x1.letsencrypt.org0	RegSvcs.exe, 00000001.00000002.920358509.0000000005C09000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://r3.i.lencr.org/0	RegSvcs.exe, 00000001.00000002.920358509.0000000005C09000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
204.93.196.181	wasstech.com	United States		23352	SERVERCENTRALUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	412549
Start date:	12.05.2021
Start time:	19:11:05
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO.#4500499953.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@7/6@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0%) Quality average: 45.2% Quality standard deviation: 46.2%
HCA Information:	Successful, ratio: 99% Number of executed functions: 73 Number of non-executed functions: 11
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Excluded IPs from analysis (whitelisted): 13.88.21.125, 204.79.197.222, 52.113.196.254, 13.107.3.254, 13.107.246.254, 92.122.145.220, 104.43.139.144, 52.255.188.83, 20.82.210.154, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 2.20.143.16, 2.20.142.209, 20.50.102.62 Excluded domains from analysis (whitelisted): fp.msedge.net, au.download.windowsupdate.com.edgesuite.net, s-ring.msedge.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, a-0019.a-msedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, teams-9999.teams-msedge.net, e12564.dspb.akamaiedge.net, a-0019.standard.a-msedge.net, audownload.windowsupdate.nsatc.net, 1.perf.msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, skypedataprdcoleus17.cloudapp.net, s-9999.s-msedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, t-ring.t-9999.t-msedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:11:56	API Interceptor	1x Sleep call for process: PO.#4500499953.exe modified
19:12:12	API Interceptor	750x Sleep call for process: RegSvcs.exe modified
19:12:25	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
19:12:33	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
204.93.196.181	38RFQ_ENG_SEP_2019_73647384389293.exe	Get hash	malicious	Browse	av-gearhouse.com/app/Panel/five/fre.php
204.93.196.181	51Bank_Copy_736473828243.exe	Get hash	malicious	Browse	av-gearhouse.com/app/Panel/five/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wasstech.com	PO.#4500499953.exe	Get hash	malicious	Browse	204.93.196.181
	PO.#4500499953.exe	Get hash	malicious	Browse	204.93.196.181
	tAe9xfvtm6kVwfA.exe	Get hash	malicious	Browse	204.93.196.181
	tAe9xfvtm6kVwfA.exe	Get hash	malicious	Browse	204.93.196.181
	PO.#4500499953.exe	Get hash	malicious	Browse	204.93.196.181
	GRACE $$$.exe	Get hash	malicious	Browse	204.93.196.181
	PO.#4500499953.exe	Get hash	malicious	Browse	204.93.196.181
	vkFhiUvXw8joCXn.exe	Get hash	malicious	Browse	204.93.196.181
	4Umt5Jw6SGMBy9A.exe	Get hash	malicious	Browse	204.93.196.181
	moni $$.exe	Get hash	malicious	Browse	204.93.196.181
	PAYMENT INSTRUCTIONS COPY.exe	Get hash	malicious	Browse	204.93.196.181
	TwLWwzIEHiJyihI.exe	Get hash	malicious	Browse	204.93.196.181
	PMSHIPPING DOCUMENT & PL.exe	Get hash	malicious	Browse	204.93.196.181
	aljzoINHqTRw1IT.exe	Get hash	malicious	Browse	204.93.196.181
	proforma invoice.exe	Get hash	malicious	Browse	204.93.196.181
	12345$$.exe	Get hash	malicious	Browse	204.93.196.181
	Helena order AW2021 Copy.exe	Get hash	malicious	Browse	204.93.196.181
	SecuriteInfo.com.Trojan.Win32.Save.a.1532.exe	Get hash	malicious	Browse	204.93.196.181
	payment copy.exe	Get hash	malicious	Browse	204.93.196.181
	PI.exe	Get hash	malicious	Browse	204.93.196.181

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SERVERCENTRALUS	PO.#4500499953.exe	Get hash	malicious	Browse	204.93.196.181
	PO.#4500499953.exe	Get hash	malicious	Browse	204.93.196.181
	tAe9xfvtm6kVwfA.exe	Get hash	malicious	Browse	204.93.196.181
	tAe9xfvtm6kVwfA.exe	Get hash	malicious	Browse	204.93.196.181
	PO.#4500499953.exe	Get hash	malicious	Browse	204.93.196.181
	GRACE $$$.exe	Get hash	malicious	Browse	204.93.196.181
	SEFCD_20210510_082736 OVERSEAS IMPORT QUOTE REQUEST.exe	Get hash	malicious	Browse	216.246.112.165
	PO.#4500499953.exe	Get hash	malicious	Browse	204.93.196.181
	vkFhiUvXw8joCXn.exe	Get hash	malicious	Browse	204.93.196.181
	WAkePI6vWufG5Bb.exe	Get hash	malicious	Browse	50.31.188.30
	PI.479363_003.exe	Get hash	malicious	Browse	66.225.201.69
	4Umt5Jw6SGMBy9A.exe	Get hash	malicious	Browse	204.93.196.181
	moni $$.exe	Get hash	malicious	Browse	204.93.196.181
	PAYMENT INSTRUCTIONS COPY.exe	Get hash	malicious	Browse	204.93.196.181
	TwLWwzIEHiJyihI.exe	Get hash	malicious	Browse	204.93.196.181
	D3094F4CDE32854F985A9DCA4D520ADEFE3F561C30ABA.exe	Get hash	malicious	Browse	198.38.94.115
	PMSHIPPING DOCUMENT & PL.exe	Get hash	malicious	Browse	204.93.196.181
	aljzoINHqTRw1IT.exe	Get hash	malicious	Browse	204.93.196.181
	proforma invoice.exe	Get hash	malicious	Browse	204.93.196.181
	12345$$.exe	Get hash	malicious	Browse	204.93.196.181

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe	invoice.exe	Get hash	malicious	Browse
	70654 SSEBACIC EGYPT.exe	Get hash	malicious	Browse
	Booking.exe	Get hash	malicious	Browse
	Order - HOM-OS-20-21-5-12.exe	Get hash	malicious	Browse
	PO.#4500499953.exe	Get hash	malicious	Browse
	PO.#4500499953.exe	Get hash	malicious	Browse
	RFQ.exe	Get hash	malicious	Browse
	DHL_Telex Release BL.exe	Get hash	malicious	Browse
	Booking.exe	Get hash	malicious	Browse
	PaymentConfirmation.exe	Get hash	malicious	Browse
	tAe9xfvtm6kVwfA.exe	Get hash	malicious	Browse
	ouCeNMzxAW8tbEx.exe	Get hash	malicious	Browse
	Payment_Advice.exe	Get hash	malicious	Browse
	Ningbo_Overdue_Payments.exe	Get hash	malicious	Browse
	SOA.exe.gz.exe	Get hash	malicious	Browse
	PO 4500379537.exe	Get hash	malicious	Browse
	tAe9xfvtm6kVwfA.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	PO.#4500499953.exe	Get hash	malicious	Browse
	GRACE $$$.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NXLun.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.#4500499953.exe.log Download File
Process:	C:\Users\user\Desktop\PO.#4500499953.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45152
Entropy (8bit):	6.149629800481177
Encrypted:	false
SSDEEP:	768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
MD5:	2867A3817C9245F7CF518524DFD18F28
SHA1:	D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
SHA-256:	43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
SHA-512:	7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: invoice.exe, Detection: malicious, Browse Filename: 70654 SSEBACIC EGYPT.exe, Detection: malicious, Browse Filename: Booking.exe, Detection: malicious, Browse Filename: Order - HOM-OS-20-21-5-12.exe, Detection: malicious, Browse Filename: PO.#4500499953.exe, Detection: malicious, Browse Filename: PO.#4500499953.exe, Detection: malicious, Browse Filename: RFQ.exe, Detection: malicious, Browse Filename: DHL_Telex Release BL.exe, Detection: malicious, Browse Filename: Booking.exe, Detection: malicious, Browse Filename: PaymentConfirmation.exe, Detection: malicious, Browse Filename: tAe9xfvtm6kVwfA.exe, Detection: malicious, Browse Filename: ouCeNMzxAW8tbEx.exe, Detection: malicious, Browse Filename: Payment_Advice.exe, Detection: malicious, Browse Filename: Ningbo_Overdue_Payments.exe, Detection: malicious, Browse Filename: SOA.exe.gz.exe, Detection: malicious, Browse Filename: PO 4500379537.exe, Detection: malicious, Browse Filename: tAe9xfvtm6kVwfA.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: PO.#4500499953.exe, Detection: malicious, Browse Filename: GRACE $$$.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Windows\System32\drivers\etc\hosts Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	11
Entropy (8bit):	2.663532754804255
Encrypted:	false
SSDEEP:	3:iLE:iLE
MD5:	B24D295C1F84ECBFB566103374FB91C5
SHA1:	6A750D3F8B45C240637332071D34B403FA1FF55A
SHA-256:	4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
SHA-512:	9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
Malicious:	true
Preview:	..127.0.0.1

\Device\ConDrv Download File
Process:	C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.44831826838854
Encrypted:	false
SSDEEP:	24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
MD5:	1AEB3A784552CFD2AEDEDC1D43A97A4F
SHA1:	804286AB9F8B3DE053222826A69A7CDA3492411A
SHA-256:	0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
SHA-512:	5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.360122759968543
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	PO.#4500499953.exe
File size:	795136
MD5:	3b920d971cef2b8e6ff4bb93f42c32da
SHA1:	86d3cd18267a89809c94c5c6b4b880b6d4794a8a
SHA256:	328426769c5f5c7565f97853d192f418a16d4bbb9fe6f67584c7aab17fc79eff
SHA512:	960e5e98a1e7678577d0d765200f662cf8b42a84fb615152c7c16017d328325de09ba76e02f6eaf1ee9c314fecb132e479119a9ad060080525c22df8f34d0a81
SSDEEP:	12288:cE3rojxr36oW/a9eQj15XEFvyDNFDjhj4LvDX9sBM7wkKnAu474:Q36oW/agA0aF5U5sBAj0AV4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.................z..........n.... ........@.. ....................................@................................

File Icon


Icon Hash:	cc92316d713396e8

Static PE Info

General
Entrypoint:	0x4a996e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x609BD487 [Wed May 12 13:13:43 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa9914	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0x1a3c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xaa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa7974	0xa7a00	False	0.816795127237	data	7.70966498297	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc	0xaa000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xac000	0x1a3c8	0x1a400	False	0.141722470238	data	3.02305233159	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xac220	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0xac688	0x162a	PNG image data, 256 x 256, 8-bit colormap, non-interlaced
RT_ICON	0xadcb4	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0xb025c	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0xb1304	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xc1b2c	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0xc5d54	0x5a	data
RT_VERSION	0xc5db0	0x36c	data
RT_MANIFEST	0xc611c	0x2aa	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2020
Assembly Version	1.0.0.0
InternalName	IResourceReader.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	LibraryManagementSystem
ProductVersion	1.0.0.0
FileDescription	LibraryManagementSystem
OriginalFilename	IResourceReader.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 19:13:41.991179943 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:42.137243032 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:42.137403965 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:42.471898079 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:42.472305059 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:42.618033886 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:42.618376017 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:42.769876003 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:42.817224026 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:42.855654001 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:43.022999048 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:43.023030996 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:43.023196936 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:43.023355007 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:43.032483101 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:43.178498030 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:43.223392010 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:43.508569002 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:43.655986071 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:43.657286882 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:43.803972960 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:43.805229902 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:43.961558104 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:43.963013887 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:44.108511925 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:44.109119892 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:44.259824991 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:44.260360003 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:44.405968904 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:44.408756018 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:44.408946037 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:44.409893036 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:44.410027027 CEST	49770	587	192.168.2.4	204.93.196.181
May 12, 2021 19:13:44.554506063 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:44.554533005 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:44.555505991 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:44.555521965 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:44.612154961 CEST	587	49770	204.93.196.181	192.168.2.4
May 12, 2021 19:13:44.661021948 CEST	49770	587	192.168.2.4	204.93.196.181

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 19:11:46.560538054 CEST	59123	53	192.168.2.4	8.8.8.8
May 12, 2021 19:11:46.613497019 CEST	53	59123	8.8.8.8	192.168.2.4
May 12, 2021 19:11:46.697056055 CEST	53157	53	192.168.2.4	8.8.8.8
May 12, 2021 19:11:46.750694036 CEST	53	53157	8.8.8.8	192.168.2.4
May 12, 2021 19:11:47.719820023 CEST	54531	53	192.168.2.4	8.8.8.8
May 12, 2021 19:11:47.768543005 CEST	53	54531	8.8.8.8	192.168.2.4
May 12, 2021 19:11:48.848455906 CEST	49714	53	192.168.2.4	8.8.8.8
May 12, 2021 19:11:48.897243023 CEST	53	49714	8.8.8.8	192.168.2.4
May 12, 2021 19:11:49.108866930 CEST	58028	53	192.168.2.4	8.8.8.8
May 12, 2021 19:11:49.157727003 CEST	53	58028	8.8.8.8	192.168.2.4
May 12, 2021 19:11:49.425779104 CEST	53097	53	192.168.2.4	8.8.8.8
May 12, 2021 19:11:49.476300001 CEST	53	53097	8.8.8.8	192.168.2.4
May 12, 2021 19:11:49.645306110 CEST	49257	53	192.168.2.4	8.8.8.8
May 12, 2021 19:11:49.697108984 CEST	53	49257	8.8.8.8	192.168.2.4
May 12, 2021 19:11:50.515705109 CEST	62389	53	192.168.2.4	8.8.8.8
May 12, 2021 19:11:50.567337990 CEST	53	62389	8.8.8.8	192.168.2.4
May 12, 2021 19:11:51.687587023 CEST	49910	53	192.168.2.4	8.8.8.8
May 12, 2021 19:11:51.758534908 CEST	53	49910	8.8.8.8	192.168.2.4
May 12, 2021 19:11:52.532763004 CEST	55854	53	192.168.2.4	8.8.8.8
May 12, 2021 19:11:52.585115910 CEST	53	55854	8.8.8.8	192.168.2.4
May 12, 2021 19:11:53.480865955 CEST	64549	53	192.168.2.4	8.8.8.8
May 12, 2021 19:11:53.532500982 CEST	53	64549	8.8.8.8	192.168.2.4
May 12, 2021 19:11:54.670490980 CEST	63153	53	192.168.2.4	8.8.8.8
May 12, 2021 19:11:54.719238043 CEST	53	63153	8.8.8.8	192.168.2.4
May 12, 2021 19:11:55.955077887 CEST	52991	53	192.168.2.4	8.8.8.8
May 12, 2021 19:11:56.003916025 CEST	53	52991	8.8.8.8	192.168.2.4
May 12, 2021 19:11:56.968161106 CEST	53700	53	192.168.2.4	8.8.8.8
May 12, 2021 19:11:57.025139093 CEST	53	53700	8.8.8.8	192.168.2.4
May 12, 2021 19:11:58.146425962 CEST	51726	53	192.168.2.4	8.8.8.8
May 12, 2021 19:11:58.196830988 CEST	53	51726	8.8.8.8	192.168.2.4
May 12, 2021 19:11:59.152664900 CEST	56794	53	192.168.2.4	8.8.8.8
May 12, 2021 19:11:59.203181982 CEST	53	56794	8.8.8.8	192.168.2.4
May 12, 2021 19:12:00.093301058 CEST	56534	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:00.144956112 CEST	53	56534	8.8.8.8	192.168.2.4
May 12, 2021 19:12:01.348340034 CEST	56627	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:01.397124052 CEST	53	56627	8.8.8.8	192.168.2.4
May 12, 2021 19:12:02.575714111 CEST	56621	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:02.624598980 CEST	53	56621	8.8.8.8	192.168.2.4
May 12, 2021 19:12:03.830370903 CEST	63116	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:03.881943941 CEST	53	63116	8.8.8.8	192.168.2.4
May 12, 2021 19:12:05.424855947 CEST	64078	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:05.473939896 CEST	53	64078	8.8.8.8	192.168.2.4
May 12, 2021 19:12:06.565944910 CEST	64801	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:06.614598989 CEST	53	64801	8.8.8.8	192.168.2.4
May 12, 2021 19:12:07.706861973 CEST	61721	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:07.755686998 CEST	53	61721	8.8.8.8	192.168.2.4
May 12, 2021 19:12:09.077858925 CEST	51255	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:09.126657963 CEST	53	51255	8.8.8.8	192.168.2.4
May 12, 2021 19:12:20.019465923 CEST	61522	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:20.087618113 CEST	53	61522	8.8.8.8	192.168.2.4
May 12, 2021 19:12:24.139097929 CEST	52337	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:24.201580048 CEST	53	52337	8.8.8.8	192.168.2.4
May 12, 2021 19:12:37.421685934 CEST	55046	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:37.543559074 CEST	53	55046	8.8.8.8	192.168.2.4
May 12, 2021 19:12:38.091434002 CEST	49612	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:38.193160057 CEST	53	49612	8.8.8.8	192.168.2.4
May 12, 2021 19:12:38.442490101 CEST	49285	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:38.508245945 CEST	53	49285	8.8.8.8	192.168.2.4
May 12, 2021 19:12:38.824119091 CEST	50601	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:38.874001026 CEST	53	50601	8.8.8.8	192.168.2.4
May 12, 2021 19:12:39.363362074 CEST	60875	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:39.423999071 CEST	53	60875	8.8.8.8	192.168.2.4
May 12, 2021 19:12:39.963660955 CEST	56448	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:40.022229910 CEST	53	56448	8.8.8.8	192.168.2.4
May 12, 2021 19:12:40.555607080 CEST	59172	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:40.614803076 CEST	53	59172	8.8.8.8	192.168.2.4
May 12, 2021 19:12:41.065171957 CEST	62420	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:41.122307062 CEST	53	62420	8.8.8.8	192.168.2.4
May 12, 2021 19:12:41.617177963 CEST	60579	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:41.679270983 CEST	53	60579	8.8.8.8	192.168.2.4
May 12, 2021 19:12:41.964780092 CEST	50183	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:42.025053978 CEST	53	50183	8.8.8.8	192.168.2.4
May 12, 2021 19:12:43.578788996 CEST	61531	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:43.629034996 CEST	53	61531	8.8.8.8	192.168.2.4
May 12, 2021 19:12:44.799892902 CEST	49228	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:44.848611116 CEST	53	49228	8.8.8.8	192.168.2.4
May 12, 2021 19:12:54.243799925 CEST	59794	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:54.301158905 CEST	53	59794	8.8.8.8	192.168.2.4
May 12, 2021 19:12:54.545128107 CEST	55916	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:54.611748934 CEST	53	55916	8.8.8.8	192.168.2.4
May 12, 2021 19:12:57.026010990 CEST	52752	53	192.168.2.4	8.8.8.8
May 12, 2021 19:12:57.087960958 CEST	53	52752	8.8.8.8	192.168.2.4
May 12, 2021 19:13:29.525259972 CEST	60542	53	192.168.2.4	8.8.8.8
May 12, 2021 19:13:29.579981089 CEST	53	60542	8.8.8.8	192.168.2.4
May 12, 2021 19:13:32.090176105 CEST	60689	53	192.168.2.4	8.8.8.8
May 12, 2021 19:13:32.181982994 CEST	53	60689	8.8.8.8	192.168.2.4
May 12, 2021 19:13:41.710572958 CEST	64206	53	192.168.2.4	8.8.8.8
May 12, 2021 19:13:41.876105070 CEST	53	64206	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 19:13:41.710572958 CEST	192.168.2.4	8.8.8.8	0x4dba	Standard query (0)	wasstech.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 12, 2021 19:11:46.750694036 CEST	8.8.8.8	192.168.2.4	0x52b2	No error (0)	a-0019.a.dns.afd.azure.com	a-0019.standard.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 19:13:41.876105070 CEST	8.8.8.8	192.168.2.4	0x4dba	No error (0)	wasstech.com		204.93.196.181	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 12, 2021 19:13:42.471898079 CEST	587	49770	204.93.196.181	192.168.2.4	220-mocha3029.mochahost.com ESMTP Exim 4.93 #2 Wed, 12 May 2021 13:13:42 -0400 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
May 12, 2021 19:13:42.472305059 CEST	49770	587	192.168.2.4	204.93.196.181	EHLO 305090
May 12, 2021 19:13:42.618033886 CEST	587	49770	204.93.196.181	192.168.2.4	250-mocha3029.mochahost.com Hello 305090 [84.17.52.78] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
May 12, 2021 19:13:42.618376017 CEST	49770	587	192.168.2.4	204.93.196.181	STARTTLS
May 12, 2021 19:13:42.769876003 CEST	587	49770	204.93.196.181	192.168.2.4	220 TLS go ahead

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: PO.#4500499953.exe PID: 7012 Parent PID: 5964

General

Start time:	19:11:54
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\PO.#4500499953.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PO.#4500499953.exe'
Imagebase:	0x360000
File size:	795136 bytes
MD5 hash:	3B920D971CEF2B8E6FF4BB93F42C32DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.659929187.0000000003898000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.659929187.0000000003898000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.659524646.0000000003729000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.659524646.0000000003729000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.658940267.0000000002744000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: RegSvcs.exe PID: 7096 Parent PID: 7012

General

Start time:	19:11:57
Start date:	12/05/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0x650000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.915098817.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.915098817.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.916672093.0000000002901000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: NXLun.exe PID: 6248 Parent PID: 3424

General

Start time:	19:12:33
Start date:	12/05/2021
Path:	C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Imagebase:	0xb00000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4684 Parent PID: 6248

General

Start time:	19:12:33
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: NXLun.exe PID: 6388 Parent PID: 3424

General

Start time:	19:12:41
Start date:	12/05/2021
Path:	C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Imagebase:	0xde0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1716 Parent PID: 6388

General

Start time:	19:12:41
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: PO.#4500499953.exe PID: 7012 Parent PID: 5964 PO.#4500499953.exeCOMMON

Executed Functions

Function 04CDF8CC, Relevance: 4.4, Strings: 3, Instructions: 604COMMON

Download Yara Rule

Strings

D0%l, xrefs: 04CDFD65
D0%l, xrefs: 04CDFE65
D0%l, xrefs: 04CDFCD8

Memory Dump Source

Source File: 00000000.00000002.662730547.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false

Similarity

API ID:
String ID: D0%l$D0%l$D0%l
API String ID: 0-1586913657
Opcode ID: 1f5d76893639e75a508675d6dc57405d47ee04b4f80368ade38f99be564f2707
Instruction ID: 8138e123fe962cbe2100045eb7f28275419701251d1b254519ae4b976eae2991
Opcode Fuzzy Hash: 1f5d76893639e75a508675d6dc57405d47ee04b4f80368ade38f99be564f2707
Instruction Fuzzy Hash: AFF14B74A001599FCB24DF65C854BAEB7B3BF88304F158069EA46DB395EF34AD418B90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD7360, Relevance: 3.5, Strings: 2, Instructions: 1028COMMON

Download Yara Rule

Strings

,L%l, xrefs: 04CD8118
,L%l, xrefs: 04CD80D3

Memory Dump Source

Source File: 00000000.00000002.662730547.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false

Similarity

API ID:
String ID: ,L%l$,L%l
API String ID: 0-362773459
Opcode ID: 6e631b29a19e3cd054d11c0ce0d8ad0be5f20483f8118822d00c60dcc0a2592f
Instruction ID: 274dda2c5c6e4c39f2a0649be9423a510c92f67e54170d027e4e64e0317d9821
Opcode Fuzzy Hash: 6e631b29a19e3cd054d11c0ce0d8ad0be5f20483f8118822d00c60dcc0a2592f
Instruction Fuzzy Hash: 93928935A012298FCB14DF69C880AAEB7F2FF89304F15C569E41AEB355D734AD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 026EF640, Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.658857855.00000000026E0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f74af8ddd64a711c2159d4a02bc18c88f1b21722f123ab4352f07a57a536755a
Instruction ID: f7a14604a62e688d9e70e9c9a37802dd4b7fc8cc332d309a83eb971f43749288
Opcode Fuzzy Hash: f74af8ddd64a711c2159d4a02bc18c88f1b21722f123ab4352f07a57a536755a
Instruction Fuzzy Hash: EF126D71A01109DFCF14CFA9D994AAEBBB2FF88354F158069E8169B7A1D730ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04CD73B8, Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662730547.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33231966d1af1157ca4a12cc430644318760987345daa042ef6bb723c6fa177
Instruction ID: fba59ce8084420fdf6604b0f3827859c4728501bca9ccfa5a1699f6eb3be7efc
Opcode Fuzzy Hash: d33231966d1af1157ca4a12cc430644318760987345daa042ef6bb723c6fa177
Instruction Fuzzy Hash: A8D18B35A006298FDB14DF79D884BAEB7F3BF88304F158569D805EB358DB34A942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04CD73FD, Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662730547.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525112fd18c34859f52831508a88563d0b0a88f0eebde565e4262b411bf1cf13
Instruction ID: 9a19dbb556feb4b208ee585b25763a49750ef3c4ce12dc2fabdcefb3d2777d6f
Opcode Fuzzy Hash: 525112fd18c34859f52831508a88563d0b0a88f0eebde565e4262b411bf1cf13
Instruction Fuzzy Hash: B6D19A35A006298FDB14DF79D8847AEB7F3BF88304F158569D805EB358DB34A942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04CD6FE0, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662730547.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039df0ad719dcc0675dc4b645e679cf542cb4f777679ef44a355996db9717780
Instruction ID: 3cae37b812cd590fc05464e3eb0cd95c90e4dcdbe9d42db2408e5166a108d2c7
Opcode Fuzzy Hash: 039df0ad719dcc0675dc4b645e679cf542cb4f777679ef44a355996db9717780
Instruction Fuzzy Hash: 837108B8D4010E9FDF14CFAAD885ABEB7B2FF48314F10A659D416EB254DB31AA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 026EB000, Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 026EDCAA

Memory Dump Source

Source File: 00000000.00000002.658857855.00000000026E0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e832febff6e3e0a4586a600b38c606d54938af29fe2a4f5d805dc24720ac6c19
Instruction ID: 04eccae2aeb86969a484603775ea4845c8dc5744666a41abcec5a3fad4246bbf
Opcode Fuzzy Hash: e832febff6e3e0a4586a600b38c606d54938af29fe2a4f5d805dc24720ac6c19
Instruction Fuzzy Hash: BA51EFB1D00348DFDB15CFA9C884ADEBBB5FF49354F24812AE419AB210D7759846CF90

Uniqueness

Uniqueness Score: -1.00%

Function 026EB01C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 026EDCAA

Memory Dump Source

Source File: 00000000.00000002.658857855.00000000026E0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 03c99f1d7f1dad85eca162409d146772cf64a7c13e722b1bbaed996caa909b2d
Instruction ID: 950b358a5561efb4fd3533054f9ba3bd1a19800d91ea4160a253b308110b1f6a
Opcode Fuzzy Hash: 03c99f1d7f1dad85eca162409d146772cf64a7c13e722b1bbaed996caa909b2d
Instruction Fuzzy Hash: D351BFB1D00209DFDF14CF99C984ADEBBB5BF88754F24812AE919AB210D7B59845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 026EDB93, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 026EDCAA

Memory Dump Source

Source File: 00000000.00000002.658857855.00000000026E0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fa096837616404d23f90b2f9b5aec85c5ce61cf4b30dad8e6b60ae4c6af30c72
Instruction ID: 7736cd4ed6ecf6abe2b4a56d95d9d61173821e4eaa9593f01d9b836263fcbabf
Opcode Fuzzy Hash: fa096837616404d23f90b2f9b5aec85c5ce61cf4b30dad8e6b60ae4c6af30c72
Instruction Fuzzy Hash: 3241C0B1D00208DFDF14CF99C884ADEBBB5FF88754F24812AE819AB210D7B59945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD3E44, Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04CD3F01

Memory Dump Source

Source File: 00000000.00000002.662730547.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fb74cd40be08e5d2f4eb337b563356499b10611554ada956d7b8c435543e2c9e
Instruction ID: 0815477dd5e4cae0795f4e9137c4e0e19659cdc5e3483e2d9c54d18840a5003f
Opcode Fuzzy Hash: fb74cd40be08e5d2f4eb337b563356499b10611554ada956d7b8c435543e2c9e
Instruction Fuzzy Hash: 8541E4B1C0465DCFDB24CF99C94479EBBF2BF48308F108069D908AB255D7B56946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04CD2CDC, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04CD3F01

Memory Dump Source

Source File: 00000000.00000002.662730547.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 578092205dd2bd9aae223c906dc47f9e8b69675e0fa1c09fa0d11349d8da4142
Instruction ID: 8e001f7ef51b5cdfb8bdba97a11ec9d76dca354811bcd25d23f7dbafd1becb5c
Opcode Fuzzy Hash: 578092205dd2bd9aae223c906dc47f9e8b69675e0fa1c09fa0d11349d8da4142
Instruction Fuzzy Hash: 1D4104B0C0425DCFDB24DF99C84479EBBB2FF48308F108069D908AB255D7B46945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04CD0CD0, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04CD0D91

Memory Dump Source

Source File: 00000000.00000002.662730547.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 20d30c0add63f9def6f630d2bc6205bb749d9bd546ab4af247ec5a4251ade53b
Instruction ID: 7e57e8a8513e2fd38d4854588bff76f3c4d1f92908d80d2daa06a57e0af5296d
Opcode Fuzzy Hash: 20d30c0add63f9def6f630d2bc6205bb749d9bd546ab4af247ec5a4251ade53b
Instruction Fuzzy Hash: D4410BB4900209CFDB14CF5AC488A9ABBF6FB89318F15C45DE519A7321D774A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 026E5841, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,026E6C9E,?,?,?,?,?), ref: 026E6D5F

Memory Dump Source

Source File: 00000000.00000002.658857855.00000000026E0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 61874a8675a44cd91ec887659de2cb7c49040092238860f766ab2f5169389941
Instruction ID: 9ece7968ccb9e00a7d0836b180f52922e8ea9407dfb805e534b14113454b796b
Opcode Fuzzy Hash: 61874a8675a44cd91ec887659de2cb7c49040092238860f766ab2f5169389941
Instruction Fuzzy Hash: 342105B5901218DFCB10CFAAD984AEEBBF8FB58324F14801AE915B3350D774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026E5844, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,026E6C9E,?,?,?,?,?), ref: 026E6D5F

Memory Dump Source

Source File: 00000000.00000002.658857855.00000000026E0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a36579fb167c29d0ec53c0084488b7402a6087f4e6fbae5e067c1860b7ed97c6
Instruction ID: 3a2689a3c682c9dc218da7124172ddba5cc0feef1494c4fe5cd89d45cba4c9cb
Opcode Fuzzy Hash: a36579fb167c29d0ec53c0084488b7402a6087f4e6fbae5e067c1860b7ed97c6
Instruction Fuzzy Hash: C52114B5901208AFDB10CFAAD984ADEBBF8FB48324F14801AE915B3350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026E6CD4, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,026E6C9E,?,?,?,?,?), ref: 026E6D5F

Memory Dump Source

Source File: 00000000.00000002.658857855.00000000026E0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e6326679ea64d5ae8300a8300f9dc3773b4d028ff3aa5ded9865912ac638fb72
Instruction ID: 5a0ad1e1996fc80f3729def3538aafd2640adac5fdecb4abac0100d410fc1398
Opcode Fuzzy Hash: e6326679ea64d5ae8300a8300f9dc3773b4d028ff3aa5ded9865912ac638fb72
Instruction Fuzzy Hash: 9421E4B5900208AFDB10CFAAD984ADEBBF8FB48324F14801AE915B3350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026EAEE0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,026EBDA9,00000800,00000000,00000000), ref: 026EBFBA

Memory Dump Source

Source File: 00000000.00000002.658857855.00000000026E0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6b388295193414c490d3473f3a53f9cf2a383bfc2eed7b36833f764e20c6f162
Instruction ID: 6448d33f62b7b40849fbf7f86ca3f244e2e3f49ec911bec885dfe9619ed22cf5
Opcode Fuzzy Hash: 6b388295193414c490d3473f3a53f9cf2a383bfc2eed7b36833f764e20c6f162
Instruction Fuzzy Hash: C711C2B69052099FDB10CF9AD444B9EFBF4FB88328F14842EE516B7600C3B5A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 026EFD78, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 026EFDEB

Memory Dump Source

Source File: 00000000.00000002.658857855.00000000026E0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 525dc9eaf3e2fa887ce0b377f69a21a9c2e684bc0edeb7475fff40dc9d00f15a
Instruction ID: 6eec5a953e2b8df9b835d4efb3d67865fa5c0dba00e5b7ed7b3c80f241cf6c0c
Opcode Fuzzy Hash: 525dc9eaf3e2fa887ce0b377f69a21a9c2e684bc0edeb7475fff40dc9d00f15a
Instruction Fuzzy Hash: 0F21E7B59002499FCB10CF9AC584BDEFBF4FB48324F108429E559A7640D778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026EFD70, Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 026EFDEB

Memory Dump Source

Source File: 00000000.00000002.658857855.00000000026E0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e3df00fab4179d463e193b1cf81978683525d5bcf795a57186a93f6fde043913
Instruction ID: 6ef3ec2bfe2ac25479f2a5f1fc31752ed90fe104052b3a68239933422b0dd644
Opcode Fuzzy Hash: e3df00fab4179d463e193b1cf81978683525d5bcf795a57186a93f6fde043913
Instruction Fuzzy Hash: 7221D6B5D002099FDB10CF9AC584BDEBBF4FB48324F108429E959A7650D778AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026EBF4F, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,026EBDA9,00000800,00000000,00000000), ref: 026EBFBA

Memory Dump Source

Source File: 00000000.00000002.658857855.00000000026E0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: caf345bfbc842d59b07f984ade4addfcc2409d2f01cfd211baa8387e512ac993
Instruction ID: dc2ecda83bc8273c6ebeeae0523da5ef5526a03d7003e1ff8c4e93b73287cf2f
Opcode Fuzzy Hash: caf345bfbc842d59b07f984ade4addfcc2409d2f01cfd211baa8387e512ac993
Instruction Fuzzy Hash: CC11D0B69002098FCB10CF9AD484ADEFBF4FB88324F14842AE529A7600C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 026EAE88, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,026EBAFB), ref: 026EBD2E

Memory Dump Source

Source File: 00000000.00000002.658857855.00000000026E0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: eabecbd4103c609ed406f819ef56d1cb2873cd746808d9da349e00bee5dd748d
Instruction ID: b6ad546c8b4116c6f69483327803337b3668699098a5befc70b4a7b0084cd32e
Opcode Fuzzy Hash: eabecbd4103c609ed406f819ef56d1cb2873cd746808d9da349e00bee5dd748d
Instruction Fuzzy Hash: A011F0B59012498FDB10CF9AC448B9EFBF4FB88228F14842AE819B7740C374A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026EB054, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,026EDDC8,?,?,?,?), ref: 026EDE3D

Memory Dump Source

Source File: 00000000.00000002.658857855.00000000026E0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 48b5be4114e6c94abaf649f7eb58c7be80b4f9df3891fafc71a9781f806072eb
Instruction ID: 722cc94518034777c70c12b7ee99846f0df3d80b88b5e2219d084a50bb9bb9c4
Opcode Fuzzy Hash: 48b5be4114e6c94abaf649f7eb58c7be80b4f9df3891fafc71a9781f806072eb
Instruction Fuzzy Hash: E61103B59002089FDB10DF99D588BEFBBF8EB49324F10845AE915B7340C3B4A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 026EDDDB, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,026EDDC8,?,?,?,?), ref: 026EDE3D

Memory Dump Source

Source File: 00000000.00000002.658857855.00000000026E0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 20c6a3ea4edc3e9290519d936b980a0e981d4b47c0c722d5c868532944463b7a
Instruction ID: 2abb371e254dcaf3c7527a48ade6b10985dced92f7a2949221ea4f74a60eadf3
Opcode Fuzzy Hash: 20c6a3ea4edc3e9290519d936b980a0e981d4b47c0c722d5c868532944463b7a
Instruction Fuzzy Hash: C11103B58002098FDB10DF99D589BDFBBF8EB48324F10845AE915A7300C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CED4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.658672522.0000000000CED000.00000040.00000001.sdmp, Offset: 00CED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 666fff9e28f1f09eb53b2f1bb850bcd03ed03d8841e14b51bbeeaef7e00a0810
Instruction ID: 7ab2a91687c706900f55987d38dbbec9cd923c092c5daac0dc5356631856931c
Opcode Fuzzy Hash: 666fff9e28f1f09eb53b2f1bb850bcd03ed03d8841e14b51bbeeaef7e00a0810
Instruction Fuzzy Hash: A42137F1504380DFCB05CF11D9C0B26BFA5FB98328F248569E9064B24AC336D946CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CFD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.658700623.0000000000CFD000.00000040.00000001.sdmp, Offset: 00CFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2af272c73175e06ef5eb150478fdd278cae858315de315c9b0bf7c0ee97a4f
Instruction ID: e200fab627a658f61861b7bfff7a5be75e177eebddee96615286131203f6d19e
Opcode Fuzzy Hash: df2af272c73175e06ef5eb150478fdd278cae858315de315c9b0bf7c0ee97a4f
Instruction Fuzzy Hash: 232107B1504248DFDB54DF10D9C4B26BBA6FB84314F24C56DEA0A4B246CB76D847CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CFD005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.658700623.0000000000CFD000.00000040.00000001.sdmp, Offset: 00CFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5cf65c91b0d6b97d5efdc0fb5338a3fd07ead520bf985b8998f47230e60981
Instruction ID: 7378cdea7405ef55ad3dee6134c26332fb61351079e91e478c9f42e8fe579e65
Opcode Fuzzy Hash: 3f5cf65c91b0d6b97d5efdc0fb5338a3fd07ead520bf985b8998f47230e60981
Instruction Fuzzy Hash: FE2192755093C48FCB12CF20D994715BF71EB46314F28C5EBD8498B697C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CED4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.658672522.0000000000CED000.00000040.00000001.sdmp, Offset: 00CED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction ID: 1fbb8671a008433600ccf63e07a5af491a6561da78485124958f328a2bd61605
Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction Fuzzy Hash: 3911D3B6504280CFCB11CF10D9C4B16BF71FB98324F2886A9D8060B616C33AD956CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CED749, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.658672522.0000000000CED000.00000040.00000001.sdmp, Offset: 00CED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248c824def4b9c0e34c4832a09a58906ffea0eec355c499d688f8c4738aeabbd
Instruction ID: 480f36c474643fcac3fefa6583e561bc8f8d89bcabb22eaab0af500dc76d4fb2
Opcode Fuzzy Hash: 248c824def4b9c0e34c4832a09a58906ffea0eec355c499d688f8c4738aeabbd
Instruction Fuzzy Hash: C601F2721083849AE7208B27CC84B66FBD8EF85324F18855AED165B24EC3B89D40C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00CED748, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.658672522.0000000000CED000.00000040.00000001.sdmp, Offset: 00CED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c0ea425f2e93dc9a4e603473d981c19196d26ab9657eb62c55190d9c76b01a
Instruction ID: 6a7009b5147b93473ee70499d25172d4101e0cf68de7d34339b299d3c1bd8762
Opcode Fuzzy Hash: 19c0ea425f2e93dc9a4e603473d981c19196d26ab9657eb62c55190d9c76b01a
Instruction Fuzzy Hash: C8F0C2714043849EE7108B16CCC4B62FBE8EF81734F18C15AED185F28AC3789C44CAB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04CD87D8, Relevance: 3.9, Strings: 3, Instructions: 175COMMON

Download Yara Rule

Strings

#dL, xrefs: 04CD886C
#dL, xrefs: 04CD8899, 04CD889F, 04CD88A7, 04CD8919
, xrefs: 04CD88EE

Memory Dump Source

Source File: 00000000.00000002.662730547.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false

Similarity

API ID:
String ID: $#dL$#dL
API String ID: 0-488775132
Opcode ID: 71c07a0f9a23ba33512e4fe5a7c1e9c66bfdfe4e268964dfbf988067c3a3b867
Instruction ID: 1f2ac56549745d09ff7354989391c5740b29ccd4bacaa80e7b3975aa229072e8
Opcode Fuzzy Hash: 71c07a0f9a23ba33512e4fe5a7c1e9c66bfdfe4e268964dfbf988067c3a3b867
Instruction Fuzzy Hash: 6851EE75B001198FCB14EF78D8846AEB7E3FBC8225B15817AD216DB359DB30ED018B91

Uniqueness

Uniqueness Score: -1.00%

Function 00362D8B, Relevance: 2.9, Strings: 1, Instructions: 1662COMMON

Download Yara Rule

Strings

ARff, xrefs: 00363879

Memory Dump Source

Source File: 00000000.00000002.657728692.0000000000362000.00000002.00020000.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.657724084.0000000000360000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657823570.000000000040C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ARff
API String ID: 0-4204925654
Opcode ID: b8aaff66f47bb9e381c793913a6c637b813492a5e8240c869d63d9fa795a1585
Instruction ID: 481ebb56420c9fa26b0487fc4909c102bea5c4b9716856d7c84cf494d06118cf
Opcode Fuzzy Hash: b8aaff66f47bb9e381c793913a6c637b813492a5e8240c869d63d9fa795a1585
Instruction Fuzzy Hash: 7AD2331104F7C25FC7138BB49CB16D2BFB1AE5322475E89CBD4C18F0A3D2195AAAD762

Uniqueness

Uniqueness Score: -1.00%

Function 04CD84B0, Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

`$l, xrefs: 04CD852D

Memory Dump Source

Source File: 00000000.00000002.662730547.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false

Similarity

API ID:
String ID: `$l
API String ID: 0-784925101
Opcode ID: a258e86e2836d748e83cd5adbd2e36095d332a1729c9114f9da538aa451ab6a5
Instruction ID: c01e7fdc757fe6f6510c099e093ee1907d98ded2efa401eda4c144ef7f653ef6
Opcode Fuzzy Hash: a258e86e2836d748e83cd5adbd2e36095d332a1729c9114f9da538aa451ab6a5
Instruction Fuzzy Hash: F6816B36F101149FD714EB69DC90AAEB3E3AFC8714F1A8074E519DBB65DB34AC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00362538, Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.657728692.0000000000362000.00000002.00020000.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.657724084.0000000000360000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.657823570.000000000040C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd8879217c0374f29452804597a4afbe420f796d4fc108f2d744eb7a5aa46af
Instruction ID: 9d63e68faca12b73bd1de51b28bcd0dd618d3e9e09a1c35018255d11ef996d1c
Opcode Fuzzy Hash: 9bd8879217c0374f29452804597a4afbe420f796d4fc108f2d744eb7a5aa46af
Instruction Fuzzy Hash: C722682104EBD24FCB13DB746A711D1BFB1AE4321431E94CBC0C18F5A7E6165AAAE772

Uniqueness

Uniqueness Score: -1.00%

Function 026EC428, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.658857855.00000000026E0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 336d4fec3dce12e31fd17b1ec977c9ea83c4ab1e5946ebd9e6fe9bb72452d1f2
Instruction ID: cb9e9764f5288b7e502480725ea2c793d5fdb4159c101e56689f87df38d2bce8
Opcode Fuzzy Hash: 336d4fec3dce12e31fd17b1ec977c9ea83c4ab1e5946ebd9e6fe9bb72452d1f2
Instruction Fuzzy Hash: 5E12B6F9412746EBE710CF65E8983A93BA1F744328F924228D2611BAD1D7BC1DCACF54

Uniqueness

Uniqueness Score: -1.00%

Function 04CDD608, Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662730547.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0667260e47379aaaa1db844dea0724f21ed9471066ffb2e1fa87cb82998638c2
Instruction ID: dd5d32764032a6aff040498f232ef3c09e93c6df6e64e31aef760ef6341a24ea
Opcode Fuzzy Hash: 0667260e47379aaaa1db844dea0724f21ed9471066ffb2e1fa87cb82998638c2
Instruction Fuzzy Hash: EED11830D20A8A9ACB10EF65D950AADB3B1FFD5300F51C79AE5097B225EB707AC5CB50

Uniqueness

Uniqueness Score: -1.00%

Function 026E98F8, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.658857855.00000000026E0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3beb49a853749ef16926df29b6a6a74ae79cc19b8ab9ebadac93da574ad8193e
Instruction ID: 70c934d4dce3b2764e8033b1258be4ac7fd78e31bd9f452a18f656f4e6634df8
Opcode Fuzzy Hash: 3beb49a853749ef16926df29b6a6a74ae79cc19b8ab9ebadac93da574ad8193e
Instruction Fuzzy Hash: D6A17D36E01219CFCF15DFA5C8845DDBBB2FF85305B15816AE806BB260EB75A946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04CDD618, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662730547.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c289a19d7cc980ec950904da458bd6db2dc0b332f9a451c4302310c469b1726
Instruction ID: 77768bb3cd633d77f49201f692bef57d9ab6a8991d62b9e79e6aeb67e6beb22d
Opcode Fuzzy Hash: 2c289a19d7cc980ec950904da458bd6db2dc0b332f9a451c4302310c469b1726
Instruction Fuzzy Hash: 14D10830D20A8A9ACB10EF65D950AADB3B1FFD5300F51C79AD5097B224EB707AC5CB50

Uniqueness

Uniqueness Score: -1.00%

Function 026EC427, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.658857855.00000000026E0000.00000040.00000001.sdmp, Offset: 026E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3f6f7511a3ea2bbe45513848ec3b21026b8a6cfd8f4fc1c6575bb5b8738dcc
Instruction ID: 8804fc764afb60b0648f814963792807535a308339565e832267518d0a22dcbb
Opcode Fuzzy Hash: 9f3f6f7511a3ea2bbe45513848ec3b21026b8a6cfd8f4fc1c6575bb5b8738dcc
Instruction Fuzzy Hash: ADC11CB9812745EBD710CF65E8883A97BB1FB85328F524328D2612B6D0D7BC19CACF54

Uniqueness

Uniqueness Score: -1.00%

Function 04CD8551, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662730547.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c07a74ed4ec8c22859c25a681095de899fd15d0512eff152a2e4b8b2ec1b3dd
Instruction ID: 79aa70d68d1c5c15a3d9c3d50729d72b813876ad28b9709ab29f2e0e506d67d5
Opcode Fuzzy Hash: 4c07a74ed4ec8c22859c25a681095de899fd15d0512eff152a2e4b8b2ec1b3dd
Instruction Fuzzy Hash: 48614A36F105248FD714EB69DC90BAEB3E3AFC8714F1A8174E5159BB65DB34AC028B90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD78FF, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662730547.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe4e478d0e7ccdc77ae926170fa58507bb94fd7d7e64664e0ec1eea7a665a55
Instruction ID: 7cb06c3bedb41a1a91a47fb0602414273ba1f315e3ddd9b16c5de8e3794fb1b9
Opcode Fuzzy Hash: abe4e478d0e7ccdc77ae926170fa58507bb94fd7d7e64664e0ec1eea7a665a55
Instruction Fuzzy Hash: 76313C79A5011ACFCF14CFA9E481AAEF7F2FF49304B25E115D01AEB294DB35A901CB50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 7096 Parent PID: 7012 RegSvcs.exeCOMMON

Executed Functions

Function 00D38970, Relevance: 2.3, APIs: 1, Instructions: 809libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00D39190

Memory Dump Source

Source File: 00000001.00000002.915801260.0000000000D30000.00000040.00000001.sdmp, Offset: 00D30000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8457e45b94880956bbc55d852bfaf1a82ee2e78c88e48db27279a22a15e53643
Instruction ID: 5559f53c4153d7d2f0b90bbb6d7f71d0acc750b8fb3382d434d8ff690eb23f82
Opcode Fuzzy Hash: 8457e45b94880956bbc55d852bfaf1a82ee2e78c88e48db27279a22a15e53643
Instruction Fuzzy Hash: B2722A75E046198FCB24EF78C85469DB7F2AF89300F1085AAD54AAB350EF709E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02876B50, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02876BB0
GetCurrentThread.KERNEL32 ref: 02876BED
GetCurrentProcess.KERNEL32 ref: 02876C2A
GetCurrentThreadId.KERNEL32 ref: 02876C83

Memory Dump Source

Source File: 00000001.00000002.916513686.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 43849262af09cbd091ab9528a89a5bbdb2a8a331aeaa1078a1a3bd9eecc70bed
Instruction ID: edd1fe043774cc8e566fbacf95c61468264969563af53b6b3188f2881f1dd752
Opcode Fuzzy Hash: 43849262af09cbd091ab9528a89a5bbdb2a8a331aeaa1078a1a3bd9eecc70bed
Instruction Fuzzy Hash: 655146B8A006588FEB10CFAAD64879EBBF4FF89314F208559E409A7350D774A944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D3C8D8, Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.915801260.0000000000D30000.00000040.00000001.sdmp, Offset: 00D30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91a5a9b610a295faed74730476275b4d7cec087a4f823529d745656326e2dda
Instruction ID: aba2b44fde86018b5f583c5e0325458265b5acc9bb326790315cf256dbf923d2
Opcode Fuzzy Hash: e91a5a9b610a295faed74730476275b4d7cec087a4f823529d745656326e2dda
Instruction Fuzzy Hash: 5A41F4B2E143598FCB00CBA9D8143EEBBF5AF89320F05856AD504A7351EB789845CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02875184, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028752A2

Memory Dump Source

Source File: 00000001.00000002.916513686.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9339c238a20bf7187cc2a3af6dbcf9c6ef738c121fdd0ce2bdff0ee997b7b84a
Instruction ID: 27c1a5181855e59c244d94272a62ef5652f43601f15d3c8413f6b122304b8dfa
Opcode Fuzzy Hash: 9339c238a20bf7187cc2a3af6dbcf9c6ef738c121fdd0ce2bdff0ee997b7b84a
Instruction Fuzzy Hash: 9351E0B5D10309AFDB14CF99C884ADEFBB5FF48314F64812AE819AB210D775A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02875190, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028752A2

Memory Dump Source

Source File: 00000001.00000002.916513686.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f0f48bda22fd50cd1030e88d2406185a4756b229b5ff9d676a3d3ee32b8bd821
Instruction ID: 433eade9b080400c01e66daae3786a5911affc20c3c42a41e35175d3a1e1802c
Opcode Fuzzy Hash: f0f48bda22fd50cd1030e88d2406185a4756b229b5ff9d676a3d3ee32b8bd821
Instruction Fuzzy Hash: 7941B0B5D103099FDF14CFA9C884ADEBBB5FF48314F64812AE819AB210D775A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02876964, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02877CF9

Memory Dump Source

Source File: 00000001.00000002.916513686.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 0b8e0cc9daae211ac9f31316bfbcfdf31f3cf31df97fb1fd41c49ebc70ec54f6
Instruction ID: 8cb487ade10882705864b5a83c54c438b5577dd8e9aadbc27faa9800d38f3669
Opcode Fuzzy Hash: 0b8e0cc9daae211ac9f31316bfbcfdf31f3cf31df97fb1fd41c49ebc70ec54f6
Instruction Fuzzy Hash: 284149B9A002598FEB10CF99C488BAAFBF5FB88314F148458E519AB310C374E841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02876D71, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02876DFF

Memory Dump Source

Source File: 00000001.00000002.916513686.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 12fb3a44fda90e6489943e5b52ed0f14781beb7a7bf01052fd43f22d786587aa
Instruction ID: dcc67944cb013e58140a032aa84a6b220c3783ac17df198dcf0642453d6a881a
Opcode Fuzzy Hash: 12fb3a44fda90e6489943e5b52ed0f14781beb7a7bf01052fd43f22d786587aa
Instruction Fuzzy Hash: AC21E4B5900218AFDB10CFA9D884ADEFBF8FB49324F14802AE915A7310D375A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02876D78, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02876DFF

Memory Dump Source

Source File: 00000001.00000002.916513686.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1410bf631180f7bfcd3e46d5882e81e0a3cf71c54db40b4fc1f5d4cf26be50e9
Instruction ID: 124f723942ce5b1751d9d46134b7d355719992d65d6790ae02e47ebef25bda4a
Opcode Fuzzy Hash: 1410bf631180f7bfcd3e46d5882e81e0a3cf71c54db40b4fc1f5d4cf26be50e9
Instruction Fuzzy Hash: D321D5B5D002189FDB10CFA9D984ADEFBF8FB49324F14841AE915A7310D375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05D066B8, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,05D06699,00000800), ref: 05D0672A

Memory Dump Source

Source File: 00000001.00000002.920451892.0000000005D00000.00000040.00000001.sdmp, Offset: 05D00000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b226d8dbeb05c740a55434a191296e2ee174651eba0f2e89e20cdcdccd2d1dcd
Instruction ID: 4d3ed707a03e674e1471c9698bb46236f8f678c54125b8d9e590ef523a6f0b98
Opcode Fuzzy Hash: b226d8dbeb05c740a55434a191296e2ee174651eba0f2e89e20cdcdccd2d1dcd
Instruction Fuzzy Hash: F32124B68043499FCB10CFAAC848BDEFBF4FB89320F04856AD555A7640C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0287BDE8, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916513686.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 9de7e079d7589645ff575153cf12c35569bd915dcf042bbf55d2fece8e37f8e4
Instruction ID: 93d44a3c5d64fd4bcb9a1e5099c4a3c15e1de448c87fbfd2ffaaeacf927f38d6
Opcode Fuzzy Hash: 9de7e079d7589645ff575153cf12c35569bd915dcf042bbf55d2fece8e37f8e4
Instruction Fuzzy Hash: 0D21AEBA8053098FDB10DFAAC8483DEBBF1FB46328F20852AD515A3341C779A445CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D37D58, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00D3C92A), ref: 00D3CA17

Memory Dump Source

Source File: 00000001.00000002.915801260.0000000000D30000.00000040.00000001.sdmp, Offset: 00D30000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 090dc09f81a0e4e56990e57098d1f4dc76e4fbac3afca3710445c36cac69c4d3
Instruction ID: 7ecde829e39ad9b6bd45d12da6ccdd7502969742f5fa7c2a5e9a368d3f4bd75e
Opcode Fuzzy Hash: 090dc09f81a0e4e56990e57098d1f4dc76e4fbac3afca3710445c36cac69c4d3
Instruction Fuzzy Hash: A711F2B1C046199BCB10CF9AC4447DEFBF4EB48324F15812AE918B7240D3B8A955CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0287BDF3, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0287BE72

Memory Dump Source

Source File: 00000001.00000002.916513686.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: c64a41fc0f82638f528fdb5110de893c5bd6883c8df55d211fbff62950eb09a0
Instruction ID: 6ded840ffcb8687e046d69948a56ea9fe2a1fd3afd2486a102d6bb1f4ff1d89d
Opcode Fuzzy Hash: c64a41fc0f82638f528fdb5110de893c5bd6883c8df55d211fbff62950eb09a0
Instruction Fuzzy Hash: DD219A7A9013098FDB20DFAAC84879EBBF5FB49328F208429D605A3341C379A445CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05D057F4, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,05D06699,00000800), ref: 05D0672A

Memory Dump Source

Source File: 00000001.00000002.920451892.0000000005D00000.00000040.00000001.sdmp, Offset: 05D00000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 98f35647e9a58bfe9923e8d5fbc103c6c65273189b20782d5d8b657f025711ee
Instruction ID: 69f135cdd0158761ad204e92a5f180f812ea860fbd9317a517f4eae14c4f3381
Opcode Fuzzy Hash: 98f35647e9a58bfe9923e8d5fbc103c6c65273189b20782d5d8b657f025711ee
Instruction Fuzzy Hash: C51103B69042099FDB10CF9AC448BEEFBF4EB89324F04842AE915A7740C375A555CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0287BDF8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0287BE72

Memory Dump Source

Source File: 00000001.00000002.916513686.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 976f882058504573b1eca60440369a08b0e19d93193d10b8b339cecea57b3fe9
Instruction ID: 9219b0443f2b0dd78a4b1f3e75619283f9a5ae4a8e5baf8d4fdcfa5cff7fbca2
Opcode Fuzzy Hash: 976f882058504573b1eca60440369a08b0e19d93193d10b8b339cecea57b3fe9
Instruction Fuzzy Hash: 5311AC799013098FDB20DFAAC84879EBBF5FB49328F208429D505E3741C779A845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D3C9A8, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00D3C92A), ref: 00D3CA17

Memory Dump Source

Source File: 00000001.00000002.915801260.0000000000D30000.00000040.00000001.sdmp, Offset: 00D30000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 10b16cc20ee34a8c5d3c1d213428b2b1c68fe3db8415fed2d66c81947406bff2
Instruction ID: 78505ec92729fa31d644291fee92edd751e2334b2dc0c85b8a6170c71cc9c73f
Opcode Fuzzy Hash: 10b16cc20ee34a8c5d3c1d213428b2b1c68fe3db8415fed2d66c81947406bff2
Instruction Fuzzy Hash: 4C110DB2C002299BCB00CFAAC5447DEFBB4AB08224F05852AD918B7240D378A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02872F44, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02874216

Memory Dump Source

Source File: 00000001.00000002.916513686.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: dcda868270a2c96280737d02c8a209944cadc61d0716e5560a4a8698930eaa8b
Instruction ID: 98d7548a226054bb2cc3bbae95db09888cef2a5cd25459a889ff006d9692e033
Opcode Fuzzy Hash: dcda868270a2c96280737d02c8a209944cadc61d0716e5560a4a8698930eaa8b
Instruction Fuzzy Hash: E01104B9D002498FDB10DF9AD444BDEFBF4EB49224F11842AD829B7600C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05D09FE8, Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05D0A045

Memory Dump Source

Source File: 00000001.00000002.920451892.0000000005D00000.00000040.00000001.sdmp, Offset: 05D00000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c6aa7aa2ab15e61524c503293e496d5424dfcdc3cc312bc62e15c088e601d9e6
Instruction ID: 4fa891f05701563cdd7ea762a9905db527aba600f40a9722fbf62f73398863d1
Opcode Fuzzy Hash: c6aa7aa2ab15e61524c503293e496d5424dfcdc3cc312bc62e15c088e601d9e6
Instruction Fuzzy Hash: 4E1125B18043498FCB10CFA9C844BCEBFF4AB49324F14851AD559A7680D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05D09090, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05D0A045

Memory Dump Source

Source File: 00000001.00000002.920451892.0000000005D00000.00000040.00000001.sdmp, Offset: 05D00000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d29134d91c3d66dcd1516064b7c5694941b3f59cf2d03caada7822fcc3f13bcf
Instruction ID: decf959b655a208f5e7dd8c2cb4b9ef1b4a84db15f6a07c34ca466d98b1225ff
Opcode Fuzzy Hash: d29134d91c3d66dcd1516064b7c5694941b3f59cf2d03caada7822fcc3f13bcf
Instruction Fuzzy Hash: 061115B19043498FDB10DF99D888BDEBBF4EB49324F14841AE519B7740D379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 028741AB, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02874216

Memory Dump Source

Source File: 00000001.00000002.916513686.0000000002870000.00000040.00000001.sdmp, Offset: 02870000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 42b14f7247f782e26f65e8695fd83229609bd5c3803328eae6d2ace4d9a14d6c
Instruction ID: 2e01880b53a85edb916e183372f4765c69310cef4f79b3eb89d7c5f0cd8b41d0
Opcode Fuzzy Hash: 42b14f7247f782e26f65e8695fd83229609bd5c3803328eae6d2ace4d9a14d6c
Instruction Fuzzy Hash: AD1102BAD002098EDB10CFAAD4447DEFBF5FB48324F11842AD429B7600C378A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E1D450, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916058696.0000000000E1D000.00000040.00000001.sdmp, Offset: 00E1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d836a1a3b4e211f8abedffa8fc4f2ca6b1e21c81dafb320a1d8b05acc247e927
Instruction ID: 35e93490008f41fb627178242c4f93c1a9cfee174cb6ab33910a66be00accc4c
Opcode Fuzzy Hash: d836a1a3b4e211f8abedffa8fc4f2ca6b1e21c81dafb320a1d8b05acc247e927
Instruction Fuzzy Hash: C22106B1508240DFDB14DF10DCC0BA7BB66FB88328F248569E9055B206C336E886CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E1D53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916058696.0000000000E1D000.00000040.00000001.sdmp, Offset: 00E1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9ab3d6610760de08b923f3721efe41b7d058b1f54cf00160bfcec979864f48
Instruction ID: 2906f3369083ff29e410b1fdc374f721fadcb0987c13bdb3d8f8edf4b7a4960d
Opcode Fuzzy Hash: 2d9ab3d6610760de08b923f3721efe41b7d058b1f54cf00160bfcec979864f48
Instruction Fuzzy Hash: AE213AB1508240DFCB05DF10DCC0FA6BFA6FB94328F248569E9055B246C336D896DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E2D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916097162.0000000000E2D000.00000040.00000001.sdmp, Offset: 00E2D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf033110894e85dd8c1b45843b31a6abce7ad473af19bffa8ef0a4c05f5f5e2f
Instruction ID: 286a7ffe1c2cab48d1a4ca2a4a6d178260a5c816d2e59a52784710c42022313c
Opcode Fuzzy Hash: bf033110894e85dd8c1b45843b31a6abce7ad473af19bffa8ef0a4c05f5f5e2f
Instruction Fuzzy Hash: 1F21F5B1508240DFCB14CF10ECC4F16BBA6FB84318F24C569DA495B256C776D847CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E2D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916097162.0000000000E2D000.00000040.00000001.sdmp, Offset: 00E2D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6558365aea96df9b1dedfd3f9f68daab835a457fb96760f38cc0c5706cc73b19
Instruction ID: a107e7dfdb9b1dd2a2e56bce6b9861755b43cea38aac0683788128f09e58d226
Opcode Fuzzy Hash: 6558365aea96df9b1dedfd3f9f68daab835a457fb96760f38cc0c5706cc73b19
Instruction Fuzzy Hash: 7721537550D3C08FCB12CF24D994B15BF71EB46314F28C5DAD9498B667C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E1D44B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916058696.0000000000E1D000.00000040.00000001.sdmp, Offset: 00E1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction ID: 2c8b944bda534e760aa44278facfd6ac4a1be1ae1a86057d49871a241a69bcd6
Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction Fuzzy Hash: 7F11D376508280CFCF11CF14D9C4B5ABF72FB84328F28C6A9D8051B616C336D89ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E1D537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.916058696.0000000000E1D000.00000040.00000001.sdmp, Offset: 00E1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction ID: 9335ff14cbc7f3081be3c88732711d98c39bebe100b7d97070c15acb2590d522
Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction Fuzzy Hash: A611D676504240CFCB11CF10D9C4B56BF72FB94324F24C5A9D8055B616C336D856CB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: NXLun.exe PID: 6248 Parent PID: 3424 NXLun.exeCOMMON

Executed Functions

Function 02C50F38, Relevance: 1.8, Strings: 1, Instructions: 572COMMON

Download Yara Rule

Strings

$,%l, xrefs: 02C5176D

Memory Dump Source

Source File: 0000000C.00000002.735101314.0000000002C50000.00000040.00000001.sdmp, Offset: 02C50000, based on PE: false

Similarity

API ID:
String ID: $,%l
API String ID: 0-2478089573
Opcode ID: dcc5a7af9f1bc4525a29d7b399ed605165c9186171660586682608fdae65dd8f
Instruction ID: 82c43cc6e9941fa680120117e73dd49bcbc07f2c6e9cfdd72b489c5edb123af1
Opcode Fuzzy Hash: dcc5a7af9f1bc4525a29d7b399ed605165c9186171660586682608fdae65dd8f
Instruction Fuzzy Hash: FD326334B00612CFC714EF65E8A476B73F6EBC4305B148968D95A8B398DB75EC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02C50728, Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.735101314.0000000002C50000.00000040.00000001.sdmp, Offset: 02C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb30bbf9dee62d89b55a1d95eac664190fb5fe9c08bd3904c00e1fad9641a34b
Instruction ID: d89a0837c306f7e493fc2a44bcf1f55d5eba59c05db277e8347f6f9eb257a9c7
Opcode Fuzzy Hash: cb30bbf9dee62d89b55a1d95eac664190fb5fe9c08bd3904c00e1fad9641a34b
Instruction Fuzzy Hash: 2681CF35A002558FCB259F60C81879EBBF2EF88314F058969D80AAB7A4DF31E9D5CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02C50E31, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.735101314.0000000002C50000.00000040.00000001.sdmp, Offset: 02C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26d2d74a59fa0968421cae9a637ca46460299b4dfd6376692ce079dfac7310a1
Instruction ID: 7dbc616f10910294ae0c023c5eaf3fc41f4651ceb5450a13d1797d65777ebdf5
Opcode Fuzzy Hash: 26d2d74a59fa0968421cae9a637ca46460299b4dfd6376692ce079dfac7310a1
Instruction Fuzzy Hash: 923108747401108FC759AB38C468A6D37E2AF8971931609B9E506CF7B1DF36EC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02C50E40, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.735101314.0000000002C50000.00000040.00000001.sdmp, Offset: 02C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459811ae6e0927b51e80fb2e1025c018f888283469f72cae276ce082a4049a77
Instruction ID: e9df10580136cc2f59118ce74e760c256ba37c06883f6c0603089d975fb94b85
Opcode Fuzzy Hash: 459811ae6e0927b51e80fb2e1025c018f888283469f72cae276ce082a4049a77
Instruction Fuzzy Hash: B921E6747501208FC759AB38D468A6D33E2AF8971935609B8E506CF7B1DF32EC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02C517F8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.735101314.0000000002C50000.00000040.00000001.sdmp, Offset: 02C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37c49a33dafbb89149248b69c8be4aa94756a05b7352d9096ca20d68ba8f81b
Instruction ID: 1254d216d80c7bb3d1d5dd35d1a71d60e6ec114a8c0de1f92d70ecce0f78f3ed
Opcode Fuzzy Hash: a37c49a33dafbb89149248b69c8be4aa94756a05b7352d9096ca20d68ba8f81b
Instruction Fuzzy Hash: C7116175E002159FCB04DFB9D944ADEBBF1FF89200B11866AE519A7621D730A955CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02C51808, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.735101314.0000000002C50000.00000040.00000001.sdmp, Offset: 02C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a8d72146e8e30e33ef2a2bad46e4e107007f19070ec0f8f76541ba1917661b
Instruction ID: ede912d596ebe35c9727e537d8ec13e8a640df6b9175eed6ba861a20e67557b0
Opcode Fuzzy Hash: 72a8d72146e8e30e33ef2a2bad46e4e107007f19070ec0f8f76541ba1917661b
Instruction Fuzzy Hash: 2A019E75E002169FCB00EFB9D8449EEFBF5FF8D2007108666E619A7320EB30A945CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02C50B9C, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.735101314.0000000002C50000.00000040.00000001.sdmp, Offset: 02C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798ed8f275d80b983e36026e016bd1cb5f46d915de3ed4011ebe3375e9e67171
Instruction ID: e03a5fe4670885179fccdf2ec969bd8f4cccd8c54b20a74c219c8f72096b860c
Opcode Fuzzy Hash: 798ed8f275d80b983e36026e016bd1cb5f46d915de3ed4011ebe3375e9e67171
Instruction Fuzzy Hash: E9F01C71A40215CFDB14DB64C1597AD7BF0AF4C318F150859D442E7391CB75AAC4CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02C50498, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.735101314.0000000002C50000.00000040.00000001.sdmp, Offset: 02C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd19c0ac9869c564a5cfc2ecd3619f8716af4fa87d4fa7b9362eb93c30a088d7
Instruction ID: bae48ee2020d22559b31c12a11da6762d4dd9a953a2241f87fe6cbac64912ee2
Opcode Fuzzy Hash: fd19c0ac9869c564a5cfc2ecd3619f8716af4fa87d4fa7b9362eb93c30a088d7
Instruction Fuzzy Hash: 8AE04FB1D0022AAF8B40EFB8A9041DEBBF4EA09240B4004B1DD1DE7200E3308A11CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02C516D8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.735101314.0000000002C50000.00000040.00000001.sdmp, Offset: 02C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a12556258775e1c4054291125f3a91cac2539e12d6da9c3c07fc9ca8ff84b8e5
Instruction ID: 94df1f3137c9a033c4cfb98e52d7275bf29ce9930be289feb97e318e6b987851
Opcode Fuzzy Hash: a12556258775e1c4054291125f3a91cac2539e12d6da9c3c07fc9ca8ff84b8e5
Instruction Fuzzy Hash: B7D01735B402249FC714EB69EA09A867BA8EB49A51F1041A5EA0CCB294DB62E914CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02C504A8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.735101314.0000000002C50000.00000040.00000001.sdmp, Offset: 02C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4941cc0be80a8b94a78a276e591222f08af6b691bcc2b6d6701f34a9e8f95bb8
Instruction ID: 20a072bd4e21e004f38d72d8d5508f96a93b50f6d2fb59e6036175aae8e1d8b2
Opcode Fuzzy Hash: 4941cc0be80a8b94a78a276e591222f08af6b691bcc2b6d6701f34a9e8f95bb8
Instruction Fuzzy Hash: 61D067B2D00229AF8B40EFB999051DEBBF8EA08251B1045A6D919E3200E7709A10CBD1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: NXLun.exe PID: 6388 Parent PID: 3424 NXLun.exeCOMMON

Executed Functions

Function 014F0F38, Relevance: 1.8, Strings: 1, Instructions: 582COMMON

Download Yara Rule

Strings

$,%l, xrefs: 014F176D

Memory Dump Source

Source File: 00000011.00000002.756809878.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false

Similarity

API ID:
String ID: $,%l
API String ID: 0-2478089573
Opcode ID: f189224e3a3757330af8ff4bf1c3323fde4484bceb2bd67d633a94d11e3e4525
Instruction ID: 5dee3847c4dd32f27b6c88ac92e16a59de62fd919a0e0bd992c0b81d4658c006
Opcode Fuzzy Hash: f189224e3a3757330af8ff4bf1c3323fde4484bceb2bd67d633a94d11e3e4525
Instruction Fuzzy Hash: 4832AC34701201CFC714DF68E49466B7BB2EBC8714B55853EDA468B3A5CB79EC82CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014F0728, Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.756809878.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6297f519735aa3f2ec1610d1ce1528c5dc27db0dfa6018c5ab82f051eb4fc002
Instruction ID: caca06a6ac41473c1cd5c4ecffc25c91e1a5e0c510ea6c4fcdeb7fe260b21f0d
Opcode Fuzzy Hash: 6297f519735aa3f2ec1610d1ce1528c5dc27db0dfa6018c5ab82f051eb4fc002
Instruction Fuzzy Hash: 7F81D134B002448FDB259BA4D41869EBBF3EFC8314F1A856EE60257775DB75AC86CB40

Uniqueness

Uniqueness Score: -1.00%

Function 014F0E31, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.756809878.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 230d016186e38ae1c2534075372d38a6734fd03e900660872b2846cf9566ab10
Instruction ID: b0effc177a82d78535504ed276cc23b48cab24f8560b8492486342db72b0a58c
Opcode Fuzzy Hash: 230d016186e38ae1c2534075372d38a6734fd03e900660872b2846cf9566ab10
Instruction Fuzzy Hash: D93116707402108FC759AB38D468A6D37E2AF9961931208BDE506CF7B1DB36DC82CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014F0E40, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.756809878.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c3a8c82da2cf7587fc7acf68a277291e7ebc24331b534b2c532be28eaf80da
Instruction ID: c6597e08e7287a2166320f1559fc39da1b2557d90802bc523a754ab9eeb2f94e
Opcode Fuzzy Hash: 51c3a8c82da2cf7587fc7acf68a277291e7ebc24331b534b2c532be28eaf80da
Instruction Fuzzy Hash: 402119747401108FC759AB38D068A2D37E2AF8961931208BCE606CF771DF32EC82CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014F17F8, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.756809878.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c5f147249b49d659ba6c02cef3f1a67acf4a94fdf1945c8b77eb5c2d1e106d
Instruction ID: 18d6305493647dde12e9b7bda3bb64873ce70fd8c5ce9dcc6dd4ba1fd245897e
Opcode Fuzzy Hash: 51c5f147249b49d659ba6c02cef3f1a67acf4a94fdf1945c8b77eb5c2d1e106d
Instruction Fuzzy Hash: F5118E75E00205CFCB44DFB9E844AEEFBF1FF89310B11866AE519A7621D734A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014F1808, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.756809878.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48b17155b87ecea059bda5295d8d3fab2cb512f070d19ab53af9e28fffbcaff
Instruction ID: a7941b4882a80ea9faa3f1792f4f5d17cbba422cb13481ec8ffb31e6fcb7a149
Opcode Fuzzy Hash: f48b17155b87ecea059bda5295d8d3fab2cb512f070d19ab53af9e28fffbcaff
Instruction Fuzzy Hash: B0016939E00205DFCB00DFA9E8449AAFBF5FF89210710826AE519A7220EB34A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014F0480, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.756809878.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be67b0cd7b7712064eccd966e55217259a5ef5a08feaed45a0942549c6cedd17
Instruction ID: 62e7ea88acffb9dda92674e404fe4599b790ae8ab2aac86a68cb7ee2de61d21b
Opcode Fuzzy Hash: be67b0cd7b7712064eccd966e55217259a5ef5a08feaed45a0942549c6cedd17
Instruction Fuzzy Hash: 55016D60D4E3845FCB228BB868101EE7FF1A986210B0945BBD595DB363D2684D0987A3

Uniqueness

Uniqueness Score: -1.00%

Function 014F0B9C, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.756809878.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b41676c72e771b6f915ce004e1f365999a49f141ca9c7e6bd7bc90ac598d0287
Instruction ID: 8c20944ef0f8a768a791aa7773d8792dfa1a2b2320e0a980d1d53d288a1d75cc
Opcode Fuzzy Hash: b41676c72e771b6f915ce004e1f365999a49f141ca9c7e6bd7bc90ac598d0287
Instruction Fuzzy Hash: 76F01270904205CFDB24DF64C05979E7BF1AF48218F190459E542A73B5CBB45985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014F16D8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.756809878.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17eed0ac5884dd13129ebbd393c9024544d1caa7cb4e3d2693de1ba3d6c4491a
Instruction ID: 7aabb10f4762d14e38bebaf788aa63d3167ac0834d7a29b9ffb9b898d83b4484
Opcode Fuzzy Hash: 17eed0ac5884dd13129ebbd393c9024544d1caa7cb4e3d2693de1ba3d6c4491a
Instruction Fuzzy Hash: 12D012357002149FC714EB68E909A867BA8EB49A51F514055EA08DB365DB71DC14C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 014F04A8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.756809878.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56ec7f5187937a4abfff45355ededa3d03166d8bc81430ecec3a028cf91a636
Instruction ID: d8f953f956d07e49722e77651ff06d5dcf0b90cc730c465573b8f8163e85af03
Opcode Fuzzy Hash: d56ec7f5187937a4abfff45355ededa3d03166d8bc81430ecec3a028cf91a636
Instruction Fuzzy Hash: 17D017B1D00229AF8B40EFB899051DEBBF8EA48250B1004B6DA19E3200E2704A108BD1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO.#4500499953.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre