Play interactive tour

Edit tour

Analysis Report PO #R58490.exe

Overview

General Information

Sample Name:	PO #R58490.exe
Analysis ID:	433199
MD5:	5cff42958cd317e239d575732f7f9114
SHA1:	dec2ad475f2989f5096e02e00b45b265dd10c8c0
SHA256:	8636a1af1afb3fa83c218cbc4a18f37782b835d4ab8b27148d6f99cb849453a3
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Installs a global keyboard hook

Machine Learning detection for sample

Modifies the hosts file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

PO #R58490.exe (PID: 5396 cmdline: 'C:\Users\user\Desktop\PO #R58490.exe' MD5: 5CFF42958CD317E239D575732F7F9114)

PO #R58490.exe (PID: 4724 cmdline: C:\Users\user\Desktop\PO #R58490.exe MD5: 5CFF42958CD317E239D575732F7F9114)

PO #R58490.exe (PID: 3840 cmdline: C:\Users\user\Desktop\PO #R58490.exe MD5: 5CFF42958CD317E239D575732F7F9114)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "mmardones@cavilum.cl", "Password": "Cavilum4313", "Host": "mail.cavilum.cl"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000000.211277551.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.211277551.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.469305003.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.469305003.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.214163603.0000000003BB9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.214163603.0000000003BB9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000002.474545404.0000000002AE1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO #R58490.exe PID: 5396	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PO #R58490.exe PID: 5396	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO #R58490.exe PID: 3840	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PO #R58490.exe PID: 3840	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.PO #R58490.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.PO #R58490.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.PO #R58490.exe.3c75d68.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.PO #R58490.exe.3c75d68.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.PO #R58490.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.PO #R58490.exe.400000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.PO #R58490.exe.3c75d68.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.PO #R58490.exe.3c75d68.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 3 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.PO #R58490.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "mmardones@cavilum.cl", "Password": "Cavilum4313", "Host": "mail.cavilum.cl"}

Multi AV Scanner detection for submitted file

Show sources

Source: PO #R58490.exe	Virustotal: Detection: 31%			Perma Link
Source: PO #R58490.exe	ReversingLabs: Detection: 34%

Machine Learning detection for sample

Show sources

Source: PO #R58490.exe

Joe Sandbox ML: detected

Source: 4.2.PO #R58490.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.PO #R58490.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8

Source: PO #R58490.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: PO #R58490.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: MessageData.pdb source: PO #R58490.exe

Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_04BF1F98
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_04BF3538
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_04BF3528
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_04BF1F87

Source: global traffic

TCP traffic: 192.168.2.3:49739 -> 186.64.116.165:587

Source: Joe Sandbox View

IP Address: 186.64.116.165 186.64.116.165

Source: Joe Sandbox View

ASN Name: ZAMLTDACL ZAMLTDACL

Source: global traffic

TCP traffic: 192.168.2.3:49739 -> 186.64.116.165:587

Source: unknown

DNS traffic detected: queries for: mail.cavilum.cl

Source: PO #R58490.exe, 00000004.00000002.474545404.0000000002AE1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: PO #R58490.exe, 00000004.00000002.474545404.0000000002AE1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: PO #R58490.exe, 00000004.00000002.482237302.00000000060A0000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: PO #R58490.exe, 00000004.00000002.482237302.00000000060A0000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: PO #R58490.exe, 00000004.00000002.482237302.00000000060A0000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: PO #R58490.exe, 00000004.00000002.482237302.00000000060A0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: PO #R58490.exe, 00000004.00000002.475838803.0000000002D92000.00000004.00000001.sdmp	String found in binary or memory: http://mail.cavilum.cl
Source: PO #R58490.exe, 00000004.00000002.482237302.00000000060A0000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org
Source: PO #R58490.exe, 00000004.00000002.482237302.00000000060A0000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0#
Source: PO #R58490.exe, 00000004.00000002.482237302.00000000060A0000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: PO #R58490.exe, 00000001.00000002.213257824.0000000002BB1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO #R58490.exe, 00000004.00000002.482237302.00000000060A0000.00000004.00000001.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: PO #R58490.exe, 00000004.00000002.482237302.00000000060A0000.00000004.00000001.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: PO #R58490.exe, 00000004.00000002.474545404.0000000002AE1000.00000004.00000001.sdmp	String found in binary or memory: http://xUGEzQ.com
Source: PO #R58490.exe, 00000004.00000002.475566216.0000000002D31000.00000004.00000001.sdmp	String found in binary or memory: https://49Z9TKhGLJ3VymNKQj.org
Source: PO #R58490.exe, 00000004.00000002.474545404.0000000002AE1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: PO #R58490.exe, 00000004.00000002.474545404.0000000002AE1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%x
Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: PO #R58490.exe, 00000001.00000002.214163603.0000000003BB9000.00000004.00000001.sdmp, PO #R58490.exe, 00000004.00000000.211277551.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: PO #R58490.exe, 00000004.00000002.474545404.0000000002AE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\PO #R58490.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PO #R58490.exe

Jump to behavior

Source: C:\Users\user\Desktop\PO #R58490.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\PO #R58490.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 4.2.PO #R58490.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b4CBB2D31u002d148Au002d425Bu002d9E13u002dA0334C574922u007d/u0037E4B068Cu002dA301u002d4858u002d83C3u002d09A6DFCD7C4F.cs	Large array initialization: .cctor: array initializer size 11981
Source: 4.0.PO #R58490.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b4CBB2D31u002d148Au002d425Bu002d9E13u002dA0334C574922u007d/u0037E4B068Cu002dA301u002d4858u002d83C3u002d09A6DFCD7C4F.cs	Large array initialization: .cctor: array initializer size 11981

Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 1_2_0108C748	1_2_0108C748
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 1_2_0108AD78	1_2_0108AD78
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 1_2_04BF2850	1_2_04BF2850
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 1_2_04BF0032	1_2_04BF0032
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 1_2_04BF0040	1_2_04BF0040
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 1_2_04BF023D	1_2_04BF023D
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 1_2_04BF0201	1_2_04BF0201
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00B5D4D8	4_2_00B5D4D8
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00B580C0	4_2_00B580C0
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00B5B030	4_2_00B5B030
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00B53630	4_2_00B53630
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00B50BB0	4_2_00B50BB0
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00B5A5F0	4_2_00B5A5F0
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00B57528	4_2_00B57528
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00E760F8	4_2_00E760F8
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00E76830	4_2_00E76830
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00E75AC1	4_2_00E75AC1
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00E7EF38	4_2_00E7EF38
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00E7D898	4_2_00E7D898
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00F200CA	4_2_00F200CA
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00F28938	4_2_00F28938
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00F24B50	4_2_00F24B50
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00F259B8	4_2_00F259B8
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00F259A8	4_2_00F259A8
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00F29AA8	4_2_00F29AA8
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00F27780	4_2_00F27780
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00F2EB60	4_2_00F2EB60
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00F3E1C8	4_2_00F3E1C8
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00F30DC8	4_2_00F30DC8
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00F39268	4_2_00F39268

Source: PO #R58490.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: PO #R58490.exe, 00000001.00000002.217049674.0000000005DA0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs PO #R58490.exe
Source: PO #R58490.exe, 00000001.00000000.201416244.0000000000912000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMessageData.exe< vs PO #R58490.exe
Source: PO #R58490.exe, 00000001.00000002.214163603.0000000003BB9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKygo.dll* vs PO #R58490.exe
Source: PO #R58490.exe, 00000001.00000002.214163603.0000000003BB9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamelOQFXsEdnXbPfrLurEHOqbAcVpqnQnZ.exe4 vs PO #R58490.exe
Source: PO #R58490.exe, 00000002.00000000.209746324.00000000003A2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMessageData.exe< vs PO #R58490.exe
Source: PO #R58490.exe, 00000004.00000002.473573012.0000000000EA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs PO #R58490.exe
Source: PO #R58490.exe, 00000004.00000002.470468038.0000000000722000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMessageData.exe< vs PO #R58490.exe
Source: PO #R58490.exe, 00000004.00000002.469305003.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamelOQFXsEdnXbPfrLurEHOqbAcVpqnQnZ.exe4 vs PO #R58490.exe
Source: PO #R58490.exe, 00000004.00000002.470594304.0000000000AF8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO #R58490.exe
Source: PO #R58490.exe, 00000004.00000002.473487396.0000000000E40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs PO #R58490.exe
Source: PO #R58490.exe, 00000004.00000002.473502616.0000000000E50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs PO #R58490.exe
Source: PO #R58490.exe	Binary or memory string: OriginalFilenameMessageData.exe< vs PO #R58490.exe

Source: PO #R58490.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: PO #R58490.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: PO #R58490.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: PO #R58490.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.PO #R58490.exe.830000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.PO #R58490.exe.830000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.PO #R58490.exe.830000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.PO #R58490.exe.830000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.PO #R58490.exe.2c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.PO #R58490.exe.2c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.PO #R58490.exe.2c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.PO #R58490.exe.2c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.PO #R58490.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.PO #R58490.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@5/2@1/1

Source: C:\Users\user\Desktop\PO #R58490.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO #R58490.exe.log

Jump to behavior

Source: PO #R58490.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO #R58490.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\PO #R58490.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO #R58490.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO #R58490.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\PO #R58490.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: PO #R58490.exe	Virustotal: Detection: 31%
Source: PO #R58490.exe	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\PO #R58490.exe 'C:\Users\user\Desktop\PO #R58490.exe'
Source: C:\Users\user\Desktop\PO #R58490.exe	Process created: C:\Users\user\Desktop\PO #R58490.exe C:\Users\user\Desktop\PO #R58490.exe
Source: C:\Users\user\Desktop\PO #R58490.exe	Process created: C:\Users\user\Desktop\PO #R58490.exe C:\Users\user\Desktop\PO #R58490.exe
Source: C:\Users\user\Desktop\PO #R58490.exe	Process created: C:\Users\user\Desktop\PO #R58490.exe C:\Users\user\Desktop\PO #R58490.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process created: C:\Users\user\Desktop\PO #R58490.exe C:\Users\user\Desktop\PO #R58490.exe	Jump to behavior

Source: C:\Users\user\Desktop\PO #R58490.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO #R58490.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\PO #R58490.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PO #R58490.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO #R58490.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: PO #R58490.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: MessageData.pdb source: PO #R58490.exe

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: PO #R58490.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 1.0.PO #R58490.exe.830000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 1.2.PO #R58490.exe.830000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 2.0.PO #R58490.exe.2c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 2.2.PO #R58490.exe.2c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.2.PO #R58490.exe.640000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.PO #R58490.exe.640000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.PO #R58490.exe.640000.2.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00B5A4AA push eax; retf	4_2_00B5A4B1
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00B5ECF0 push ebx; iretd	4_2_00B5ED8E
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00B5C436 push 4800B3DBh; retf	4_2_00B5C43D
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00B561B0 push edi; iretd	4_2_00B561FE
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00B5A5E6 push 9000B3CCh; retf	4_2_00B5A5ED
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00B5EE08 push ebx; iretd	4_2_00B5EE16
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00B56380 push esp; retf	4_2_00B56915
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00B50B68 push edi; iretd	4_2_00B50B76
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00E70034 push esp; iretd	4_2_00E7003E
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00E7D55A push ebp; iretd	4_2_00E7D559
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00E7B517 push edi; retn 0000h	4_2_00E7B519
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00E7D51A push ebp; iretd	4_2_00E7D559
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00E7D37E pushfd ; retf	4_2_00E7D38D
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00F312C0 push esp; iretd	4_2_00F3134E
Source: C:\Users\user\Desktop\PO #R58490.exe	Code function: 4_2_00F31802 push edx; iretd	4_2_00F31A16

Source: initial sample

Static PE information: section name: .text entropy: 7.85720013511

Source: PO #R58490.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'oDAuwt', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 1.0.PO #R58490.exe.830000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'oDAuwt', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 1.2.PO #R58490.exe.830000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'oDAuwt', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 2.0.PO #R58490.exe.2c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'oDAuwt', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 2.2.PO #R58490.exe.2c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'oDAuwt', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 4.2.PO #R58490.exe.640000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'oDAuwt', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 4.0.PO #R58490.exe.640000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'oDAuwt', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 4.0.PO #R58490.exe.640000.2.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'oDAuwt', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'

Source: C:\Users\user\Desktop\PO #R58490.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO #R58490.exe PID: 5396, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\PO #R58490.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\PO #R58490.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\PO #R58490.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\PO #R58490.exe	Window / User API: threadDelayed 1785			Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Window / User API: threadDelayed 8078			Jump to behavior

Source: C:\Users\user\Desktop\PO #R58490.exe TID: 4812	Thread sleep time: -99553s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe TID: 6104	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe TID: 2172	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe TID: 5936	Thread sleep count: 1785 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe TID: 5936	Thread sleep count: 8078 > 30	Jump to behavior

Source: C:\Users\user\Desktop\PO #R58490.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO #R58490.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO #R58490.exe	Thread delayed: delay time: 99553	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: PO #R58490.exe, 00000004.00000002.473441492.0000000000E08000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCaps
Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\PO #R58490.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO #R58490.exe

Code function: 4_2_00B580C0 LdrInitializeThunk,

4_2_00B580C0

Source: C:\Users\user\Desktop\PO #R58490.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PO #R58490.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\PO #R58490.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Users\user\Desktop\PO #R58490.exe	Process created: C:\Users\user\Desktop\PO #R58490.exe C:\Users\user\Desktop\PO #R58490.exe			Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Process created: C:\Users\user\Desktop\PO #R58490.exe C:\Users\user\Desktop\PO #R58490.exe			Jump to behavior

Source: PO #R58490.exe, 00000004.00000002.473840072.0000000001480000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: PO #R58490.exe, 00000004.00000002.473840072.0000000001480000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: PO #R58490.exe, 00000004.00000002.473840072.0000000001480000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: PO #R58490.exe, 00000004.00000002.473840072.0000000001480000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PO #R58490.exe	Queries volume information: C:\Users\user\Desktop\PO #R58490.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Queries volume information: C:\Users\user\Desktop\PO #R58490.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO #R58490.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\PO #R58490.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000004.00000000.211277551.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.469305003.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.214163603.0000000003BB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.PO #R58490.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO #R58490.exe.3c75d68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.PO #R58490.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO #R58490.exe.3c75d68.2.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000004.00000000.211277551.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.469305003.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.214163603.0000000003BB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO #R58490.exe PID: 5396, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO #R58490.exe PID: 3840, type: MEMORY
Source: Yara match	File source: 4.2.PO #R58490.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO #R58490.exe.3c75d68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.PO #R58490.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO #R58490.exe.3c75d68.2.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\PO #R58490.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\PO #R58490.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\PO #R58490.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\PO #R58490.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\PO #R58490.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000004.00000002.474545404.0000000002AE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO #R58490.exe PID: 3840, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000004.00000000.211277551.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.469305003.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.214163603.0000000003BB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.PO #R58490.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO #R58490.exe.3c75d68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.PO #R58490.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO #R58490.exe.3c75d68.2.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000004.00000000.211277551.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.469305003.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.214163603.0000000003BB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO #R58490.exe PID: 5396, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO #R58490.exe PID: 3840, type: MEMORY
Source: Yara match	File source: 4.2.PO #R58490.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO #R58490.exe.3c75d68.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.PO #R58490.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO #R58490.exe.3c75d68.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Process Injection12	File and Directory Permissions Modification1	OS Credential Dumping2	System Information Discovery114	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	Input Capture11	Query Registry1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Credentials in Registry1	Security Software Discovery211	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information3	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture11	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing13	LSA Secrets	Virtualization/Sandbox Evasion131	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion131	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection12	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO #R58490.exe	31%	Virustotal		Browse
PO #R58490.exe	35%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
PO #R58490.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.PO #R58490.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File
4.0.PO #R58490.exe.400000.1.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
mail.cavilum.cl	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.ipify.org%x	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://mail.cavilum.cl	0%	Virustotal		Browse
http://mail.cavilum.cl	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://xUGEzQ.com	0%	Avira URL Cloud	safe
https://49Z9TKhGLJ3VymNKQj.org	0%	Avira URL Cloud	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://r3.i.lencr.org/0#	0%	URL Reputation	safe
http://r3.i.lencr.org/0#	0%	URL Reputation	safe
http://r3.i.lencr.org/0#	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://r3.i.lencr.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.cavilum.cl	186.64.116.165	true	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org%x	PO #R58490.exe, 00000004.00000002.474545404.0000000002AE1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://127.0.0.1:HTTP/1.1	PO #R58490.exe, 00000004.00000002.474545404.0000000002AE1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	PO #R58490.exe, 00000004.00000002.474545404.0000000002AE1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.letsencrypt.org0	PO #R58490.exe, 00000004.00000002.482237302.00000000060A0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://mail.cavilum.cl	PO #R58490.exe, 00000004.00000002.475838803.0000000002D92000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	PO #R58490.exe, 00000004.00000002.474545404.0000000002AE1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://x1.c.lencr.org/0	PO #R58490.exe, 00000004.00000002.482237302.00000000060A0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://x1.i.lencr.org/0	PO #R58490.exe, 00000004.00000002.482237302.00000000060A0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://xUGEzQ.com	PO #R58490.exe, 00000004.00000002.474545404.0000000002AE1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://49Z9TKhGLJ3VymNKQj.org	PO #R58490.exe, 00000004.00000002.475566216.0000000002D31000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://r3.o.lencr.org0	PO #R58490.exe, 00000004.00000002.482237302.00000000060A0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%GETMozilla/5.0	PO #R58490.exe, 00000004.00000002.474545404.0000000002AE1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO #R58490.exe, 00000001.00000002.213257824.0000000002BB1000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	PO #R58490.exe, 00000001.00000002.214163603.0000000003BB9000.00000004.00000001.sdmp, PO #R58490.exe, 00000004.00000000.211277551.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	PO #R58490.exe, 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp	false		high
http://r3.i.lencr.org/0#	PO #R58490.exe, 00000004.00000002.482237302.00000000060A0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.root-x1.letsencrypt.org0	PO #R58490.exe, 00000004.00000002.482237302.00000000060A0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://r3.i.lencr.org	PO #R58490.exe, 00000004.00000002.482237302.00000000060A0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
186.64.116.165	mail.cavilum.cl	Chile		52368	ZAMLTDACL	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433199
Start date:	11.06.2021
Start time:	12:47:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO #R58490.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@5/2@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.7% (good quality ratio 1.1%) Quality average: 52.5% Quality standard deviation: 44.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 61 Number of non-executed functions: 8
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 13.64.90.137, 104.43.139.144, 20.82.209.183, 23.218.208.56, 20.54.26.129, 20.82.210.154, 92.122.213.247, 92.122.213.194 Excluded domains from analysis (whitelisted): www.bing.com, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:48:12	API Interceptor	813x Sleep call for process: PO #R58490.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
186.64.116.165	Cotizaci#U00f3n.exe	Get hash	malicious	Browse
	Confirmaci#U00f3n de env#U00edo.exe	Get hash	malicious	Browse
	Purchase Order.exe	Get hash	malicious	Browse
	Order #6762.exe	Get hash	malicious	Browse
	Urgent Quote.exe	Get hash	malicious	Browse
	Quotation.exe	Get hash	malicious	Browse
	6VIB0nWd6H.exe	Get hash	malicious	Browse
	67ONSqP4Cl.exe	Get hash	malicious	Browse
	dKWw5dCC4L.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mail.cavilum.cl	Cotizaci#U00f3n.exe	Get hash	malicious	Browse	186.64.116.165
	Confirmaci#U00f3n de env#U00edo.exe	Get hash	malicious	Browse	186.64.116.165
	Purchase Order.exe	Get hash	malicious	Browse	186.64.116.165
	Order #6762.exe	Get hash	malicious	Browse	186.64.116.165
	Urgent Quote.exe	Get hash	malicious	Browse	186.64.116.165
	Quotation.exe	Get hash	malicious	Browse	186.64.116.165
	6VIB0nWd6H.exe	Get hash	malicious	Browse	186.64.116.165
	67ONSqP4Cl.exe	Get hash	malicious	Browse	186.64.116.165
	dKWw5dCC4L.exe	Get hash	malicious	Browse	186.64.116.165

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ZAMLTDACL	Cotizaci#U00f3n.exe	Get hash	malicious	Browse	186.64.116.165
	Confirmaci#U00f3n de env#U00edo.exe	Get hash	malicious	Browse	186.64.116.165
	Purchase Order.exe	Get hash	malicious	Browse	186.64.116.165
	Order #6762.exe	Get hash	malicious	Browse	186.64.116.165
	Urgent Quote.exe	Get hash	malicious	Browse	186.64.116.165
	Quotation.exe	Get hash	malicious	Browse	186.64.116.165
	#Ud83d#Udd7b Missed Playback Recording.wav - 1424592794.htm	Get hash	malicious	Browse	186.64.116.45
	Sales_Receipt 5576.xls	Get hash	malicious	Browse	186.64.118.235
	OUTSTANDING_INVOICE_Statement_077117.xlsm	Get hash	malicious	Browse	186.64.116.95
	file.doc	Get hash	malicious	Browse	186.64.118.225
	Ordine -159-pdf.exe	Get hash	malicious	Browse	186.64.118.215
	Rep_#_475.xlsm	Get hash	malicious	Browse	186.64.116.135
	Subconract 504.xlsm	Get hash	malicious	Browse	186.64.116.135
	Webinar.exe	Get hash	malicious	Browse	186.64.118.125
	QC-Telecom.exe	Get hash	malicious	Browse	186.64.118.125
	Io8ic2291n.doc	Get hash	malicious	Browse	190.114.254.163
	k5K4BcM1b5.exe	Get hash	malicious	Browse	186.64.118.110
	0QKsIlEBln.exe	Get hash	malicious	Browse	186.64.118.110
	KuPBIsrqbO.exe	Get hash	malicious	Browse	186.64.118.110
	1D1PBttduH.exe	Get hash	malicious	Browse	186.64.118.110

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO #R58490.exe.log Download File
Process:	C:\Users\user\Desktop\PO #R58490.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Windows\System32\drivers\etc\hosts Download File
Process:	C:\Users\user\Desktop\PO #R58490.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	11
Entropy (8bit):	2.663532754804255
Encrypted:	false
SSDEEP:	3:iLE:iLE
MD5:	B24D295C1F84ECBFB566103374FB91C5
SHA1:	6A750D3F8B45C240637332071D34B403FA1FF55A
SHA-256:	4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
SHA-512:	9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
Malicious:	true
Reputation:	high, very likely benign file
Preview:	..127.0.0.1

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.516884488799235
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	PO #R58490.exe
File size:	966656
MD5:	5cff42958cd317e239d575732f7f9114
SHA1:	dec2ad475f2989f5096e02e00b45b265dd10c8c0
SHA256:	8636a1af1afb3fa83c218cbc4a18f37782b835d4ab8b27148d6f99cb849453a3
SHA512:	43cde418b8aa6d0626eb861e980bdeab3b82f472ac56b1e5aaa43f676e7203ecedd1f48813168f82a08aec7665e1fd04fb59586ea32b1679188a572a70c3b11c
SSDEEP:	12288:j4ZHNvC3A163SoAPBsFHDEp4rcVyfab52ZM4e/ZUdtb:jKHNvGAoxFHDEMY92NeBUdt
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.............................2... ...@....@.. .......................@............@................................

File Icon


Icon Hash:	8c8caa8e9692aa00

Static PE Info

General
Entrypoint:	0x4c32fe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60C28A90 [Thu Jun 10 21:56:32 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc32b0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc6000	0x2a380	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc325f	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc1304	0xc1400	False	0.897549371362	data	7.85720013511	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata	0xc4000	0x1e8	0x200	False	0.861328125	data	6.62101963076	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xc6000	0x2a380	0x2a400	False	0.12430658284	data	4.17130427114	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf2000	0xc	0x200	False	0.041015625	data	0.0776331623432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xc62b0	0x2326	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xc85d8	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xd8e00	0x94a8	data
RT_ICON	0xe22a8	0x5488	data
RT_ICON	0xe7730	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0xeb958	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0xedf00	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0xeefa8	0x988	data
RT_ICON	0xef930	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xefd98	0x84	data
RT_VERSION	0xefe1c	0x378	data
RT_MANIFEST	0xf0194	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Paul Harris 2016
Assembly Version	251.2.0.0
InternalName	MessageData.exe
FileVersion	251.2.0.0
CompanyName	Paul Harris
LegalTrademarks
Comments	1992 Alpine A 610
ProductName	ReloadManager
ProductVersion	251.2.0.0
FileDescription	ReloadManager
OriginalFilename	MessageData.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 12:49:57.175571918 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:49:57.441533089 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:49:57.441771030 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:49:57.825237989 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:49:57.826041937 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:49:58.092140913 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:49:58.092753887 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:49:58.362252951 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:49:58.413614988 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:49:58.438481092 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:49:58.715214014 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:49:58.715286970 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:49:58.715328932 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:49:58.715358019 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:49:58.715523005 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:49:58.715586901 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:49:58.717282057 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:49:58.731540918 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:49:58.999080896 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:49:59.054274082 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:49:59.267050028 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:49:59.532957077 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:49:59.535383940 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:49:59.804044962 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:49:59.805532932 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:50:00.077012062 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:50:00.078165054 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:50:00.345362902 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:50:00.346252918 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:50:00.613869905 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:50:00.616465092 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:50:00.882376909 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:50:00.889287949 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:50:00.889719963 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:50:00.889980078 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:50:00.890233994 CEST	49739	587	192.168.2.3	186.64.116.165
Jun 11, 2021 12:50:01.163569927 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:50:01.163609028 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:50:01.163629055 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:50:01.163767099 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:50:01.168571949 CEST	587	49739	186.64.116.165	192.168.2.3
Jun 11, 2021 12:50:01.210715055 CEST	49739	587	192.168.2.3	186.64.116.165

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 12:48:03.865456104 CEST	60152	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:03.927098989 CEST	53	60152	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:04.362371922 CEST	57544	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:04.412439108 CEST	53	57544	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:05.490386963 CEST	55984	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:05.540380955 CEST	53	55984	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:06.593909979 CEST	64185	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:06.643948078 CEST	53	64185	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:07.930582047 CEST	65110	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:07.991899014 CEST	53	65110	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:09.437484980 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:09.487715006 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:10.338879108 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:10.391993999 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:11.536705017 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:11.589678049 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:12.472227097 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:12.525196075 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:13.707720995 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:13.759587049 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:15.591284990 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:15.641803026 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:16.660744905 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:16.711559057 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:17.742645979 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:17.795258045 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:18.991339922 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:19.041392088 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:19.908243895 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:19.958285093 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:21.174634933 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:21.233032942 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:22.188071012 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:22.238146067 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:23.282547951 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:23.333353996 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:24.531217098 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:24.584043026 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:38.599397898 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:38.658766985 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:40.849282026 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:40.910813093 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 11, 2021 12:48:59.011162043 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:48:59.084970951 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 11, 2021 12:49:15.417186022 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:49:15.492758989 CEST	53	55435	8.8.8.8	192.168.2.3
Jun 11, 2021 12:49:20.784035921 CEST	50713	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:49:20.844971895 CEST	53	50713	8.8.8.8	192.168.2.3
Jun 11, 2021 12:49:51.665713072 CEST	56132	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:49:51.726845026 CEST	53	56132	8.8.8.8	192.168.2.3
Jun 11, 2021 12:49:53.879087925 CEST	58987	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:49:53.949002981 CEST	53	58987	8.8.8.8	192.168.2.3
Jun 11, 2021 12:49:56.910500050 CEST	56579	53	192.168.2.3	8.8.8.8
Jun 11, 2021 12:49:57.063219070 CEST	53	56579	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 11, 2021 12:49:56.910500050 CEST	192.168.2.3	8.8.8.8	0x8c7	Standard query (0)	mail.cavilum.cl	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 11, 2021 12:49:57.063219070 CEST	8.8.8.8	192.168.2.3	0x8c7	No error (0)	mail.cavilum.cl		186.64.116.165	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jun 11, 2021 12:49:57.825237989 CEST	587	49739	186.64.116.165	192.168.2.3	220-blue125.dnsmisitio.net ESMTP Exim 4.93 #2 Fri, 11 Jun 2021 06:49:57 -0400 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jun 11, 2021 12:49:57.826041937 CEST	49739	587	192.168.2.3	186.64.116.165	EHLO 980108
Jun 11, 2021 12:49:58.092140913 CEST	587	49739	186.64.116.165	192.168.2.3	250-blue125.dnsmisitio.net Hello 980108 [84.17.52.18] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jun 11, 2021 12:49:58.092753887 CEST	49739	587	192.168.2.3	186.64.116.165	STARTTLS
Jun 11, 2021 12:49:58.362252951 CEST	587	49739	186.64.116.165	192.168.2.3	220 TLS go ahead

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: PO #R58490.exe PID: 5396 Parent PID: 5796

General

Start time:	12:48:10
Start date:	11/06/2021
Path:	C:\Users\user\Desktop\PO #R58490.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PO #R58490.exe'
Imagebase:	0x830000
File size:	966656 bytes
MD5 hash:	5CFF42958CD317E239D575732F7F9114
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.214163603.0000000003BB9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.214163603.0000000003BB9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.213317019.0000000002BEF000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: PO #R58490.exe PID: 4724 Parent PID: 5396

General

Start time:	12:48:14
Start date:	11/06/2021
Path:	C:\Users\user\Desktop\PO #R58490.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\PO #R58490.exe
Imagebase:	0x2c0000
File size:	966656 bytes
MD5 hash:	5CFF42958CD317E239D575732F7F9114
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: PO #R58490.exe PID: 3840 Parent PID: 5396

General

Start time:	12:48:15
Start date:	11/06/2021
Path:	C:\Users\user\Desktop\PO #R58490.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\PO #R58490.exe
Imagebase:	0x640000
File size:	966656 bytes
MD5 hash:	5CFF42958CD317E239D575732F7F9114
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.211277551.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.211277551.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.469305003.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.469305003.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.474545404.0000000002AE1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: PO #R58490.exe PID: 5396 Parent PID: 5796 PO #R58490.exeCOMMON

Executed Functions

Function 04BF2850, Relevance: 3.1, Strings: 2, Instructions: 602COMMON

Download Yara Rule

Strings

po, xrefs: 04BF2F44
po, xrefs: 04BF2F1F

Memory Dump Source

Source File: 00000001.00000002.215041485.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID:
String ID: po$po
API String ID: 0-1814803154
Opcode ID: b5b627f07c090b9a89c86557ce279e863e60a083e6014e8e93bb328531cd7ed1
Instruction ID: 77dfe4e2b9adc878ab50190bc747a376759f289b301b59720ca707e5e8d81042
Opcode Fuzzy Hash: b5b627f07c090b9a89c86557ce279e863e60a083e6014e8e93bb328531cd7ed1
Instruction Fuzzy Hash: 66328A707012059FDB19EF69C850BAEB7F6EF88304F1484A9D68A9B390DB36ED05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04BF1F87, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.215041485.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db7c44c650af56e2ce2e3597cad302ef39e697b373e20d2b8e0378000ba3f2e0
Instruction ID: 8f4bf0d3256120e19696b7a55a16633ae30b9e11a52ca78aac1d34e94b1d38c0
Opcode Fuzzy Hash: db7c44c650af56e2ce2e3597cad302ef39e697b373e20d2b8e0378000ba3f2e0
Instruction Fuzzy Hash: 3E312775D05218CFDB08DFB4D9487EDBAB0AF09301F1454AAE949B3280D73A6949DF54

Uniqueness

Uniqueness Score: -1.00%

Function 04BF1F98, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.215041485.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79eff2da324559aaaf34884f377a2b43397546b66bd5dbbd8f8ac8118101fa6
Instruction ID: fb76f40a7acf2b1cb4b01d2a389764cb0d624c278b2b5a1dbe4a6ad6ed54ce60
Opcode Fuzzy Hash: a79eff2da324559aaaf34884f377a2b43397546b66bd5dbbd8f8ac8118101fa6
Instruction Fuzzy Hash: 8E313871E05218CFDB08CFB5D848BEDBAF0AF09300F1054AAE909B3280D7766989DF14

Uniqueness

Uniqueness Score: -1.00%

Function 0108C052, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 192COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0108C2A6

Strings

po, xrefs: 0108C203
po, xrefs: 0108C1DE

Memory Dump Source

Source File: 00000001.00000002.213156402.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: HandleModule
String ID: po$po
API String ID: 4139908857-1814803154
Opcode ID: dd418155b4f9e91154dd03d01bba669afdad40fdfb8dbd825202c9be8a1b7086
Instruction ID: dd664746e7e535a69327b57c6fd2864b80214a6315cdad12463b91e7323435fe
Opcode Fuzzy Hash: dd418155b4f9e91154dd03d01bba669afdad40fdfb8dbd825202c9be8a1b7086
Instruction Fuzzy Hash: 347137B0A04B058FEB64DF69D58179ABBF1BF88204F00896ED58ADBB41D734E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0108E0A0, Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0108E22A

Memory Dump Source

Source File: 00000001.00000002.213156402.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e4d7d612a35c0ba4dbf90bbfb4f1d65d81238172b5326782ab6a3977e90cbca3
Instruction ID: 81a57361316918b150d7a2670b26052f31ba951095bf4641add770ba9faa6041
Opcode Fuzzy Hash: e4d7d612a35c0ba4dbf90bbfb4f1d65d81238172b5326782ab6a3977e90cbca3
Instruction Fuzzy Hash: 255110B1C04249AFDF12CFA9D880ADEBFB1BF49314F19816AE848AB221D7349855CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0108B0F4, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0108E22A

Memory Dump Source

Source File: 00000001.00000002.213156402.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e11533504cb10e9b85a1f7bc0b06527c168a9782a594dd16ae8b0471d629b2e7
Instruction ID: 4530f4167f4531ea4b3b5a84b4c02cdaa1dfa29a0d0094f290ab65d08ef090ad
Opcode Fuzzy Hash: e11533504cb10e9b85a1f7bc0b06527c168a9782a594dd16ae8b0471d629b2e7
Instruction Fuzzy Hash: 8451AEB1D043099FDF14DF9AD884ADEFBB5BF48314F24822AE859AB210D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01087668, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010876F7

Memory Dump Source

Source File: 00000001.00000002.213156402.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 32168eaa2dfad1315b0029024fc43b4d3c09239c9f619215b357ce9d6d76c5b4
Instruction ID: 3f75768f1619e3fc1e20cd6e09934d2c01fce1c644afd3bd110d6bba281931d8
Opcode Fuzzy Hash: 32168eaa2dfad1315b0029024fc43b4d3c09239c9f619215b357ce9d6d76c5b4
Instruction Fuzzy Hash: AF21F2B59002499FDB00CFAAE484ADEFFF8FB48324F14801AE954A3210D778A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108AFA0, Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0108C321,00000800,00000000,00000000), ref: 0108C532

Memory Dump Source

Source File: 00000001.00000002.213156402.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6709ba1f45c58f2d086cdc0347305dbe95b83a4d4f45a4482bd30d0768a4603f
Instruction ID: a0c7f4e35193bb514d7ee699f994223a138dbb45d4b7aeaf2565152ad532f880
Opcode Fuzzy Hash: 6709ba1f45c58f2d086cdc0347305dbe95b83a4d4f45a4482bd30d0768a4603f
Instruction Fuzzy Hash: 5F2157B68043498FDB10DFAAD444ADEFBF4EF88314F04845AD559A7610D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01087670, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010876F7

Memory Dump Source

Source File: 00000001.00000002.213156402.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 35b757ff78b806eb6402f819bfbdd5335a4a7f8160a5793d8c6c904babe0dd0d
Instruction ID: fd8cde9beea14a0fca70456c139f714e1da10f70a2a80cf85ab8c75e98fd45d7
Opcode Fuzzy Hash: 35b757ff78b806eb6402f819bfbdd5335a4a7f8160a5793d8c6c904babe0dd0d
Instruction Fuzzy Hash: D321C2B5900249DFDB10CFAAD984ADEFBF8FB48324F14841AE954A7310D774A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108AFB8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0108C321,00000800,00000000,00000000), ref: 0108C532

Memory Dump Source

Source File: 00000001.00000002.213156402.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5ab650febfb1e22ceff9f1e5b3af45498f2f2613c04a8cc12540bf727841edfc
Instruction ID: b31a8f7e96594c7087dfe635ac4a8b570d87f2512ce54fa7be539148577382ee
Opcode Fuzzy Hash: 5ab650febfb1e22ceff9f1e5b3af45498f2f2613c04a8cc12540bf727841edfc
Instruction Fuzzy Hash: A21114B69042098FDB10DF9AD544BDEFBF4EB88314F04842AD559A7600D774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108C4C0, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0108C321,00000800,00000000,00000000), ref: 0108C532

Memory Dump Source

Source File: 00000001.00000002.213156402.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 618ec32db3f6724f2f81467dd42a5ab936d93c8a6666fb9a6fe8e7fcbc205c0f
Instruction ID: bd8836978324db790aff38c963fd339039c62aa1ba5772e4f70dc6bdb92be461
Opcode Fuzzy Hash: 618ec32db3f6724f2f81467dd42a5ab936d93c8a6666fb9a6fe8e7fcbc205c0f
Instruction Fuzzy Hash: 4C1144B28042488FDB10CF9AD444ADEFBF4AB88320F04842AE555A7600D374A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04BF1AA0, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04BF1B05

Memory Dump Source

Source File: 00000001.00000002.215041485.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b03f259d2d9000b80d7676baaacece107fab96c5fafde84282d22a94df56aa69
Instruction ID: 23ef4df4894ed95e041bef5ea5dada513966f71decc6820e0694642149421ef6
Opcode Fuzzy Hash: b03f259d2d9000b80d7676baaacece107fab96c5fafde84282d22a94df56aa69
Instruction Fuzzy Hash: FC11F2B5800249DFDB10CF9AD985BDEFBF8EB48324F148459E958A7200D774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108C240, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0108C2A6

Memory Dump Source

Source File: 00000001.00000002.213156402.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 298c74786faddabada3b809f773700b5f1eb15cfb6b96d3f96929a91f3dfa7a5
Instruction ID: a2bd45a8356346e5b4c7ee01016b417903128998c07115140c3b7a557f7f7786
Opcode Fuzzy Hash: 298c74786faddabada3b809f773700b5f1eb15cfb6b96d3f96929a91f3dfa7a5
Instruction Fuzzy Hash: F2110FB1C006098FDB10DF9AD544ADEFBF4EB88224F14856AD869A7600D374A946CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108E760, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0108E7C5

Memory Dump Source

Source File: 00000001.00000002.213156402.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2dad8cfc6349d5c7fce730460580a9792d4d20a278a59b48924968c942d2a151
Instruction ID: 880efffcf211131d81d34e0dee91b1be988c65faa5cf71c2c111f2700988f89e
Opcode Fuzzy Hash: 2dad8cfc6349d5c7fce730460580a9792d4d20a278a59b48924968c942d2a151
Instruction Fuzzy Hash: 5411F2B59002499FDB10DF9AD488BDEFFF8EB48324F14845AE954A7600D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04BF1AA8, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04BF1B05

Memory Dump Source

Source File: 00000001.00000002.215041485.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b61f5202bf5684b9daaa06ad1c136eea1db3fccffa246badafeb3fad42c9c915
Instruction ID: f99c72587b51b9e5e2e0c007b479f4b49cfae77bfec02700fe3a7cd61dad8540
Opcode Fuzzy Hash: b61f5202bf5684b9daaa06ad1c136eea1db3fccffa246badafeb3fad42c9c915
Instruction Fuzzy Hash: 5C11D0B5900349DFDB10CF9AD984BDEFBF8EB48324F14885AE558A7601D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108E768, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0108E7C5

Memory Dump Source

Source File: 00000001.00000002.213156402.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b61d36733b50e7e885f11ec9f3e50da02136c385432fcc51057f88031e18780c
Instruction ID: 2a774d538499723fe92a59cec8869ae55adf1e399be7390b72093d0fb541b85d
Opcode Fuzzy Hash: b61d36733b50e7e885f11ec9f3e50da02136c385432fcc51057f88031e18780c
Instruction Fuzzy Hash: 0B1100B59002098FDB10DF9AD884BDEFBF8EB88324F10845AD958A7700D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0108C748, Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.213156402.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12dbc98949f4f53c9ca24aba4ece4551a40cd88341dae21817034952b6e4dba9
Instruction ID: 9ac404ef97a8bb1c47b673a0095c56a443b993df95916d2b62613cd762cec17f
Opcode Fuzzy Hash: 12dbc98949f4f53c9ca24aba4ece4551a40cd88341dae21817034952b6e4dba9
Instruction Fuzzy Hash: EE5257B1620B068BDB10CF14ED8A19D7FF1FB51328F904218E5A15FA99DBB8654BCF84

Uniqueness

Uniqueness Score: -1.00%

Function 0108AD78, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.213156402.0000000001080000.00000040.00000001.sdmp, Offset: 01080000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659095cc1ad5538598c3808c8028fab10621e115c21bb23afd638e7a3ff1ad54
Instruction ID: 6e8307494a723083d8f77404cf56cc5899083b185343d13a9ff09cd50dba4685
Opcode Fuzzy Hash: 659095cc1ad5538598c3808c8028fab10621e115c21bb23afd638e7a3ff1ad54
Instruction Fuzzy Hash: 44A18032E1061ACFCF05EFA5C8445DEBBF2FF84300B15856AE985BB261DB75A945CB80

Uniqueness

Uniqueness Score: -1.00%

Function 04BF0040, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.215041485.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab984776e2d383f2460c95dcc1936dac3b9e528cbbe32699d298eb5985715dd
Instruction ID: b7dff07e740a7d20fd9772afa66c5c61820586e127340351a0e079650ba397d3
Opcode Fuzzy Hash: 4ab984776e2d383f2460c95dcc1936dac3b9e528cbbe32699d298eb5985715dd
Instruction Fuzzy Hash: 4E612A71E04629CBDB68CF6ACC40799FBB6BBC9300F14D5EAD50DA6214EB345A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04BF0032, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.215041485.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 989e64dad451e25a74f32483086c456834ce13405975942064901ba972b02808
Instruction ID: df24718250676bc6bd2ce50a33fbb54c980906d1cdde66dbfdd641417809a765
Opcode Fuzzy Hash: 989e64dad451e25a74f32483086c456834ce13405975942064901ba972b02808
Instruction Fuzzy Hash: 7B51E571E00669CBDB68CF6ACC4479AFBB2BBC9300F14C5EA950DA7214EB345A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04BF0201, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.215041485.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e608fc1f8f546d0356945671e1567b2571c62fb3762ddab5007629d12b8be05d
Instruction ID: 8437b5aa64c36c739d5dce84a9403041dcb300df9d48c2562855e04d8282daf4
Opcode Fuzzy Hash: e608fc1f8f546d0356945671e1567b2571c62fb3762ddab5007629d12b8be05d
Instruction Fuzzy Hash: 56510774E0066ACBCB64CF65CC44B9DBBB2BB89301F1099EAD50DA7214E7345E99CF44

Uniqueness

Uniqueness Score: -1.00%

Function 04BF023D, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.215041485.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7abf59a1b104f7b66aeb1197ab1c1fc9030e00e075c1bb2f74623310c971f440
Instruction ID: 8a735997dbe52f768ee2bfc6f25ac6e00e594ef15e4f853754c953d7405bf632
Opcode Fuzzy Hash: 7abf59a1b104f7b66aeb1197ab1c1fc9030e00e075c1bb2f74623310c971f440
Instruction Fuzzy Hash: 51410770E4066ACADB64CF65CC40B99B7B2BB89300F10DAEAD50DB2614E7345AD98F54

Uniqueness

Uniqueness Score: -1.00%

Function 04BF3538, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.215041485.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378902a59a616f4b0a964985b9110eee54d71e14c4e75f63ea28c01b09486fca
Instruction ID: a00a7cfbd49fd377070a13d06a9eca3fb68f0c393e83b90f088ae8db6ef713a2
Opcode Fuzzy Hash: 378902a59a616f4b0a964985b9110eee54d71e14c4e75f63ea28c01b09486fca
Instruction Fuzzy Hash: 36314B70E09218DFDB14CFA9D848BEDBAF1BF49301F04A0A9E909B7250D735A948CB14

Uniqueness

Uniqueness Score: -1.00%

Function 04BF3528, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.215041485.0000000004BF0000.00000040.00000001.sdmp, Offset: 04BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e910191599834eed83f027c799e3c5f6c003a1efe84f0aec2befd4822c12905a
Instruction ID: 4f712836380eb1d24d2a0063a7129a098afbbca9f47b3f23a2cef37e20484a44
Opcode Fuzzy Hash: e910191599834eed83f027c799e3c5f6c003a1efe84f0aec2befd4822c12905a
Instruction Fuzzy Hash: F9317A70E092189FDB00CFA4D9547EDBBF0BB4A301F0060A9E909B7380D735A948DB14

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: PO #R58490.exe PID: 3840 Parent PID: 5396 PO #R58490.exeCOMMON

Executed Functions

Function 00B580C0, Relevance: 2.3, APIs: 1, Instructions: 760libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B58848

Memory Dump Source

Source File: 00000004.00000002.470825799.0000000000B50000.00000040.00000001.sdmp, Offset: 00B50000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d9c102ca3775cb007a370422668be0c5c25d56e98a9a5ae8343c9741531e08d4
Instruction ID: e61a595d66512ca17c5568f3919b83608e9746eb2532ba8923a4971132b89188
Opcode Fuzzy Hash: d9c102ca3775cb007a370422668be0c5c25d56e98a9a5ae8343c9741531e08d4
Instruction Fuzzy Hash: AB62F975E006188FDB24EF78C8547ADB7F1AF89304F1486A9D54AAB750EF30AE85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00E70A70, Relevance: 7.0, APIs: 4, Instructions: 955libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E70B36
LdrInitializeThunk.NTDLL ref: 00E70CD5

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: e51dd8775597822ecc0dd4dbaa9fc55bfd245b1904963a985a2072aceee40a89
Instruction ID: 0ac81aafbb32213927e3fbaf5fc10a10ca758f941b9792284e644a8a6a9e4364
Opcode Fuzzy Hash: e51dd8775597822ecc0dd4dbaa9fc55bfd245b1904963a985a2072aceee40a89
Instruction Fuzzy Hash: 23A20474A14228CFCB64EF34D9987ADBBB6BB48305F2085EAD509A3350DB349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00E70A91, Relevance: 6.6, APIs: 4, Instructions: 629libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E70B36
LdrInitializeThunk.NTDLL ref: 00E70CD5

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 1831547fd378ace8f7c8a2953bcb42e79c5d0ca5b7101c710c58e5b2109f7f79
Instruction ID: eda2dc8619e217a75b1cac30d993e4571529d7c185fcdb1d0d108f12957d4f6e
Opcode Fuzzy Hash: 1831547fd378ace8f7c8a2953bcb42e79c5d0ca5b7101c710c58e5b2109f7f79
Instruction Fuzzy Hash: BB5203B4A15228CFCB64DF34D8887ADBBB6BB48305F2085EAD509A3350DB349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E70ACD, Relevance: 6.6, APIs: 4, Instructions: 624libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E70B36
LdrInitializeThunk.NTDLL ref: 00E70CD5

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: ea21b023f276480f7655b797c9495333bb739862fa0fe8f55603b87eed50a3f7
Instruction ID: 7359fbb411644c80f92295fe7d5e02f0c4468584212b7ed91810b0077b68c103
Opcode Fuzzy Hash: ea21b023f276480f7655b797c9495333bb739862fa0fe8f55603b87eed50a3f7
Instruction Fuzzy Hash: 855203B4A15228CFCB64DF34D8887ADBBB6AF48305F2085EAD509A3350DB349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E70B12, Relevance: 6.6, APIs: 4, Instructions: 617libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E70B36
LdrInitializeThunk.NTDLL ref: 00E70CD5

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 70b0a889711f6e1c7c43ef0f5111b9102f8a6d90bf5956fb569a8791933231ce
Instruction ID: 15d74b33eb2981f78e9d4b7acbfe0772365136ef813490e22a4ee089f94f154b
Opcode Fuzzy Hash: 70b0a889711f6e1c7c43ef0f5111b9102f8a6d90bf5956fb569a8791933231ce
Instruction Fuzzy Hash: FE5203B4A15228CFCB64DF34D8887ADBBB6AF48305F2085EAD509A3350DB349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E70B57, Relevance: 5.1, APIs: 3, Instructions: 610libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E70CD5

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f38a8fcb5d6841f9460806b6d1cd9cf0b4d07d5e3ed3b724a6ff0e633841ba9f
Instruction ID: 5becbd1ffb77d74777f062d5bcd13c03e4bfb3d076ecdda0eb69e582de294287
Opcode Fuzzy Hash: f38a8fcb5d6841f9460806b6d1cd9cf0b4d07d5e3ed3b724a6ff0e633841ba9f
Instruction Fuzzy Hash: C9520474A15228CFCB64DF34D8887ADBBB6AB48305F2085EAD509A3350DB349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E70B9C, Relevance: 5.1, APIs: 3, Instructions: 603libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E70CD5

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b84b123cd67b08d7b04d59dd7de7d01fed2a4b1724f7eeeb8af5d0667d60c09
Instruction ID: 5b91e31abc05a967c5d03ee1da28711bad3afb23425edd5803a72db2e4c3de0a
Opcode Fuzzy Hash: 2b84b123cd67b08d7b04d59dd7de7d01fed2a4b1724f7eeeb8af5d0667d60c09
Instruction Fuzzy Hash: F65203B4A15228CFCB64DF34D8887ADBBB6BB48305F2085EAD509A3350DB349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E70FF8, Relevance: 3.4, APIs: 2, Instructions: 437COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 02bf021fcc00b29630ebc9bdc088a4c026a1a32fadcbd6520f11145c7eb2af60
Instruction ID: f83c7ff16ff55b28d2cbcb2a961f4da505783340230e446f17aaa1c8506d47a9
Opcode Fuzzy Hash: 02bf021fcc00b29630ebc9bdc088a4c026a1a32fadcbd6520f11145c7eb2af60
Instruction Fuzzy Hash: 8022F674A15228CFCB65DF38D884698B7B6BF49306F2080EED60DA2350DB359E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E7103D, Relevance: 3.4, APIs: 2, Instructions: 430COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d885a580c57302d32d116aadcf6a0cf8f97de4c970dfe3469b93c123e9ba1be3
Instruction ID: 1773deece415622540729e3224c1b5ea3e7e5e85f67efe12f920ead715882e0b
Opcode Fuzzy Hash: d885a580c57302d32d116aadcf6a0cf8f97de4c970dfe3469b93c123e9ba1be3
Instruction Fuzzy Hash: 34220674A15228CFCB65DF38D884698B7B6BF49306F2080EED60DA2350DB359E86CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00E71082, Relevance: 3.4, APIs: 2, Instructions: 423COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b1a5d4f946cb20b44227fda260f1c5e5525585c20c4e58cb1c14b7512fd41c86
Instruction ID: 1cac37157823a13dcb1ae1307f4e9000a78619697f4e71c6e96689c98c1ce53c
Opcode Fuzzy Hash: b1a5d4f946cb20b44227fda260f1c5e5525585c20c4e58cb1c14b7512fd41c86
Instruction Fuzzy Hash: 1812F674A15228CFCB65DF34D984698B7B6BF48306F2080EED60DA2350DB359E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E710C7, Relevance: 3.4, APIs: 2, Instructions: 416COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4d944c2cd0fff82ae9f5a238ee3f7bea42816ba92b2b8a765a04b3a1ec39d773
Instruction ID: 239f0fc26dc7d925e6a92107ceb7377cba165c470978057515a33223272110c1
Opcode Fuzzy Hash: 4d944c2cd0fff82ae9f5a238ee3f7bea42816ba92b2b8a765a04b3a1ec39d773
Instruction Fuzzy Hash: 0B12F6B4A15228CFCB65DF38D884698B7B6BF48306F2081EED60DA2350DB359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E7110C, Relevance: 3.4, APIs: 2, Instructions: 409COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 89dd5e0d395995c71070b9c6e43d40f1766dce1291daf89c44ae7e1574e2491d
Instruction ID: e5757cc914e27403b7255753d6c8ee53df9603c55af8b19f51b9e036d286e7b5
Opcode Fuzzy Hash: 89dd5e0d395995c71070b9c6e43d40f1766dce1291daf89c44ae7e1574e2491d
Instruction Fuzzy Hash: 1512F6B4A15228CFCB65DF38D884698B7B6BB48306F2081EED60DA3350DB359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E71151, Relevance: 3.4, APIs: 2, Instructions: 402COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ad2fcc90c52e3edbb9d036a8c15ede94d54b7a5c6ce87d5bf4d7ea2db3efc55c
Instruction ID: a8d937d5baf695664ec306b0c2c9f2ecfe1a0110687191aefebd3e79fd169a9b
Opcode Fuzzy Hash: ad2fcc90c52e3edbb9d036a8c15ede94d54b7a5c6ce87d5bf4d7ea2db3efc55c
Instruction Fuzzy Hash: 8312F6B4A15228CFCB65DF38D884698B7B6BB48305F2081EED60DA3350DB359E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E71196, Relevance: 3.4, APIs: 2, Instructions: 393COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 99f21f45110112449f092d686bd6ea9f079b247510bf6287c1e578b9819f8bca
Instruction ID: bc5962a4df9efabc80b169819dff053ca2e600e9adf6745dabffe7efb1a0f616
Opcode Fuzzy Hash: 99f21f45110112449f092d686bd6ea9f079b247510bf6287c1e578b9819f8bca
Instruction Fuzzy Hash: 8712F7B4A15228CFCB65DF38D984698B7B6BB48305F2080EED60DA3350DB359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E711D2, Relevance: 3.4, APIs: 2, Instructions: 388COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2ee1130a5562d65150d534c77a139c6d7fb63dbc058d5cf9d49cef8806b03d6e
Instruction ID: ee1b990785dd4b0c8e63f5c23ec08736d24999539c37f7f13f296b2375f0ce0b
Opcode Fuzzy Hash: 2ee1130a5562d65150d534c77a139c6d7fb63dbc058d5cf9d49cef8806b03d6e
Instruction Fuzzy Hash: 5C02F7B4A15228CFCB64DF38D884698B7B6BB48305F2081EED60DA3350DB359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E71217, Relevance: 3.4, APIs: 2, Instructions: 381COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 38312bbdc9b5117ab22bfb62ec3e6186d325ff727a5d91940ec4960305761e09
Instruction ID: ad39b3485674ed5de61e2192d4ecf45bdb747ef42c435379a97a028a4787360b
Opcode Fuzzy Hash: 38312bbdc9b5117ab22bfb62ec3e6186d325ff727a5d91940ec4960305761e09
Instruction Fuzzy Hash: 6002F7B4A15228CFCB64DF38D884698B7B6BB48305F2085EED60DA3350DB359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E7125C, Relevance: 3.4, APIs: 2, Instructions: 374COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f130c3238193f972957eb3f138f001e27b66a72f8a9a41f9baada19b0a2f23b1
Instruction ID: 683f234dfec9e21bd33e68daaa9998b2c3b939a0230a04b0484de659e58346c9
Opcode Fuzzy Hash: f130c3238193f972957eb3f138f001e27b66a72f8a9a41f9baada19b0a2f23b1
Instruction Fuzzy Hash: D402F6B4A15228CFCB64DF38D884698B7B6BB48305F2085EED60DA3350DB359E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E712A1, Relevance: 3.4, APIs: 2, Instructions: 365COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fc58e32f73ba9703ceb6d28cb8316f22debffece282de6b8f88351829ac866cb
Instruction ID: 1693baf0ce7501e6b52a1882fc172df356e416123849e5138657eb80cc540556
Opcode Fuzzy Hash: fc58e32f73ba9703ceb6d28cb8316f22debffece282de6b8f88351829ac866cb
Instruction Fuzzy Hash: CD0207B4A15229CFCB64DF38D884698B7B6AB48305F2080EED60DA3350DB359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E712DD, Relevance: 3.4, APIs: 2, Instructions: 360COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5b2defd262148cc4f5292b2c0fc068bf0c5b8d96405b1803d1c0668e05a088a6
Instruction ID: 993aeb8fe6588098ff0077a99b4208a79e4acbe711b25a7461c0fe361c8b0503
Opcode Fuzzy Hash: 5b2defd262148cc4f5292b2c0fc068bf0c5b8d96405b1803d1c0668e05a088a6
Instruction Fuzzy Hash: F40207B4A15229CFCB64DF38D884698B7B6BB48305F2085EED60DA3350DB349E86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E71322, Relevance: 3.4, APIs: 2, Instructions: 351COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a5731e86f48d3a3e26c2da7eeea5666f03e40ed05b9d40fa094ba69f20c2b905
Instruction ID: d21fe1ebb4cf0bccc933fdc41e388615d009edad927ea72db4f35316fe1c8e51
Opcode Fuzzy Hash: a5731e86f48d3a3e26c2da7eeea5666f03e40ed05b9d40fa094ba69f20c2b905
Instruction Fuzzy Hash: AAF107B4A15229CFCB64DF34D8847A8B7B6AB88305F2084EED60DA3350DB359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E7135E, Relevance: 3.3, APIs: 2, Instructions: 346COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d1779fcbd37b18aaab46238e8b55b34ea8839bb3a04ab3c309f60380a501fe20
Instruction ID: 744c285c91671167f82900a1768ead9b5d862c74eedd1f5f50f1a7e04fa3f8f9
Opcode Fuzzy Hash: d1779fcbd37b18aaab46238e8b55b34ea8839bb3a04ab3c309f60380a501fe20
Instruction Fuzzy Hash: 93F117B4A14229CFCB64DF34C8847A8B7B6AB88305F2085EED60DA3350DB359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E713A3, Relevance: 3.3, APIs: 2, Instructions: 339COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9756fbfa1db0c89542ec7c352baf6b6c67ff2dd591d269f8ed6dfe5c089ff0dd
Instruction ID: 1f2d3fa0779c275944ba1c0176164a4d0b5be581253941f9bdcbd6095c2f3c34
Opcode Fuzzy Hash: 9756fbfa1db0c89542ec7c352baf6b6c67ff2dd591d269f8ed6dfe5c089ff0dd
Instruction Fuzzy Hash: BAF107B4A15229CFCB64DF34C9847A8B7B6AB88305F2084EED609A3350DB359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E713E8, Relevance: 3.3, APIs: 2, Instructions: 332COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8dd2bbda0234ce80537432763e75741ebb5fce52205fd6592c703015c9aba4da
Instruction ID: 8f2aa2408a2b352ee54f24bc0acc65bbb0d95b72773ccd64415d0f7fdd397659
Opcode Fuzzy Hash: 8dd2bbda0234ce80537432763e75741ebb5fce52205fd6592c703015c9aba4da
Instruction Fuzzy Hash: 5CF107B4A14229CFCB64DF34C8847ACB7B6AB88305F2085EED609A3340DB359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E7142D, Relevance: 3.3, APIs: 2, Instructions: 325COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2ce1efdde9e0ff718348f32945042a287fb534b11728388de966818d7f94a56e
Instruction ID: 6b2e54f99b7d247a129ef1301799ef42f83b84ab574e69d0241cf6d80e7fae86
Opcode Fuzzy Hash: 2ce1efdde9e0ff718348f32945042a287fb534b11728388de966818d7f94a56e
Instruction Fuzzy Hash: C0E107B4A15229CFCB64DB24C8947A8B7B6AB88305F2085EED609A3350DB349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E71475, Relevance: 3.3, APIs: 2, Instructions: 316COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 13bd90180d4ce89181e08a993950bef0b4ced12b923a7ab652e6d1e5df53f334
Instruction ID: de53a99212988e00abfb01c8bc882e760e756c99aa900b41dc1dd73103816d2d
Opcode Fuzzy Hash: 13bd90180d4ce89181e08a993950bef0b4ced12b923a7ab652e6d1e5df53f334
Instruction Fuzzy Hash: 95E108B4A14229CFCB64DB24C8947ACB7B6AB88305F2085EED60DA3350DB349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E714B1, Relevance: 3.3, APIs: 2, Instructions: 311COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 976b897002f41cba195ea5ed951dbfae924ecc78a8ac37ea194b3b0880a78b53
Instruction ID: 70c5e66c0216f1518449c24d8d28fd664345068d90d10b998634662ec4ad5fa2
Opcode Fuzzy Hash: 976b897002f41cba195ea5ed951dbfae924ecc78a8ac37ea194b3b0880a78b53
Instruction Fuzzy Hash: C6E107B4A14229CFCB64DF24C9947ADB7B6AB88305F2084EED60DA3340DB349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E714F9, Relevance: 3.3, APIs: 2, Instructions: 304COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9e845f0b20bdde577d8bcc24b58bcbbc2f96a4daf0489243aa4bdbbe957f8893
Instruction ID: 17db637ae597d8ab3a595523ab0c50bb62df3773878fafb0622cd87dee90e8f4
Opcode Fuzzy Hash: 9e845f0b20bdde577d8bcc24b58bcbbc2f96a4daf0489243aa4bdbbe957f8893
Instruction Fuzzy Hash: 94D107B4A14229CFCB64DF24C8947A9B7B6AB88305F2085EED60DA3350DB349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E71541, Relevance: 3.3, APIs: 2, Instructions: 297COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: acc198218fd6d714bed3b105500189c1a9c49571e2a4e96a377a981da6db244b
Instruction ID: 9dfdea18d0eeaa2588d5fee8b970fd74856add743e0370b2fb3b10e9fada91fe
Opcode Fuzzy Hash: acc198218fd6d714bed3b105500189c1a9c49571e2a4e96a377a981da6db244b
Instruction Fuzzy Hash: 43D109B4A15229CFCB64DF34C8847A9B7B6AB88305F2084EED60DA3350DB349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E71589, Relevance: 3.3, APIs: 2, Instructions: 290COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 09918a8f7b733f303dfc4d35fa962e31690b56963f96f29e3eff0279e2be4adf
Instruction ID: c4d5d9a2d9b1a3f64ccfd5ccafa9fe634f6f4ae15ad032fdb24aaecee8e545b5
Opcode Fuzzy Hash: 09918a8f7b733f303dfc4d35fa962e31690b56963f96f29e3eff0279e2be4adf
Instruction Fuzzy Hash: A6D108B4A14229CFCB64DF34C9847A9B7B6AB88305F2084EED60DA3350DB349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E715D1, Relevance: 3.3, APIs: 2, Instructions: 283COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 33fa3eb1dc62bdb20253b1a0285ba53ff7ec1e5c6d6af44f5ccc0e55cc88eab7
Instruction ID: 13b884decfe0a3bf2d3c89f60abf01c979d344036aea4f77e7157d74f02468af
Opcode Fuzzy Hash: 33fa3eb1dc62bdb20253b1a0285ba53ff7ec1e5c6d6af44f5ccc0e55cc88eab7
Instruction Fuzzy Hash: FAD108B4A14229CFCB64DF34C9847A9B7B6AB88305F2084EED60DA3350DB359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E71619, Relevance: 3.3, APIs: 2, Instructions: 276COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71640
KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 020b03d05891fc5a0258a21ccbdc034b8181905f384eef058ec6cf433c6556b0
Instruction ID: 6a5847e7c8d886e377f775fd67b243c2e917e71f9803763fe67afea2ab51aad3
Opcode Fuzzy Hash: 020b03d05891fc5a0258a21ccbdc034b8181905f384eef058ec6cf433c6556b0
Instruction Fuzzy Hash: C9C107B4A14229CFCB64DB34C8947ADB7B6AB88305F2084EED60DA3350DB359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F2CA38, Relevance: 2.0, APIs: 1, Instructions: 539libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F2CF9F

Memory Dump Source

Source File: 00000004.00000002.473669845.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f855f6b18dd05dbd16159dac9ab7b48873174395cdea3bffed5a33e1277dff49
Instruction ID: 1b8cd890e0b1e73959e065bfd49de1725f605544a01119b597b0e8fc9b340393
Opcode Fuzzy Hash: f855f6b18dd05dbd16159dac9ab7b48873174395cdea3bffed5a33e1277dff49
Instruction Fuzzy Hash: 1E12F330F042598FDB20DBA8E884BADB7B1EF45310F15896AE419DB391DB34EC45DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E71677, Relevance: 1.8, APIs: 1, Instructions: 265COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5246c2a0db171db4265788aa0a2898434d24eeefad126ab619f7bb43b47cfdc4
Instruction ID: a33692639df6087c25a724972e9e07828953543b7490b69b936314b4a885799b
Opcode Fuzzy Hash: 5246c2a0db171db4265788aa0a2898434d24eeefad126ab619f7bb43b47cfdc4
Instruction Fuzzy Hash: 43C108B4A15229CFCB64DB24C8947ADB7B2AF88305F2084EED60DA3350DB359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E716BF, Relevance: 1.8, APIs: 1, Instructions: 258COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7365a6626caf9965b1fe9057ef9ec3efd69dfd07bd365595b8e1b2d721fdda48
Instruction ID: 245481a8d4432ca77719355c865a863fda929dd942f3bf4d183bdf5966b05667
Opcode Fuzzy Hash: 7365a6626caf9965b1fe9057ef9ec3efd69dfd07bd365595b8e1b2d721fdda48
Instruction Fuzzy Hash: ABB108B4A14229CFCB64DB24C8947ADB7B6AF88305F2084EED60DA3350DB349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E71707, Relevance: 1.8, APIs: 1, Instructions: 251COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 663399dbad3a641d3eeacd61b57066cfcf157bd11a85388ff39e1f4d2acb45b1
Instruction ID: f9a4cd464e538a385e95fcc0fbf369372490fb0867d841d9f6095ad30cfdb47c
Opcode Fuzzy Hash: 663399dbad3a641d3eeacd61b57066cfcf157bd11a85388ff39e1f4d2acb45b1
Instruction Fuzzy Hash: 2BB117B4A15229CFCB64DB24C8947ADB7B6AF88305F2084EED60DA3340DB349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E7174F, Relevance: 1.7, APIs: 1, Instructions: 244COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 54c55cc2ae5a866aa781e42cc51c3a084ba0485e83bb89e0a66d2bf4bd92b581
Instruction ID: 396638038c7dfebb550fc961f712e352b1c6dd353cc23752a1c2c326edb2a695
Opcode Fuzzy Hash: 54c55cc2ae5a866aa781e42cc51c3a084ba0485e83bb89e0a66d2bf4bd92b581
Instruction Fuzzy Hash: 5BB107B4A14229CFCB64DB24C8947ADB7B6AF88305F2084EED60DA3350DB359E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E71797, Relevance: 1.7, APIs: 1, Instructions: 237COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 53faf00af54449e7f154a1609c4eca16e99221770dacd67038b0b0ffd2e1913b
Instruction ID: 3fc1bee16735211affdaee0a325b38e6de909c87195ccb346f0ec476abcbfc47
Opcode Fuzzy Hash: 53faf00af54449e7f154a1609c4eca16e99221770dacd67038b0b0ffd2e1913b
Instruction Fuzzy Hash: 06A108B4A152298FCB64DB34C8947ADB7B6AF88305F2084EED60DA3350DB349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E717DF, Relevance: 1.7, APIs: 1, Instructions: 230COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E71806

Memory Dump Source

Source File: 00000004.00000002.473540735.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e992c66a781a449f24bd4a927b001829657c7a9eb2095d04fe6f72f7f7469249
Instruction ID: e2cdce210369d4f8bb73176e87a74032b577c8876d0ff36243b4f778ed55809a
Opcode Fuzzy Hash: e992c66a781a449f24bd4a927b001829657c7a9eb2095d04fe6f72f7f7469249
Instruction Fuzzy Hash: C3A108B4A152298FCB64DB34C8947ADB6B6AF88305F2084EED60DA3350DF349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F2E5F0, Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F2E631

Memory Dump Source

Source File: 00000004.00000002.473669845.0000000000F20000.00000040.00000001.sdmp, Offset: 00F20000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f341ea3be91a527a0b6e90fd510e5307180f7328a275450107d27a8a525076e5
Instruction ID: 8aa77bb241e1ac77ea0918bc699e5e5fff5a01a935cbcd4bf0cc77d75cb9492c
Opcode Fuzzy Hash: f341ea3be91a527a0b6e90fd510e5307180f7328a275450107d27a8a525076e5
Instruction Fuzzy Hash: 14614D34E102199BDB14EBB4E8597AEBBF2AF84304F208829E405E7390DF359C45DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F309D8, Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.473701023.0000000000F30000.00000040.00000001.sdmp, Offset: 00F30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d206a5cdb0541eb28d1f8dba6f1ff19c5bc073d2cd2f947b571f875d33f38b
Instruction ID: 78f1cc806c883f183fadcd692de5df2dbcaa9bde385d8a63ee251966f24acd62
Opcode Fuzzy Hash: d0d206a5cdb0541eb28d1f8dba6f1ff19c5bc073d2cd2f947b571f875d33f38b
Instruction Fuzzy Hash: CB412272E043598FCB00CFA9D8102DEBBF4EF89324F09856AD904E7240EB389945CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00F31AE0, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00F31B63

Memory Dump Source

Source File: 00000004.00000002.473701023.0000000000F30000.00000040.00000001.sdmp, Offset: 00F30000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 4dbf5bc5f070f974af3bc44a3344726a2b1d7adcb0d24f4fceb6ccdab6d31127
Instruction ID: 116408460fe9506d0d4e9729d62350ff478b2f1d6599a80e0d7a9bc0544fe810
Opcode Fuzzy Hash: 4dbf5bc5f070f974af3bc44a3344726a2b1d7adcb0d24f4fceb6ccdab6d31127
Instruction Fuzzy Hash: F121F3759042099FCB14CFA9D844BDEFBF5EB88324F14842AE415A7250DB74A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F31AE8, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00F31B63

Memory Dump Source

Source File: 00000004.00000002.473701023.0000000000F30000.00000040.00000001.sdmp, Offset: 00F30000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: c3beff44fa2fabd4f62726e05a677f5e0cccbe465f568d829b02e233956c0ca2
Instruction ID: 507e6c7944b09112cf517e02b055f08ad8f880fa540d6a0015f0a274628e458a
Opcode Fuzzy Hash: c3beff44fa2fabd4f62726e05a677f5e0cccbe465f568d829b02e233956c0ca2
Instruction Fuzzy Hash: F4211575D002099FCB10CF99C844BDEFBF5FB88324F10842AD415A7250DB74A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F30AA8, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 00F30B17

Memory Dump Source

Source File: 00000004.00000002.473701023.0000000000F30000.00000040.00000001.sdmp, Offset: 00F30000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 529a7317d8d8c195e6b32f6d38aed6a281e4046753d475d0247b87570ac237fa
Instruction ID: 67b9e897c2ea60eb30572e8e55d85d9f6b2e5fa225d3ee9fe071cfa31aa9b956
Opcode Fuzzy Hash: 529a7317d8d8c195e6b32f6d38aed6a281e4046753d475d0247b87570ac237fa
Instruction Fuzzy Hash: 241103B1D006199BCB00CF9AC844BDEFBF8EF48324F15816AD818A7240D778A955CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A648, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,00F3A629,00000800), ref: 00F3A6BA

Memory Dump Source

Source File: 00000004.00000002.473701023.0000000000F30000.00000040.00000001.sdmp, Offset: 00F30000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8a9d1c76b3f443d61388714bb49399c6ee031c95cfafc5114bfb9ea1fcaf3ed0
Instruction ID: 0bba471c5251f96d4428b385981dc542f48dfa3b649e9d59e30d480a4f83e91d
Opcode Fuzzy Hash: 8a9d1c76b3f443d61388714bb49399c6ee031c95cfafc5114bfb9ea1fcaf3ed0
Instruction Fuzzy Hash: 0C1114B6D002098FCB10CF9AC444BDEFBF4EB89360F14842ED955A7200C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F393CC, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,00F3A629,00000800), ref: 00F3A6BA

Memory Dump Source

Source File: 00000004.00000002.473701023.0000000000F30000.00000040.00000001.sdmp, Offset: 00F30000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f29a21daeb114f44b919260c6feb8ca48dc5ce0495e3b4d8e47764c5b5889bf1
Instruction ID: e9f6f496efd608f49d2414103cf9059827e6399f12e2e5e0647a382d792ff2a4
Opcode Fuzzy Hash: f29a21daeb114f44b919260c6feb8ca48dc5ce0495e3b4d8e47764c5b5889bf1
Instruction Fuzzy Hash: D11114B6D002098FCB10DF9AC444BDEFBF4EB99320F15842ED955A7600C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO #R58490.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre