Play interactive tour

Edit tour

Analysis Report Following abusive email letter .exe

Overview

General Information

Sample Name:	Following abusive email letter .exe
Analysis ID:	433262
MD5:	368a0ec11590e137b1cd5405cd0591db
SHA1:	48c11cb189d44ae0c30b32f0aba41d4c52568c44
SHA256:	c0b43d27c73d2a64f25a1e095a10dcf339635d9c48c6d612b37eba084341e103
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious Process Start Without DLL

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Following abusive email letter .exe (PID: 3888 cmdline: 'C:\Users\user\Desktop\Following abusive email letter .exe' MD5: 368A0EC11590E137B1CD5405CD0591DB)

schtasks.exe (PID: 4084 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VUGIHQGciwlxDd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1045.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 3352 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "FTP Info": "ftp://files.000webhost.com/zincocomputer147"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.464217016.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.464217016.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000000.209849248.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.209849248.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.211544150.00000000040C9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.211544150.00000000040C9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.468629357.000000000308F000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.467290309.0000000002E61000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3352	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 3352	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Following abusive email letter .exe PID: 3888	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Following abusive email letter .exe PID: 3888	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author
4.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Following abusive email letter .exe.4183028.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Following abusive email letter .exe.4183028.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.Following abusive email letter .exe.4183028.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Following abusive email letter .exe.4183028.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 3 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Start Without DLL

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Following abusive email letter .exe' , ParentImage: C:\Users\user\Desktop\Following abusive email letter .exe, ParentProcessId: 3888, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 3352

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Following abusive email letter .exe' , ParentImage: C:\Users\user\Desktop\Following abusive email letter .exe, ParentProcessId: 3888, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 3352

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Info": "ftp://files.000webhost.com/zincocomputer147"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\VUGIHQGciwlxDd.exe

ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Show sources

Source: Following abusive email letter .exe	Virustotal: Detection: 32%			Perma Link
Source: Following abusive email letter .exe	ReversingLabs: Detection: 32%

Source: 4.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Source: Following abusive email letter .exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: Following abusive email letter .exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: OpenExistingResult.pdb source: Following abusive email letter .exe
Source:	Binary string: OpenExistingResult.pdbH source: Following abusive email letter .exe

Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02E12A38
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02E12A29
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02E13FC8
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02E13FD8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.3:49741 -> 145.14.145.177:21
Source: Traffic	Snort IDS: 2029928 ET TROJAN AgentTesla HTML System Info Report Exfil via FTP 192.168.2.3:49742 -> 145.14.145.177:30339

Source: global traffic

TCP traffic: 192.168.2.3:49742 -> 145.14.145.177:30339

Source: Joe Sandbox View

IP Address: 145.14.145.177 145.14.145.177

Source: Joe Sandbox View

ASN Name: AWEXUS AWEXUS

Source: unknown

FTP traffic detected: 145.14.145.177:21 -> 192.168.2.3:49741 220 ProFTPD Server (000webhost.com) [::ffff:145.14.145.177]

Source: unknown

DNS traffic detected: queries for: files.000webhost.com

Source: RegSvcs.exe, 00000004.00000002.467290309.0000000002E61000.00000004.00000001.sdmp	String found in binary or memory: ftp://files.000webhost.com/zincocomputer147STORLengthWriteCloseGetBytesOpera
Source: RegSvcs.exe, 00000004.00000002.467290309.0000000002E61000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000004.00000002.467290309.0000000002E61000.00000004.00000001.sdmp	String found in binary or memory: http://CqZTYA.com
Source: RegSvcs.exe, 00000004.00000002.467290309.0000000002E61000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000004.00000002.468629357.000000000308F000.00000004.00000001.sdmp	String found in binary or memory: http://JC95xwwqEnXy3nGe.net
Source: RegSvcs.exe, 00000004.00000002.468629357.000000000308F000.00000004.00000001.sdmp	String found in binary or memory: http://JC95xwwqEnXy3nGe.netL
Source: RegSvcs.exe, 00000004.00000002.469009805.0000000003111000.00000004.00000001.sdmp	String found in binary or memory: http://files.000webhost.com
Source: Following abusive email letter .exe, 00000000.00000002.211148958.00000000030C1000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.468959194.0000000003103000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000004.00000002.469009805.0000000003111000.00000004.00000001.sdmp	String found in binary or memory: http://us-east-1.route-1000.000webhost.awex.io
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Following abusive email letter .exe, 00000000.00000002.211544150.00000000040C9000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.464217016.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000004.00000002.467290309.0000000002E61000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 4.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bF52F2392u002d8C75u002d4729u002dA1E6u002d025BFAA162F9u007d/CB8ACA7Au002d9CEBu002d462Du002dA49Bu002dF669480A59B6.cs

Large array initialization: .cctor: array initializer size 11932

Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_00A7264C	0_2_00A7264C
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_016C9AA8	0_2_016C9AA8
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_016CC750	0_2_016CC750
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_016C9948	0_2_016C9948
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_02E132F0	0_2_02E132F0
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_02E106E0	0_2_02E106E0
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_02E106D0	0_2_02E106D0
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_02E10B70	0_2_02E10B70
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_02E10B5F	0_2_02E10B5F
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A3EED0	0_2_05A3EED0
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A3F650	0_2_05A3F650
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A31D28	0_2_05A31D28
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A35D31	0_2_05A35D31
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A31D38	0_2_05A31D38
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A33519	0_2_05A33519
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A35D40	0_2_05A35D40
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A31480	0_2_05A31480
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A34468	0_2_05A34468
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A3AC70	0_2_05A3AC70
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A34458	0_2_05A34458
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A3A7F0	0_2_05A3A7F0
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A32720	0_2_05A32720
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A32730	0_2_05A32730
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A31769	0_2_05A31769
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A31778	0_2_05A31778
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A39F50	0_2_05A39F50
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A356E0	0_2_05A356E0
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A356D2	0_2_05A356D2
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A33610	0_2_05A33610
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A32189	0_2_05A32189
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A32198	0_2_05A32198
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A3C198	0_2_05A3C198
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A30920	0_2_05A30920
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A30930	0_2_05A30930
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A39948	0_2_05A39948
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A358E8	0_2_05A358E8
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A358D8	0_2_05A358D8
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A35039	0_2_05A35039
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A36805	0_2_05A36805
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A36808	0_2_05A36808
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A32040	0_2_05A32040
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A35048	0_2_05A35048
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A35B38	0_2_05A35B38
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A35B48	0_2_05A35B48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BA0820	4_2_00BA0820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BAE018	4_2_00BAE018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BA8D70	4_2_00BA8D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BA3FC8	4_2_00BA3FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BA0CB0	4_2_00BA0CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BA94C8	4_2_00BA94C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BA2C08	4_2_00BA2C08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BAD9E8	4_2_00BAD9E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BA8B50	4_2_00BA8B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BB00E0	4_2_00BB00E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BBA870	4_2_00BBA870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BB2920	4_2_00BB2920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BB7AB0	4_2_00BB7AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BB6678	4_2_00BB6678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BB6BF8	4_2_00BB6BF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BBEF30	4_2_00BBEF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BB0720	4_2_00BB0720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BB2D38	4_2_00BB2D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BB87A0	4_2_00BB87A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BCB060	4_2_00BCB060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BC2D50	4_2_00BC2D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BCDEC6	4_2_00BCDEC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BC1FF0	4_2_00BC1FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BCA720	4_2_00BCA720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BC2768	4_2_00BC2768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BC9DB8	4_2_00BC9DB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_010B47A0	4_2_010B47A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_010B479F	4_2_010B479F

Source: Following abusive email letter .exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: VUGIHQGciwlxDd.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Following abusive email letter .exe, 00000000.00000002.215243237.000000000C230000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Following abusive email letter .exe
Source: Following abusive email letter .exe, 00000000.00000002.215243237.000000000C230000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Following abusive email letter .exe
Source: Following abusive email letter .exe, 00000000.00000002.211544150.00000000040C9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKygo.dll* vs Following abusive email letter .exe
Source: Following abusive email letter .exe, 00000000.00000002.211544150.00000000040C9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTGqXBSLBNqFAlVDcDrdeyUgg.exe4 vs Following abusive email letter .exe
Source: Following abusive email letter .exe, 00000000.00000002.211544150.00000000040C9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs Following abusive email letter .exe
Source: Following abusive email letter .exe, 00000000.00000002.214907946.000000000C130000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Following abusive email letter .exe
Source: Following abusive email letter .exe, 00000000.00000000.199906618.0000000000B50000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameOpenExistingResult.exe< vs Following abusive email letter .exe
Source: Following abusive email letter .exe	Binary or memory string: OriginalFilenameOpenExistingResult.exe< vs Following abusive email letter .exe

Source: Following abusive email letter .exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: Following abusive email letter .exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VUGIHQGciwlxDd.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Following abusive email letter .exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Following abusive email letter .exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: VUGIHQGciwlxDd.exe.0.dr, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: VUGIHQGciwlxDd.exe.0.dr, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.RegSvcs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.RegSvcs.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/4@2/1

Source: C:\Users\user\Desktop\Following abusive email letter .exe

File created: C:\Users\user\AppData\Roaming\VUGIHQGciwlxDd.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4884:120:WilError_01

Source: C:\Users\user\Desktop\Following abusive email letter .exe

File created: C:\Users\user\AppData\Local\Temp\tmp1045.tmp

Jump to behavior

Source: Following abusive email letter .exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Following abusive email letter .exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Following abusive email letter .exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Following abusive email letter .exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: Following abusive email letter .exe	Virustotal: Detection: 32%
Source: Following abusive email letter .exe	ReversingLabs: Detection: 32%

Source: C:\Users\user\Desktop\Following abusive email letter .exe

File read: C:\Users\user\Desktop\Following abusive email letter .exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Following abusive email letter .exe 'C:\Users\user\Desktop\Following abusive email letter .exe'
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VUGIHQGciwlxDd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1045.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VUGIHQGciwlxDd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1045.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\Following abusive email letter .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Following abusive email letter .exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Following abusive email letter .exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Following abusive email letter .exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Following abusive email letter .exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: OpenExistingResult.pdb source: Following abusive email letter .exe
Source:	Binary string: OpenExistingResult.pdbH source: Following abusive email letter .exe

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: Following abusive email letter .exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: VUGIHQGciwlxDd.exe.0.dr, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_00A75DCB pushfd ; retf	0_2_00A75ED9
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_016CE8F0 pushfd ; ret	0_2_016CE8F1
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_02E132F0 push 840617CBh; retf	0_2_02E13701
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A36DE6 push esi; ret	0_2_05A36DE7
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Code function: 0_2_05A37790 push esp; iretd	0_2_05A37792
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BCC4E0 pushfd ; iretd	4_2_00BCCA66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BC2768 pushfd ; iretd	4_2_00BC2B86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BC7A37 push edi; retn 0000h	4_2_00BC7A39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BC1E58 pushfd ; iretd	4_2_00BC1E66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00BC2B78 pushfd ; iretd	4_2_00BC2B86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_010B451C push ss; iretd	4_2_010B4526

Source: initial sample	Static PE information: section name: .text entropy: 7.85847754402
Source: initial sample	Static PE information: section name: .text entropy: 7.85847754402

Source: Following abusive email letter .exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'SUpqes', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: VUGIHQGciwlxDd.exe.0.dr, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'SUpqes', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'

Source: C:\Users\user\Desktop\Following abusive email letter .exe

File created: C:\Users\user\AppData\Roaming\VUGIHQGciwlxDd.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\Following abusive email letter .exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VUGIHQGciwlxDd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1045.tmp'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Following abusive email letter .exe PID: 3888, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Following abusive email letter .exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\Following abusive email letter .exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3521			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6262			Jump to behavior

Source: C:\Users\user\Desktop\Following abusive email letter .exe TID: 6040	Thread sleep time: -101485s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe TID: 2396	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Following abusive email letter .exe	Thread delayed: delay time: 101485	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.472242636.0000000005EA0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000004.00000002.472242636.0000000005EA0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000004.00000002.472242636.0000000005EA0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 00000004.00000002.472641648.0000000005FBA000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 00000004.00000002.472242636.0000000005EA0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4_2_00BAE018 LdrInitializeThunk,

4_2_00BAE018

Source: C:\Users\user\Desktop\Following abusive email letter .exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VUGIHQGciwlxDd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1045.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.466731473.0000000001860000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000004.00000002.466731473.0000000001860000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000004.00000002.466731473.0000000001860000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000004.00000002.466731473.0000000001860000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Following abusive email letter .exe	Queries volume information: C:\Users\user\Desktop\Following abusive email letter .exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Following abusive email letter .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Following abusive email letter .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000004.00000002.464217016.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.209849248.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.211544150.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Following abusive email letter .exe.4183028.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Following abusive email letter .exe.4183028.2.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000004.00000002.464217016.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.209849248.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.211544150.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.468629357.000000000308F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3352, type: MEMORY
Source: Yara match	File source: Process Memory Space: Following abusive email letter .exe PID: 3888, type: MEMORY
Source: Yara match	File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Following abusive email letter .exe.4183028.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Following abusive email letter .exe.4183028.2.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000004.00000002.467290309.0000000002E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3352, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000004.00000002.464217016.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.209849248.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.211544150.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Following abusive email letter .exe.4183028.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Following abusive email letter .exe.4183028.2.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000004.00000002.464217016.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.209849248.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.211544150.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.468629357.000000000308F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3352, type: MEMORY
Source: Yara match	File source: Process Memory Space: Following abusive email letter .exe PID: 3888, type: MEMORY
Source: Yara match	File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Following abusive email letter .exe.4183028.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Following abusive email letter .exe.4183028.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Scheduled Task/Job1	Process Injection12	Disable or Modify Tools1	OS Credential Dumping2	File and Directory Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Alternative Protocol1	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Deobfuscate/Decode Files or Information1	Credentials in Registry1	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information3	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing13	NTDS	Security Software Discovery321	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Process Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion141	Cached Domain Credentials	Virtualization/Sandbox Evasion141	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection12	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Following abusive email letter .exe	32%	Virustotal		Browse
Following abusive email letter .exe	33%	ReversingLabs	ByteCode-MSIL.Trojan.Heracles

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\VUGIHQGciwlxDd.exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.Heracles

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File
4.0.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
us-east-1.route-1000.000webhost.awex.io	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://CqZTYA.com	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://JC95xwwqEnXy3nGe.net	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://JC95xwwqEnXy3nGe.netL	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://us-east-1.route-1000.000webhost.awex.io	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us-east-1.route-1000.000webhost.awex.io	145.14.145.177	true	true	1%, Virustotal, Browse	unknown
files.000webhost.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://CqZTYA.com	RegSvcs.exe, 00000004.00000002.467290309.0000000002E61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:HTTP/1.1	RegSvcs.exe, 00000004.00000002.467290309.0000000002E61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://JC95xwwqEnXy3nGe.net	RegSvcs.exe, 00000004.00000002.468629357.000000000308F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNS	RegSvcs.exe, 00000004.00000002.467290309.0000000002E61000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://JC95xwwqEnXy3nGe.netL	RegSvcs.exe, 00000004.00000002.468629357.000000000308F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://files.000webhost.com	RegSvcs.exe, 00000004.00000002.469009805.0000000003111000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegSvcs.exe, 00000004.00000002.467290309.0000000002E61000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Following abusive email letter .exe, 00000000.00000002.211148958.00000000030C1000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.468959194.0000000003103000.00000004.00000001.sdmp	false		high
http://us-east-1.route-1000.000webhost.awex.io	RegSvcs.exe, 00000004.00000002.469009805.0000000003111000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	Following abusive email letter .exe, 00000000.00000002.211544150.00000000040C9000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.464217016.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
ftp://files.000webhost.com/zincocomputer147STORLengthWriteCloseGetBytesOpera	RegSvcs.exe, 00000004.00000002.467290309.0000000002E61000.00000004.00000001.sdmp	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	Following abusive email letter .exe, 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
145.14.145.177	us-east-1.route-1000.000webhost.awex.io	Netherlands		204915	AWEXUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433262
Start date:	11.06.2021
Start time:	14:57:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Following abusive email letter .exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/4@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 1% (good quality ratio 0.6%) Quality average: 44.9% Quality standard deviation: 42.2%
HCA Information:	Successful, ratio: 99% Number of executed functions: 102 Number of non-executed functions: 42
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 52.147.198.201, 20.50.102.62, 184.30.20.56, 20.54.26.129, 2.20.142.210, 2.20.142.209, 92.122.213.247, 92.122.213.194, 20.82.210.154 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:58:09	API Interceptor	1x Sleep call for process: Following abusive email letter .exe modified
14:58:20	API Interceptor	759x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
145.14.145.177	Scan copy of said documents.exe	Get hash	malicious	Browse
	Additional documents.exe	Get hash	malicious	Browse
	Enclosed the following documents as requested.exe	Get hash	malicious	Browse
	Complaint Lodged Against Your Company .exe	Get hash	malicious	Browse
	DOCUMENTS.exe	Get hash	malicious	Browse
	documents and Details.exe	Get hash	malicious	Browse
	oLHQIQAI3N.exe	Get hash	malicious	Browse
	oLHQIQAI3N.exe	Get hash	malicious	Browse
	hoTA52pXM4.doc	Get hash	malicious	Browse
	hoTA52pXM4.doc	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
us-east-1.route-1000.000webhost.awex.io	All Details.exe	Get hash	malicious	Browse	145.14.144.54
	All the Documents and Details.exe	Get hash	malicious	Browse	145.14.145.180
	Additional documents required.pdf.exe	Get hash	malicious	Browse	145.14.145.180
	Kabyria El Arab-14326587.exe	Get hash	malicious	Browse	145.14.145.180
	Kabyria El Arab-14326587.exe	Get hash	malicious	Browse	145.14.144.209
	FedEx Receipt with Reference Code.exe	Get hash	malicious	Browse	145.14.144.209
	Scan copy of said documents.exe	Get hash	malicious	Browse	145.14.144.209
	Abusive email letter from your account.exe	Get hash	malicious	Browse	145.14.145.180
	Scan copy of said documents.exe	Get hash	malicious	Browse	145.14.145.177
	Scan copy of said documents.exe	Get hash	malicious	Browse	145.14.144.149
	Scan copy of said documents.exe	Get hash	malicious	Browse	145.14.144.209
	Additional documents.exe	Get hash	malicious	Browse	145.14.145.177
	Additional documents.exe	Get hash	malicious	Browse	145.14.145.180
	Complaint lodged against your company..exe	Get hash	malicious	Browse	145.14.145.180
	Enclosed the following documents as requested.exe	Get hash	malicious	Browse	145.14.145.177
	Complaint Lodged Against Your Company .exe	Get hash	malicious	Browse	145.14.145.177
	All details.exe	Get hash	malicious	Browse	145.14.144.54
	All details.exe	Get hash	malicious	Browse	145.14.144.54
	Urgent Attention Required.exe	Get hash	malicious	Browse	145.14.144.209
	DOCUMENTS.exe	Get hash	malicious	Browse	145.14.145.177

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AWEXUS	WcHO1ZGiIn.exe	Get hash	malicious	Browse	145.14.145.185
	All Details.exe	Get hash	malicious	Browse	145.14.144.54
	All the Documents and Details.exe	Get hash	malicious	Browse	145.14.145.180
	PURCHASE ORDER.exe	Get hash	malicious	Browse	145.14.144.45
	01_extracted.exe	Get hash	malicious	Browse	145.14.144.111
	Additional documents required.pdf.exe	Get hash	malicious	Browse	145.14.145.180
	Kabyria El Arab-14326587.exe	Get hash	malicious	Browse	145.14.145.180
	Kabyria El Arab-14326587.exe	Get hash	malicious	Browse	145.14.144.209
	FedEx Receipt with Reference Code.exe	Get hash	malicious	Browse	145.14.144.209
	OyVPRUTe0s.exe	Get hash	malicious	Browse	145.14.144.197
	hfrEZuBd5B.exe	Get hash	malicious	Browse	145.14.144.156
	1Z4191ecDy.exe	Get hash	malicious	Browse	145.14.144.12
	j6RwLGBzlz.exe	Get hash	malicious	Browse	145.14.144.66
	Scan copy of said documents.exe	Get hash	malicious	Browse	145.14.144.209
	A018379D343600DAB5B728E46D2EE4E12D3853837FCF1.exe	Get hash	malicious	Browse	145.14.144.210
	Abusive email letter from your account.exe	Get hash	malicious	Browse	145.14.145.180
	sample products 1,2,&,4.exe	Get hash	malicious	Browse	145.14.144.32
	Scan copy of said documents.exe	Get hash	malicious	Browse	145.14.145.177
	Scan copy of said documents.exe	Get hash	malicious	Browse	145.14.144.149
	Scan copy of said documents.exe	Get hash	malicious	Browse	145.14.144.209

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Following abusive email letter .exe.log Download File
Process:	C:\Users\user\Desktop\Following abusive email letter .exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp1045.tmp Download File
Process:	C:\Users\user\Desktop\Following abusive email letter .exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1647
Entropy (8bit):	5.199714843668102
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBvPLtn:cbh47TlNQ//rydbz9I3YODOLNdq3lPJ
MD5:	DCC43E257CB9BECF598E74F756FEF25E
SHA1:	D67330DB63650FCC9E8CA22EB86EC36CADCBA9B4
SHA-256:	25951389412CFCBAE77EDB8D3F93419A40BECA0DD71A0C56C76977CCBDF87B48
SHA-512:	AD1F23F8DEE31B16537CE51871BAFF9E011A0D072E50262BEA812B0AE2A5F5E82BA362907981D09738F689BDED856066F0FDD3B09D0DE8AE06F459DCA22E4D5E
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\VUGIHQGciwlxDd.exe Download File
Process:	C:\Users\user\Desktop\Following abusive email letter .exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	953856
Entropy (8bit):	7.511931897413592
Encrypted:	false
SSDEEP:	12288:p12L4ovYmfBgM/npoaxFKgasrOe+Gcr1xs+j4JQ0DXUYNZM4e/ZUdtbV:pMpX3asL/EzsC4jLUgNeBUdtR
MD5:	368A0EC11590E137B1CD5405CD0591DB
SHA1:	48C11CB189D44AE0C30B32F0ABA41D4C52568C44
SHA-256:	C0B43D27C73D2A64F25A1E095A10DCF339635D9C48C6D612B37EBA084341E103
SHA-512:	57DBF150965546D99F1A076AF014E6B586323ED139DD4730D5A917174E159377F4AA97A674CCA65BBDA2B04C7A76454B9F0D6418E0A5F0ED5D90F9B4EDF62AC4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`............................n.... ... ....@.. ....................... ............@................................. ...K....@............................................................................... ............... ..H............text...t.... ...................... ..`.sdata....... ......................@....rsrc........@......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\VUGIHQGciwlxDd.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\Following abusive email letter .exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.511931897413592
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	Following abusive email letter .exe
File size:	953856
MD5:	368a0ec11590e137b1cd5405cd0591db
SHA1:	48c11cb189d44ae0c30b32f0aba41d4c52568c44
SHA256:	c0b43d27c73d2a64f25a1e095a10dcf339635d9c48c6d612b37eba084341e103
SHA512:	57dbf150965546d99f1a076af014e6b586323ed139dd4730d5a917174e159377f4aa97a674cca65bbda2b04c7a76454b9f0d6418e0a5f0ed5d90f9b4edf62ac4
SSDEEP:	12288:p12L4ovYmfBgM/npoaxFKgasrOe+Gcr1xs+j4JQ0DXUYNZM4e/ZUdtbV:pMpX3asL/EzsC4jLUgNeBUdtR
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`............................n.... ... ....@.. ....................... ............@................................

File Icon


Icon Hash:	8c8caa8e9692aa00

Static PE Info

General
Entrypoint:	0x4c006e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60C2968F [Thu Jun 10 22:47:43 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc0020	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x2a3a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xbffd2	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbe074	0xbe200	False	0.896723218688	data	7.85847754402	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata	0xc2000	0x1e8	0x200	False	0.861328125	data	6.63003510345	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xc4000	0x2a3a0	0x2a400	False	0.124375924556	data	4.17209019153	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf0000	0xc	0x200	False	0.041015625	data	0.0776331623432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xc42b0	0x2326	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xc65d8	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xd6e00	0x94a8	data
RT_ICON	0xe02a8	0x5488	data
RT_ICON	0xe5730	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0xe9958	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0xebf00	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0xecfa8	0x988	data
RT_ICON	0xed930	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xedd98	0x84	data
RT_VERSION	0xede1c	0x398	data
RT_MANIFEST	0xee1b4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Paul Harris 2016
Assembly Version	251.2.0.0
InternalName	OpenExistingResult.exe
FileVersion	251.2.0.0
CompanyName	Paul Harris
LegalTrademarks
Comments	1992 Alpine A 610
ProductName	ReloadManager
ProductVersion	251.2.0.0
FileDescription	ReloadManager
OriginalFilename	OpenExistingResult.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/11/21-14:59:47.080868	TCP	2029927	ET TROJAN AgentTesla Exfil via FTP	49741	21	192.168.2.3	145.14.145.177
06/11/21-14:59:47.240610	TCP	2029928	ET TROJAN AgentTesla HTML System Info Report Exfil via FTP	49742	30339	192.168.2.3	145.14.145.177

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 14:59:45.367415905 CEST	49741	21	192.168.2.3	145.14.145.177
Jun 11, 2021 14:59:45.522007942 CEST	21	49741	145.14.145.177	192.168.2.3
Jun 11, 2021 14:59:45.522905111 CEST	49741	21	192.168.2.3	145.14.145.177
Jun 11, 2021 14:59:45.692617893 CEST	21	49741	145.14.145.177	192.168.2.3
Jun 11, 2021 14:59:45.693629980 CEST	49741	21	192.168.2.3	145.14.145.177
Jun 11, 2021 14:59:45.849685907 CEST	21	49741	145.14.145.177	192.168.2.3
Jun 11, 2021 14:59:46.013902903 CEST	21	49741	145.14.145.177	192.168.2.3
Jun 11, 2021 14:59:46.014364004 CEST	49741	21	192.168.2.3	145.14.145.177
Jun 11, 2021 14:59:46.169060946 CEST	21	49741	145.14.145.177	192.168.2.3
Jun 11, 2021 14:59:46.291543007 CEST	21	49741	145.14.145.177	192.168.2.3
Jun 11, 2021 14:59:46.291822910 CEST	49741	21	192.168.2.3	145.14.145.177
Jun 11, 2021 14:59:46.448378086 CEST	21	49741	145.14.145.177	192.168.2.3
Jun 11, 2021 14:59:46.448662996 CEST	21	49741	145.14.145.177	192.168.2.3
Jun 11, 2021 14:59:46.449168921 CEST	49741	21	192.168.2.3	145.14.145.177
Jun 11, 2021 14:59:46.604037046 CEST	21	49741	145.14.145.177	192.168.2.3
Jun 11, 2021 14:59:46.604501963 CEST	49741	21	192.168.2.3	145.14.145.177
Jun 11, 2021 14:59:46.759372950 CEST	21	49741	145.14.145.177	192.168.2.3
Jun 11, 2021 14:59:46.759576082 CEST	49741	21	192.168.2.3	145.14.145.177
Jun 11, 2021 14:59:46.916337967 CEST	21	49741	145.14.145.177	192.168.2.3
Jun 11, 2021 14:59:46.921998024 CEST	49742	30339	192.168.2.3	145.14.145.177
Jun 11, 2021 14:59:46.965778112 CEST	49741	21	192.168.2.3	145.14.145.177
Jun 11, 2021 14:59:47.080533981 CEST	30339	49742	145.14.145.177	192.168.2.3
Jun 11, 2021 14:59:47.080650091 CEST	49742	30339	192.168.2.3	145.14.145.177
Jun 11, 2021 14:59:47.080868006 CEST	49741	21	192.168.2.3	145.14.145.177
Jun 11, 2021 14:59:47.235999107 CEST	21	49741	145.14.145.177	192.168.2.3
Jun 11, 2021 14:59:47.240609884 CEST	49742	30339	192.168.2.3	145.14.145.177
Jun 11, 2021 14:59:47.241487980 CEST	49742	30339	192.168.2.3	145.14.145.177
Jun 11, 2021 14:59:47.278336048 CEST	49741	21	192.168.2.3	145.14.145.177
Jun 11, 2021 14:59:47.395955086 CEST	21	49741	145.14.145.177	192.168.2.3
Jun 11, 2021 14:59:47.398730040 CEST	30339	49742	145.14.145.177	192.168.2.3
Jun 11, 2021 14:59:47.399564981 CEST	30339	49742	145.14.145.177	192.168.2.3
Jun 11, 2021 14:59:47.399647951 CEST	49742	30339	192.168.2.3	145.14.145.177
Jun 11, 2021 14:59:47.450216055 CEST	49741	21	192.168.2.3	145.14.145.177
Jun 11, 2021 15:00:17.597672939 CEST	21	49741	145.14.145.177	192.168.2.3
Jun 11, 2021 15:00:17.597696066 CEST	21	49741	145.14.145.177	192.168.2.3
Jun 11, 2021 15:00:17.597767115 CEST	49741	21	192.168.2.3	145.14.145.177

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 14:58:00.848977089 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:00.901431084 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:02.214365005 CEST	60152	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:02.267451048 CEST	53	60152	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:03.133934975 CEST	57544	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:03.185378075 CEST	53	57544	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:04.132235050 CEST	55984	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:04.184144020 CEST	53	55984	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:05.016041040 CEST	64185	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:05.066240072 CEST	53	64185	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:05.958273888 CEST	65110	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:06.011267900 CEST	53	65110	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:06.785180092 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:06.837188959 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:07.865432024 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:07.918978930 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:08.933995008 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:08.987077951 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:12.021681070 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:12.074774027 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:13.068713903 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:13.118885994 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:14.029623032 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:14.081605911 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:15.311315060 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:15.361881971 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:16.216814041 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:16.275664091 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:17.166984081 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:17.217223883 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:18.081861973 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:18.132059097 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:18.975440025 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:19.035496950 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:19.826948881 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:19.877147913 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:20.745188951 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:20.795350075 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:36.149271965 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:36.221723080 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:38.182879925 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:38.244031906 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:54.642185926 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:54.711458921 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:56.481997967 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:56.542021036 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 11, 2021 14:58:56.645064116 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:58:56.703546047 CEST	53	55435	8.8.8.8	192.168.2.3
Jun 11, 2021 14:59:13.063411951 CEST	50713	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:59:13.122354984 CEST	53	50713	8.8.8.8	192.168.2.3
Jun 11, 2021 14:59:19.376954079 CEST	56132	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:59:19.438102007 CEST	53	56132	8.8.8.8	192.168.2.3
Jun 11, 2021 14:59:45.185534000 CEST	58987	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:59:45.264453888 CEST	53	58987	8.8.8.8	192.168.2.3
Jun 11, 2021 14:59:45.279160976 CEST	56579	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:59:45.354423046 CEST	53	56579	8.8.8.8	192.168.2.3
Jun 11, 2021 14:59:48.451159000 CEST	60633	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:59:48.510210991 CEST	53	60633	8.8.8.8	192.168.2.3
Jun 11, 2021 14:59:49.780607939 CEST	61292	53	192.168.2.3	8.8.8.8
Jun 11, 2021 14:59:49.839562893 CEST	53	61292	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 11, 2021 14:59:45.185534000 CEST	192.168.2.3	8.8.8.8	0x280	Standard query (0)	files.000webhost.com	A (IP address)	IN (0x0001)
Jun 11, 2021 14:59:45.279160976 CEST	192.168.2.3	8.8.8.8	0xbefd	Standard query (0)	files.000webhost.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 11, 2021 14:59:45.264453888 CEST	8.8.8.8	192.168.2.3	0x280	No error (0)	files.000webhost.com	us-east-1.route-1000.000webhost.awex.io		CNAME (Canonical name)	IN (0x0001)
Jun 11, 2021 14:59:45.264453888 CEST	8.8.8.8	192.168.2.3	0x280	No error (0)	us-east-1.route-1000.000webhost.awex.io		145.14.145.177	A (IP address)	IN (0x0001)
Jun 11, 2021 14:59:45.354423046 CEST	8.8.8.8	192.168.2.3	0xbefd	No error (0)	files.000webhost.com	us-east-1.route-1000.000webhost.awex.io		CNAME (Canonical name)	IN (0x0001)
Jun 11, 2021 14:59:45.354423046 CEST	8.8.8.8	192.168.2.3	0xbefd	No error (0)	us-east-1.route-1000.000webhost.awex.io		145.14.145.177	A (IP address)	IN (0x0001)

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jun 11, 2021 14:59:45.692617893 CEST	21	49741	145.14.145.177	192.168.2.3	220 ProFTPD Server (000webhost.com) [::ffff:145.14.145.177]
Jun 11, 2021 14:59:45.693629980 CEST	49741	21	192.168.2.3	145.14.145.177	USER zinco
Jun 11, 2021 14:59:46.013902903 CEST	21	49741	145.14.145.177	192.168.2.3	331 User zinco OK. Password required
Jun 11, 2021 14:59:46.014364004 CEST	49741	21	192.168.2.3	145.14.145.177	PASS computer147
Jun 11, 2021 14:59:46.291543007 CEST	21	49741	145.14.145.177	192.168.2.3	230-Your bandwidth usage is restricted 230-Your bandwidth usage is restricted230 OK. Current restricted directory is /
Jun 11, 2021 14:59:46.448662996 CEST	21	49741	145.14.145.177	192.168.2.3	200 OK, UTF-8 enabled
Jun 11, 2021 14:59:46.449168921 CEST	49741	21	192.168.2.3	145.14.145.177	PWD
Jun 11, 2021 14:59:46.604037046 CEST	21	49741	145.14.145.177	192.168.2.3	257 "/" is your current location
Jun 11, 2021 14:59:46.604501963 CEST	49741	21	192.168.2.3	145.14.145.177	TYPE I
Jun 11, 2021 14:59:46.759372950 CEST	21	49741	145.14.145.177	192.168.2.3	200 TYPE is now 8-bit binary
Jun 11, 2021 14:59:46.759576082 CEST	49741	21	192.168.2.3	145.14.145.177	PASV
Jun 11, 2021 14:59:46.916337967 CEST	21	49741	145.14.145.177	192.168.2.3	227 Entering Passive Mode (145,14,145,177,118,131).
Jun 11, 2021 14:59:47.080868006 CEST	49741	21	192.168.2.3	145.14.145.177	STOR PW_user-813848_2021_06_11_17_49_26.html
Jun 11, 2021 14:59:47.235999107 CEST	21	49741	145.14.145.177	192.168.2.3	150 Connecting to port 34968
Jun 11, 2021 14:59:47.395955086 CEST	21	49741	145.14.145.177	192.168.2.3	226-File successfully transferred 226-File successfully transferred226 0.160 seconds (measured here), 2.68 Kbytes per second
Jun 11, 2021 15:00:17.597672939 CEST	21	49741	145.14.145.177	192.168.2.3	421 Idle timeout (30 seconds): closing control connection

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Following abusive email letter .exe PID: 3888 Parent PID: 5820

General

Start time:	14:58:08
Start date:	11/06/2021
Path:	C:\Users\user\Desktop\Following abusive email letter .exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Following abusive email letter .exe'
Imagebase:	0xa70000
File size:	953856 bytes
MD5 hash:	368A0EC11590E137B1CD5405CD0591DB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.211185227.00000000030FF000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.211544150.00000000040C9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.211544150.00000000040C9000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 4084 Parent PID: 3888

General

Start time:	14:58:11
Start date:	11/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VUGIHQGciwlxDd' /XML 'C:\Users\user\AppData\Local\Temp\tmp1045.tmp'
Imagebase:	0x820000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4884 Parent PID: 4084

General

Start time:	14:58:12
Start date:	11/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 3352 Parent PID: 3888

General

Start time:	14:58:12
Start date:	11/06/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xa70000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.464217016.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.464217016.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.209849248.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.209849248.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.468629357.000000000308F000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.467290309.0000000002E61000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Following abusive email letter .exe PID: 3888 Parent PID: 5820 Following abusive email letter .exeCOMMON

Executed Functions

Function 05A3F650, Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

?^u, xrefs: 05A3F8EE

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID: ?^u
API String ID: 0-4150962
Opcode ID: 709b6a528bebadcad12ff15dc62df009f5758159b6501da937d5ac98b10c2584
Instruction ID: c39a2e18867333e9c1c264b7153f2a96371b8e50a77ed8c1d26966475087f45e
Opcode Fuzzy Hash: 709b6a528bebadcad12ff15dc62df009f5758159b6501da937d5ac98b10c2584
Instruction Fuzzy Hash: 40D12B70E152189FDB14CFA4D946AEDBBB2FF89305F20942AE40ABB394DB749901CF14

Uniqueness

Uniqueness Score: -1.00%

Function 016C9AA8, Relevance: .7, Instructions: 658COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210916846.00000000016C0000.00000040.00000001.sdmp, Offset: 016C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1948561d6eae96ae6eb05a881bdf9a8c7fbea58e6f808f16074d540cdf1eea09
Instruction ID: 009ab55d6943b8a37489f2a0d83ed9196eac6240f9c35ba76df0dbab069743f0
Opcode Fuzzy Hash: 1948561d6eae96ae6eb05a881bdf9a8c7fbea58e6f808f16074d540cdf1eea09
Instruction Fuzzy Hash: 82526D31A00619CFCB15CF68C880AAEB7B2FF45708F5584A9D91AAB251D775FD85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02E132F0, Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210984036.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08114c297fac6c9604fe538db766bf55836f05889ccef410aec59a38c6ea059a
Instruction ID: dd3a61c15b08939c6a7c4a728458f3fd881bc5e49bb1c78031403e009d81b20c
Opcode Fuzzy Hash: 08114c297fac6c9604fe538db766bf55836f05889ccef410aec59a38c6ea059a
Instruction Fuzzy Hash: B6C188317406118FDB29DB75C860BAAB7E7AF89B08F1494BDD1469B290CF35E901CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A3EED0, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10cd720391854a46bd8363232296400b140f184cffa177762215c88809d6f4c
Instruction ID: 4180fabd67ef1edd31398b850ea24c89059a702890957d120c7e41c4bc5973bb
Opcode Fuzzy Hash: d10cd720391854a46bd8363232296400b140f184cffa177762215c88809d6f4c
Instruction Fuzzy Hash: 05514030E25619DFCB08CFA9D9425EDFBF7BB8D214F149426E406F7254D73589018B28

Uniqueness

Uniqueness Score: -1.00%

Function 02E12A38, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210984036.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc27124f270a232a87f921ebc743a86bcc0c586e41178760a3fae8e0b70422c
Instruction ID: f5073b44e30088107883a53e984a64d13875ad837e6af556c1812c8fe6d949dc
Opcode Fuzzy Hash: ddc27124f270a232a87f921ebc743a86bcc0c586e41178760a3fae8e0b70422c
Instruction Fuzzy Hash: A5310770D86228DFEB14DFA5E858BEDBBB1AF09305F54A42AE905B3280C7744985CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02E12A29, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210984036.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86158791e4434c92f691cb7f60a0e5daa0ea4726f5e55be54a3a18eb8c84e1d
Instruction ID: 20ec7b3cfa4a4d41c1b254938f5c5bbdca2fddc077c3fc087bd758368106fcb5
Opcode Fuzzy Hash: d86158791e4434c92f691cb7f60a0e5daa0ea4726f5e55be54a3a18eb8c84e1d
Instruction Fuzzy Hash: FD316B74D85228CFEB14DFA0E8587FDBBB1AF09204F14A47AE945B3280C7744985CF24

Uniqueness

Uniqueness Score: -1.00%

Function 016C7028, Relevance: 6.1, APIs: 4, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 016C7098
GetCurrentThread.KERNEL32 ref: 016C70D5
GetCurrentProcess.KERNEL32 ref: 016C7112
GetCurrentThreadId.KERNEL32 ref: 016C716B

Memory Dump Source

Source File: 00000000.00000002.210916846.00000000016C0000.00000040.00000001.sdmp, Offset: 016C0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 119c5b82b4e2c396b7c368517c7e88bcc87645e3c1d7996f2a1468f81c8c530c
Instruction ID: 12b8a63666794b1420bc6f8c27b2578535a27eed0627495372269a7f6b82c6f3
Opcode Fuzzy Hash: 119c5b82b4e2c396b7c368517c7e88bcc87645e3c1d7996f2a1468f81c8c530c
Instruction Fuzzy Hash: C55145B4A006498FDB14CFAADA487EEBBF1EF89314F24845DE019A7390D7345985CF25

Uniqueness

Uniqueness Score: -1.00%

Function 016C7038, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 016C7098
GetCurrentThread.KERNEL32 ref: 016C70D5
GetCurrentProcess.KERNEL32 ref: 016C7112
GetCurrentThreadId.KERNEL32 ref: 016C716B

Memory Dump Source

Source File: 00000000.00000002.210916846.00000000016C0000.00000040.00000001.sdmp, Offset: 016C0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: be9d98e1c8cba2e080003568b0e1de1e16451f421e724e9ef961a87dff4ef7b8
Instruction ID: 6f8c095e073aecbb6fc9e92954c1104fad277a08f508fc76044f0351c156d6ab
Opcode Fuzzy Hash: be9d98e1c8cba2e080003568b0e1de1e16451f421e724e9ef961a87dff4ef7b8
Instruction Fuzzy Hash: 7B5155B4A006098FDB14CFAACA487AEBBF1EF89314F24845DE019A7390D7345984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 016CC058, Relevance: 1.7, APIs: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 016CC2AE

Memory Dump Source

Source File: 00000000.00000002.210916846.00000000016C0000.00000040.00000001.sdmp, Offset: 016C0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b71a8b0d301679fef4ebe6b0e6c4f9732b5a735f2481d3dc65bab28077badeac
Instruction ID: 9d84cd1e5fdcc71afa0c6db4e046ed1b51a436a5e569d206e00e11bbeec371f7
Opcode Fuzzy Hash: b71a8b0d301679fef4ebe6b0e6c4f9732b5a735f2481d3dc65bab28077badeac
Instruction Fuzzy Hash: 4B812570A00B058FD724DF6AC8517AABBF1FF88614F00892DD59AD7B40DB35E94ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 016CE10E, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016CE22A

Memory Dump Source

Source File: 00000000.00000002.210916846.00000000016C0000.00000040.00000001.sdmp, Offset: 016C0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 24d9c95b5e7e2b0bc8e4cac372dd1d0e15b646201ad3f0b103e004f8bc00bc9d
Instruction ID: dc2c0a7785098fdc77fd699d695900f2f96cdb4417e3f4097306c9da2289638c
Opcode Fuzzy Hash: 24d9c95b5e7e2b0bc8e4cac372dd1d0e15b646201ad3f0b103e004f8bc00bc9d
Instruction Fuzzy Hash: 6551AFB1D102089FDB14CFA9C884ADEBFB1FF88714F24862EE419AB210D775A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 016CE118, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 016CE22A

Memory Dump Source

Source File: 00000000.00000002.210916846.00000000016C0000.00000040.00000001.sdmp, Offset: 016C0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c37b976555253803ef4e53e398901f17e8c3527f91fdd64d8591d27afd1e6671
Instruction ID: 9c56738ad8b285d8fa1147928f795ad7f9246e3bf1f3a67b4d6854ef8aa86bc1
Opcode Fuzzy Hash: c37b976555253803ef4e53e398901f17e8c3527f91fdd64d8591d27afd1e6671
Instruction Fuzzy Hash: 18419FB1D103099FDB14CF99C884ADEBFB5FF48714F24812AE819AB210D7759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E125E0, Relevance: 1.6, APIs: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02E125AD

Memory Dump Source

Source File: 00000000.00000002.210984036.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 889d5dc13935ae5472658fb860c87005f0e3ec5c54f6463cfc0993edb50e7659
Instruction ID: 1f0e24d6105d8c31f948ef700b5ce0acaffa6d5390f52dbd9ae48925dac0fe5e
Opcode Fuzzy Hash: 889d5dc13935ae5472658fb860c87005f0e3ec5c54f6463cfc0993edb50e7659
Instruction Fuzzy Hash: 72219FB5E402289FDB10CFA5E855BEEBBF1AF48318F108468D905B7280C7796D44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 016C7258, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016C72E7

Memory Dump Source

Source File: 00000000.00000002.210916846.00000000016C0000.00000040.00000001.sdmp, Offset: 016C0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 03a4322b69099c44278b80896f9779361da6044ccb4e44285e44df0588b9f603
Instruction ID: c6ffa084aec830cd965966492e96ea5c8ade0f7e18fdbbde3fd1fa46f353c010
Opcode Fuzzy Hash: 03a4322b69099c44278b80896f9779361da6044ccb4e44285e44df0588b9f603
Instruction Fuzzy Hash: 1B2105B5D002089FDB10CFA9D885AEEFFF5EB48324F14801AE954A7350C779A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 016C7260, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016C72E7

Memory Dump Source

Source File: 00000000.00000002.210916846.00000000016C0000.00000040.00000001.sdmp, Offset: 016C0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b59eab9ff9eb0164cf4e0cdabc6c63d1f103d3097f23505c581eeb4572b5ec1f
Instruction ID: a8d0d1652932d37d0d5bfbfec0bb0d9732388ee71ec2141afc16a759849ec45a
Opcode Fuzzy Hash: b59eab9ff9eb0164cf4e0cdabc6c63d1f103d3097f23505c581eeb4572b5ec1f
Instruction Fuzzy Hash: 4F21E4B59002099FDB10CFAAD884AEEFFF4EB48324F14801AE914A7310C778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E14402, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02E143B8

Memory Dump Source

Source File: 00000000.00000002.210984036.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 91ac5fbf48b002020a634ac535b390e5ee3485abd1469aef06b52a9d7fb7a7ba
Instruction ID: 5ac11f79cae164806959c4eadae322323b13bb2c6a950e3a9331a9fac710e366
Opcode Fuzzy Hash: 91ac5fbf48b002020a634ac535b390e5ee3485abd1469aef06b52a9d7fb7a7ba
Instruction Fuzzy Hash: 25110D7198424A8FCB10CFB9E8497DEBFF1AF04324F2581AAD054EB382C7785249CB91

Uniqueness

Uniqueness Score: -1.00%

Function 016CC4C8, Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,016CC329,00000800,00000000,00000000), ref: 016CC53A

Memory Dump Source

Source File: 00000000.00000002.210916846.00000000016C0000.00000040.00000001.sdmp, Offset: 016C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8848708491f6ca8b2ae965c438db361b77ede3f3c93cb22645106fdc3ddc6dc7
Instruction ID: 32521f5fe297105f615b700c619269febe4817e3939c2bfecde66662d3d8ae54
Opcode Fuzzy Hash: 8848708491f6ca8b2ae965c438db361b77ede3f3c93cb22645106fdc3ddc6dc7
Instruction Fuzzy Hash: EA2124B29002488FDB10CFAAD484AEEFFF4EB98320F14811ED559A7300C775A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 016CB480, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,016CC329,00000800,00000000,00000000), ref: 016CC53A

Memory Dump Source

Source File: 00000000.00000002.210916846.00000000016C0000.00000040.00000001.sdmp, Offset: 016C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 12cc48c7af44db20a4ac938881b0c4b497ded83a863c0c31999b94fd2a722c59
Instruction ID: dbcfaacb7ecfb6826ef97f2099030961d9ba6bc0ac04ca6c61e69546bdfa7f4c
Opcode Fuzzy Hash: 12cc48c7af44db20a4ac938881b0c4b497ded83a863c0c31999b94fd2a722c59
Instruction Fuzzy Hash: 1A11F2B29002088FDB10CF9AC844BEEFBF4EB98724F04842EE519A7300C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E1435A, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02E143B8

Memory Dump Source

Source File: 00000000.00000002.210984036.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c63b43ceba36d7fc5cfcb0a258d12ef97d2402713f1f94e3a74cf9d4448e11c0
Instruction ID: 6d7af6349a6f979284be9276239f998550f6554f3fc900fae3da426bb2df5628
Opcode Fuzzy Hash: c63b43ceba36d7fc5cfcb0a258d12ef97d2402713f1f94e3a74cf9d4448e11c0
Instruction Fuzzy Hash: CB1188B1900209CFCB10CF99D545BEEBBF0EF48324F14842AE558A7340C738A644CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E12548, Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02E125AD

Memory Dump Source

Source File: 00000000.00000002.210984036.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bd89646673999de921b87013f96d08724601d4e53927f8ef156c73a5d5496b4b
Instruction ID: 784e4f7d5f514b39dec1d51f58a1204a7466cd465272da7238397670165184ae
Opcode Fuzzy Hash: bd89646673999de921b87013f96d08724601d4e53927f8ef156c73a5d5496b4b
Instruction Fuzzy Hash: E611F5B59002589FDB10CF99D985BEFFBF8EB48324F14841AE955A7600C374A644CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 016CE358, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 016CE3BD

Memory Dump Source

Source File: 00000000.00000002.210916846.00000000016C0000.00000040.00000001.sdmp, Offset: 016C0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2468d3e98c7380c2935ed19927d403714dcd78f9b48ace3354b2f02640a425de
Instruction ID: 0065db95ca23992f40305ffa65c8067f3326e9028f9231fc4ba6915593c1e9fc
Opcode Fuzzy Hash: 2468d3e98c7380c2935ed19927d403714dcd78f9b48ace3354b2f02640a425de
Instruction Fuzzy Hash: 7E1133B58002088FDB10CF9AD885BEEFFF4EB88320F10851AD859A7300C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 016CC248, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 016CC2AE

Memory Dump Source

Source File: 00000000.00000002.210916846.00000000016C0000.00000040.00000001.sdmp, Offset: 016C0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e4de98814b557f4057b33070e771f563ed3625fe1730bfb0404e42fdc71443cf
Instruction ID: c651ace83dea2f9e3c6afcff8850d96fee399a98c1314cac8e2c418d74c22df7
Opcode Fuzzy Hash: e4de98814b557f4057b33070e771f563ed3625fe1730bfb0404e42fdc71443cf
Instruction Fuzzy Hash: E511DFB6D006498FDB10CF9AC844BEEFBF5EB88724F14841AD519A7700C779A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E14360, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02E143B8

Memory Dump Source

Source File: 00000000.00000002.210984036.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: acfa5f440ea3a914ba582bc234f71c7e0d58d94969bb932d46f869968aa15e6c
Instruction ID: 2ad7fb0fdf4d29d309bc2a9ce7c7444028f596728078da4202fefff38a53107b
Opcode Fuzzy Hash: acfa5f440ea3a914ba582bc234f71c7e0d58d94969bb932d46f869968aa15e6c
Instruction Fuzzy Hash: 831145B29002098FDB10CF9AC585BEEFBF4EF48324F10842AD958A7340C738A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 016CE360, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 016CE3BD

Memory Dump Source

Source File: 00000000.00000002.210916846.00000000016C0000.00000040.00000001.sdmp, Offset: 016C0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 248b2aa229e7952077f2e3f05c5c91172d5ae30c4928b405fee410a3a759e739
Instruction ID: 8729d5c14760e0f4304f9aabdef664c33b2b0edee97a110ff34b021adf1425e0
Opcode Fuzzy Hash: 248b2aa229e7952077f2e3f05c5c91172d5ae30c4928b405fee410a3a759e739
Instruction Fuzzy Hash: 6711D3B59002099FDB10CF9AD985BEEFBF8EB48724F10841AD959A7740C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E12550, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02E125AD

Memory Dump Source

Source File: 00000000.00000002.210984036.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ecac643386cca25fb20ec3ca27e75c536bc2cb1602821cc5d252525f6a433ad6
Instruction ID: 69b9ba9b8a01483e4adef3bfc432c9def48b0b5faa4365141f5ee6742b2be826
Opcode Fuzzy Hash: ecac643386cca25fb20ec3ca27e75c536bc2cb1602821cc5d252525f6a433ad6
Instruction Fuzzy Hash: 5C11E2B59003599FDB10CF9AD985BDEFBF8EB48324F10841AE955A7340C375AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05A3FCA0, Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

Tj0, xrefs: 05A3FCEB

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID: Tj0
API String ID: 0-759164159
Opcode ID: f000959897ca9794bf2df325d47ae3cd22d2c586b546e256a21815a56dabf9f3
Instruction ID: f347819b0c16fbc396ef7b0bfe7264f8307955ed5d1e8354e14f9d742df38ab8
Opcode Fuzzy Hash: f000959897ca9794bf2df325d47ae3cd22d2c586b546e256a21815a56dabf9f3
Instruction Fuzzy Hash: AA710674E142099FDF14DFA9D9569AEBBB2FF88310F10812AE816AB354DB345902CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A3FBB0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4ff15d7fee262fa2599e2cb34fc7215cc7a5e837188298cc828eed411cfa62b
Instruction ID: aa998fabafdc9120a51526b2a3f88759ff98e503aa22e59cbb20b2e8552e7f1b
Opcode Fuzzy Hash: c4ff15d7fee262fa2599e2cb34fc7215cc7a5e837188298cc828eed411cfa62b
Instruction Fuzzy Hash: C3E08C30D0530CDFCB08EFB4D10569EBBB9EB40309F1082AAC80493300D7354A15CB80

Uniqueness

Uniqueness Score: -1.00%

Function 05A3EDA8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2e138afb65f6261d64fcf9e6855cfb68210e503f36a9720aa8541fe0ef9d49
Instruction ID: 0da6aec463f23c9babc16de46b3ef089426d7b984837d50b9dae0e033d1eb4b5
Opcode Fuzzy Hash: 1c2e138afb65f6261d64fcf9e6855cfb68210e503f36a9720aa8541fe0ef9d49
Instruction Fuzzy Hash: 62E0EC70D1520CAFCB44EFB9D54679DBBF8AB04245F1085AA9818E3340EB345A04CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05A3F610, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1ecee9bb31040e67691dcc2e8884e95a4a55e54e35cbf19f783d74cc6f8a28
Instruction ID: 087ace074788afae3d8b0d7c671fcb89d64c4263aaff36b617291a14f8f26724
Opcode Fuzzy Hash: 7e1ecee9bb31040e67691dcc2e8884e95a4a55e54e35cbf19f783d74cc6f8a28
Instruction Fuzzy Hash: C8D01234D1520CAFCB48DFB9E50569DBBB4AB44305F10C6A9D91863244D7345945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 05A3FB28, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6256a7b71450f9a7624d34df5b3368e2731d4c2e1bc1bd0d024627eda259fdf8
Instruction ID: 24cd5a3d7ce515ba49dc7a9e8809961c1e903fb2ac8ec67b9639c6f13f1b731b
Opcode Fuzzy Hash: 6256a7b71450f9a7624d34df5b3368e2731d4c2e1bc1bd0d024627eda259fdf8
Instruction Fuzzy Hash: D7D05E70D1520CDFCB40EFF8950A78DBFF4AB04209F1045A9D948D3200E6344A548791

Uniqueness

Uniqueness Score: -1.00%

Function 05A3F278, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ca994a4a7e02fefecd90281c82ffb670cec115a91e98a08818c9a2067787c3
Instruction ID: 058fb1148009cd8ca4ddfeecc2c3643f37319b2b103bb6bd12ca7b2b18f72788
Opcode Fuzzy Hash: 76ca994a4a7e02fefecd90281c82ffb670cec115a91e98a08818c9a2067787c3
Instruction Fuzzy Hash: 8ED0A734C2620CDFC714EFF8E50979EBFB4E701206F0041B9D90893240EB354955C781

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05A33610, Relevance: 2.8, Strings: 2, Instructions: 302COMMON

Download Yara Rule

Strings

E+sv, xrefs: 05A337C9
E+sv, xrefs: 05A337D0

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID: E+sv$E+sv
API String ID: 0-3339484794
Opcode ID: 9502cfc122252f42f89a9bd5f414a98734327bc1745d99bb123ccc92c32d451b
Instruction ID: 4f7adb20e22fa2f216f72cc38b621a552405ed108cf78a1bee201d51cb401dfb
Opcode Fuzzy Hash: 9502cfc122252f42f89a9bd5f414a98734327bc1745d99bb123ccc92c32d451b
Instruction Fuzzy Hash: 41D14F74D0920ADFCB44CFAAC4818AEFBB2FF88345B149966E415AB314D734DA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05A34468, Relevance: 2.7, Strings: 2, Instructions: 190COMMON

Download Yara Rule

Strings

%fh, xrefs: 05A346B3
%fh, xrefs: 05A346BA

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID: %fh$%fh
API String ID: 0-1624941799
Opcode ID: 239ab00dee4dd40cc4ca1fe04b6f6ba5f93b9852f41a086a0ee3df92380bde2b
Instruction ID: 1b309b577e6b92bf4bd2dcc0050cbdc7010a9c30f4db9cd0457be9b128d57c61
Opcode Fuzzy Hash: 239ab00dee4dd40cc4ca1fe04b6f6ba5f93b9852f41a086a0ee3df92380bde2b
Instruction Fuzzy Hash: E081F274E14209CFCB44CF99C6859AEFBF2FF88214F249569E415AB324D334AA42CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05A34458, Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

%fh, xrefs: 05A346B3
%fh, xrefs: 05A346BA

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID: %fh$%fh
API String ID: 0-1624941799
Opcode ID: ade2cf97ca127b196e946d8fc48538913dc844c64538d9fbdc6c0a2eeaf8eb89
Instruction ID: 148494a57b080c49fa3fe4a9c4deaf6f3d2bf69f5482295bfde1dd96b5c8b24a
Opcode Fuzzy Hash: ade2cf97ca127b196e946d8fc48538913dc844c64538d9fbdc6c0a2eeaf8eb89
Instruction Fuzzy Hash: 0381F374E15209CFCB44CFA9D5859AEFBF1FF88214F248566E415AB324D334AA42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05A39948, Relevance: 2.6, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

=`@, xrefs: 05A39B52
}{2, xrefs: 05A399F7

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID: =`@$}{2
API String ID: 0-1980931978
Opcode ID: 56a71eac795b10723180d733b7c5016da8b3ead9e0e1cb0f6994b2d996ab11f2
Instruction ID: 0dc3a391d2138a59750c5045e12ad16c1500fe5ca43634a536539a31fc33ea9b
Opcode Fuzzy Hash: 56a71eac795b10723180d733b7c5016da8b3ead9e0e1cb0f6994b2d996ab11f2
Instruction Fuzzy Hash: C3512970E012199FDF18CFAAD981AAEFBB2FF88204F10C16AE519A7354DB705D418F51

Uniqueness

Uniqueness Score: -1.00%

Function 05A33519, Relevance: 1.6, Strings: 1, Instructions: 361COMMON

Download Yara Rule

Strings

E+sv, xrefs: 05A337D0

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID: E+sv
API String ID: 0-81928238
Opcode ID: 0413385b7941b537f7807afa1c26212d23dbb040cada12f237258a6dc9505e5a
Instruction ID: 87bd9d43fb7a997232e93ef80aaa7c86ee7bd2a7b9a9941b1cc1fa116faeba7b
Opcode Fuzzy Hash: 0413385b7941b537f7807afa1c26212d23dbb040cada12f237258a6dc9505e5a
Instruction Fuzzy Hash: 47F16D74D0920ADFCB04CFAAC4869AEFBB2FF89305B149966E411AB315D734D946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E106E0, Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

'd:, xrefs: 02E10735

Memory Dump Source

Source File: 00000000.00000002.210984036.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Similarity

API ID:
String ID: 'd:
API String ID: 0-746371006
Opcode ID: 70db33bdaee3555cda31db3423c7b1fc54ba18642fec2943ac2497968cdc5c2b
Instruction ID: d959e33eb620beabe3bbc7caf039cef9385d249fca9ae973b6ebbac9b95730ad
Opcode Fuzzy Hash: 70db33bdaee3555cda31db3423c7b1fc54ba18642fec2943ac2497968cdc5c2b
Instruction Fuzzy Hash: 34A10774E54209CF9B04DFEAD5818EEFBB2AF89300F20E42AD915AB254D7349942CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05A31769, Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

Nw, xrefs: 05A31A11

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID: Nw
API String ID: 0-2003627335
Opcode ID: 53edc580c32d8596b9d3d361a06d694cfc941b024565d6eb65809b4ddf12d136
Instruction ID: 79a06d9fd95768bf5f224edaa5e4715be137f9ea6670bf9396b6673cdf32581e
Opcode Fuzzy Hash: 53edc580c32d8596b9d3d361a06d694cfc941b024565d6eb65809b4ddf12d136
Instruction Fuzzy Hash: DDB1E870E1121A9FCB44DFA5D8809DDFBB2FF88314F108A66E515AB259DB34AD46CF80

Uniqueness

Uniqueness Score: -1.00%

Function 05A31778, Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

Nw, xrefs: 05A31A11

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID: Nw
API String ID: 0-2003627335
Opcode ID: e20e94657b690aa3722c4aa89b78217c68af424e7729a59fb52c0bc2fcaccec0
Instruction ID: 9d3a6ec7c544ac4ba8ae21ef9e24f2121c18957f346b1404bdd5ec89706e74e2
Opcode Fuzzy Hash: e20e94657b690aa3722c4aa89b78217c68af424e7729a59fb52c0bc2fcaccec0
Instruction Fuzzy Hash: B3B1D770E1121A9FCB44DFA9D8809DDFBB2FF88314F108625E515AB259DB34AD46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E106D0, Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

'd:, xrefs: 02E10735

Memory Dump Source

Source File: 00000000.00000002.210984036.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Similarity

API ID:
String ID: 'd:
API String ID: 0-746371006
Opcode ID: 6015aed2c51ead8c9addd20dc70fc22663ffd4de90654c5d96da5bb525de8f6d
Instruction ID: 661367dba4ff442b8edd9d96f1d21be7e56081f8e22d8476404d66b7934b757f
Opcode Fuzzy Hash: 6015aed2c51ead8c9addd20dc70fc22663ffd4de90654c5d96da5bb525de8f6d
Instruction Fuzzy Hash: D1A10774E44209CFDB04DFEAD5818EEFBB2AF89300F20E42AD515AB254D7349A52CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05A3A7F0, Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

Ea|, xrefs: 05A3A9A9

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID: Ea|
API String ID: 0-3910221324
Opcode ID: 0b428176760ac0080f555679045c07bd0e3881c986659df918d789be1ae65825
Instruction ID: e160aa64ba9a6eff8c346d7514f00d3902eb3b3cd60820f2fe383a2accc8f9d1
Opcode Fuzzy Hash: 0b428176760ac0080f555679045c07bd0e3881c986659df918d789be1ae65825
Instruction Fuzzy Hash: B4A1E474E052298BCB04CFEAC5859AEFBF2BF88314F14C569E459A7254E7349942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05A3C198, Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

>b. , xrefs: 05A3C1FE

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID: >b.
API String ID: 0-1250584100
Opcode ID: 91fd0ae05d5095d4d301889b54d42a0e3c3a11a958fc171894b4ca7630a77a4b
Instruction ID: 980de975e005d3d7ac88d368cfe840c82f06dd773c9c7926ae75cae433bdd065
Opcode Fuzzy Hash: 91fd0ae05d5095d4d301889b54d42a0e3c3a11a958fc171894b4ca7630a77a4b
Instruction Fuzzy Hash: A9A14A74E05219DFCB14CFA6C991AAEFBB2BF88214F24816AE518B7315D7309E41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A35048, Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

|%j, xrefs: 05A35265

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID: |%j
API String ID: 0-2862962489
Opcode ID: c8ccbb8a563ffe3cbda6b36ce0a61ca03959ce84af0201488905d21624b720da
Instruction ID: b573ce7e69b4dbe7ff926ac22cc4fdd149d6854932e2c571889ec58b165e6a59
Opcode Fuzzy Hash: c8ccbb8a563ffe3cbda6b36ce0a61ca03959ce84af0201488905d21624b720da
Instruction Fuzzy Hash: 2471E5B4E1520ADFCB04CFA9D5819AEFBB2FF89314F148569E415AB314D730A942CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05A35039, Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

|%j, xrefs: 05A35265

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID: |%j
API String ID: 0-2862962489
Opcode ID: c479dfe08e38b0be2842c661d88bffb119c2f028c0ab315765576ab14b898882
Instruction ID: 28488455d09717edd26b3af970761fe5976971193e7f4d10f08b6e9efebfd691
Opcode Fuzzy Hash: c479dfe08e38b0be2842c661d88bffb119c2f028c0ab315765576ab14b898882
Instruction Fuzzy Hash: 9B6105B4E1520ADFCB04CFA9C5829AEFBB2FF89314F148566E515A7314D334A982CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05A31D28, Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

E{[, xrefs: 05A31E33

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID: E{[
API String ID: 0-4231426492
Opcode ID: 51462edb87362071955111e94010aff852732c71afa6a7abde05662a85c09ff9
Instruction ID: 146a8ee6d1aa6818769155a243fd301ea59b798ce57adcc9f58fcf99b32c327e
Opcode Fuzzy Hash: 51462edb87362071955111e94010aff852732c71afa6a7abde05662a85c09ff9
Instruction Fuzzy Hash: 23515B74E0460A8FCB08CFA6C9459EEFBF2FF89304F24C56AE419A7255D7349A41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05A31D38, Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

E{[, xrefs: 05A31E33

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID: E{[
API String ID: 0-4231426492
Opcode ID: 21c64f39bc5f3560eafe168a5250fb4a614f7396b8d0583f32537a01d5b4c459
Instruction ID: 84846e941dfcc6e9f3c9a9dc2363e7f335c8f3d199cec0cac3b55cd8aee6fa38
Opcode Fuzzy Hash: 21c64f39bc5f3560eafe168a5250fb4a614f7396b8d0583f32537a01d5b4c459
Instruction Fuzzy Hash: 61512874E046098FCB08CFAAC541AAEFBF2FF89305F24C42AE419B7254D7349941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05A32040, Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

`(3f, xrefs: 05A3208C

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID: `(3f
API String ID: 0-2089197082
Opcode ID: 6f4c2a2c9747e30cc266fd83e2e74230ec0607cd5ed84eedfad725422e435b76
Instruction ID: 35014b30380666175978613b36aa160f0e8d12482fc628d08bb8a9f9e64ace73
Opcode Fuzzy Hash: 6f4c2a2c9747e30cc266fd83e2e74230ec0607cd5ed84eedfad725422e435b76
Instruction Fuzzy Hash: 155127B4E0420A9FCB44CFA9D5819AEFBF2FF89304F1485AAE815A7354D7349A42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A356D2, Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

-OW?, xrefs: 05A357E7

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID: -OW?
API String ID: 0-1262912684
Opcode ID: aa4173c27d0c85865634fc79870b3e2247eb9bcf6e530d8b686fb96c3aa5ff9c
Instruction ID: 44baadb8eff3da947cee7e39cec2f193aa356fe22d0cb00f19eef06ccb937315
Opcode Fuzzy Hash: aa4173c27d0c85865634fc79870b3e2247eb9bcf6e530d8b686fb96c3aa5ff9c
Instruction Fuzzy Hash: 6A410774E0560ADFCB08CFAAC4819EEFFF2AF88214F14C56AE415A7250D6349A46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05A356E0, Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

-OW?, xrefs: 05A357E7

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID: -OW?
API String ID: 0-1262912684
Opcode ID: a1df910e118af988232fa759bc7c07d3d7c5c5efd23f3d8ddccf429468f47b6e
Instruction ID: ea82dd8e43c6f2643ebb066668c253d40758e9f85fe02809cdfd596cdff161df
Opcode Fuzzy Hash: a1df910e118af988232fa759bc7c07d3d7c5c5efd23f3d8ddccf429468f47b6e
Instruction Fuzzy Hash: 9E41D474E0520ADBCB48CFAAC5859EEFBF2BB88314F14C52AE415B7204E7349A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 016CC750, Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210916846.00000000016C0000.00000040.00000001.sdmp, Offset: 016C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f6e59269610bd67cd786eb2c27daf3e28d5dc4bb17a2425397ba9307c0ab341
Instruction ID: 7ce1583641424e0878a5da6d4714a8e5547a88efeab8319204ce77cc19847565
Opcode Fuzzy Hash: 0f6e59269610bd67cd786eb2c27daf3e28d5dc4bb17a2425397ba9307c0ab341
Instruction Fuzzy Hash: E45276B95007468FD720CF18EC981993BF1FB4132CB906309DA636F699D3B464AACF84

Uniqueness

Uniqueness Score: -1.00%

Function 00A7264C, Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210322904.0000000000A72000.00000002.00020000.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000000.00000002.210318858.0000000000A70000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210413304.0000000000B32000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210417621.0000000000B34000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210423322.0000000000B38000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210434700.0000000000B48000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.210446585.0000000000B50000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dabdc258bb52ac04b87a043a2e4de01c583b562a5bb0506d6d885e5826c7d78c
Instruction ID: 53ea60dc3aed94f02b67638204383354727e5f8803d97a39352b4dcea1462096
Opcode Fuzzy Hash: dabdc258bb52ac04b87a043a2e4de01c583b562a5bb0506d6d885e5826c7d78c
Instruction Fuzzy Hash: 6402436104F3C26FD32B5B744C655A27FB5AE9721430E85CFD4C0DF0A3D268499AD7A2

Uniqueness

Uniqueness Score: -1.00%

Function 016C9948, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210916846.00000000016C0000.00000040.00000001.sdmp, Offset: 016C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca072c014dfe4f1c3231032f94e84eb4a1ef90f97ce69d003fff682f350f35e
Instruction ID: b944000bd3b7ae39e05c31528d03c11169794ae3a3f11259e507ba6effd02c1e
Opcode Fuzzy Hash: 7ca072c014dfe4f1c3231032f94e84eb4a1ef90f97ce69d003fff682f350f35e
Instruction Fuzzy Hash: 24A17E32E0021A8FCF15DFA9CC449EEBBB2FF85740B15856EE905BB221DB35A955CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05A31480, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c9da44632761c1a84d4e4bdbea5a492cef0e6599cd5ba23c6b0bc3a54a90e2
Instruction ID: 4324f8a982f3c8fa045155831de7c75df7eee8b83751bd9cb5f6aac043e81463
Opcode Fuzzy Hash: 44c9da44632761c1a84d4e4bdbea5a492cef0e6599cd5ba23c6b0bc3a54a90e2
Instruction Fuzzy Hash: 1691D474E142098FCB08CFE9C885ADEFBB2EF89304F24942AE516BB254D7349946CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A3AC70, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfecd9449204ea56f74a206b2f5a5ee1b8ae8997abc62dc7d7e6b53bb5e18705
Instruction ID: ca6e7129f0b5e13f54b31cd94da95ceccc9355cefe7a634463d9a12a675ff5c2
Opcode Fuzzy Hash: bfecd9449204ea56f74a206b2f5a5ee1b8ae8997abc62dc7d7e6b53bb5e18705
Instruction Fuzzy Hash: 48611B74E0521A9FCB04CFEAC486AEEFBB2BB88314F14D425E555A7354D73499428FA0

Uniqueness

Uniqueness Score: -1.00%

Function 05A32198, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eedbb254a57648c2bee3bc1234453a273c989cc320a47de8385efeefae27667
Instruction ID: 032f7a1be576bc904fda502a6666f1ef98269cf7d05cc3f9aa4e3a0681b8f68a
Opcode Fuzzy Hash: 0eedbb254a57648c2bee3bc1234453a273c989cc320a47de8385efeefae27667
Instruction Fuzzy Hash: 78611579E0520ADBDB04CF99D981AEEFBB2FF88314F108529E515A7314D734AA42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05A358D8, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24a6225d1a82276c58d3801664b0e6c5356acd28e3059eaf134b839b1ed47aa
Instruction ID: 5208e8075e39dd1db9274acb6e973d4c8f716513c860f0b0d9ce6b45016670a1
Opcode Fuzzy Hash: b24a6225d1a82276c58d3801664b0e6c5356acd28e3059eaf134b839b1ed47aa
Instruction Fuzzy Hash: A8612571E1521ADFCB04CFA9D9819EEFBF2BF88214F14952AE419B7224E3349A01CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A32189, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93cdbb00446809d59879ad053c521509120ee614223f78f53e922befaeb1f114
Instruction ID: 328431259ce48f642074bd6bd1ffd5651bbddaa8289ed611cd0712304ae30be5
Opcode Fuzzy Hash: 93cdbb00446809d59879ad053c521509120ee614223f78f53e922befaeb1f114
Instruction Fuzzy Hash: F3614779E0520ADFDB04CF99D981AEEFBB2FF88314F14852AE515A7210D7349A42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05A358E8, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846f16123109ddfcbba8dc2847c0fac0751541a3be66ce5915cc9d5b8b0e4e22
Instruction ID: 8099983fd15684c6a71b118c1ed1ae4978bfd7a2e3d0d9272aaa992c8ea0ed69
Opcode Fuzzy Hash: 846f16123109ddfcbba8dc2847c0fac0751541a3be66ce5915cc9d5b8b0e4e22
Instruction Fuzzy Hash: 85611470E15219DFDB04CFAAD9819EEFBF2BF88214F14852AE415B7214E3349A01CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02E10B70, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210984036.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78982a651771950c5fa7d4cf22031f91069bd666597c205ac477a3e74931fdcb
Instruction ID: f73a423ce9e07ffd868ee0d9a13b5f822b1b30264bc788ff6d70bc31ee9d8ebb
Opcode Fuzzy Hash: 78982a651771950c5fa7d4cf22031f91069bd666597c205ac477a3e74931fdcb
Instruction Fuzzy Hash: 37511671E44629CBDB28CF6AC8447E9F7B6AFC9301F10D5BA950EA6214EB305A85CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05A35B38, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11659593178e6f44cfdfb854636d224e69359b5472457afd67f0501457de6ed7
Instruction ID: 5d00bc72340426a2320cfa90e982dac2bd376ccaca94bee7918390a1b2b094ce
Opcode Fuzzy Hash: 11659593178e6f44cfdfb854636d224e69359b5472457afd67f0501457de6ed7
Instruction Fuzzy Hash: 8E41FB70E0520A9FCB04CFAAC5819AEFFF2FF89204F24C56AD515B7254E7359A41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05A35B48, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab74d2d6933db997e65630879b63dda37681a70fca11d8206d4869f5808fc5e
Instruction ID: 561fc043fc86b0d65f9718bfc949de05773ac96485b06ee40f270aedf330ac95
Opcode Fuzzy Hash: 4ab74d2d6933db997e65630879b63dda37681a70fca11d8206d4869f5808fc5e
Instruction Fuzzy Hash: B041CBB0E0560ADFCB44CFAAC5819AEFBF2BF89204F24D56AD505B7214E7349A41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05A36808, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ed1607a4938d3dc6cb11ba9a82e09f10781deb8af0dbdec73724663dd7d274
Instruction ID: 57ac9687f47622ead8b772715a3b7795cd4a0a18ed420d21d8875b874a39c999
Opcode Fuzzy Hash: 80ed1607a4938d3dc6cb11ba9a82e09f10781deb8af0dbdec73724663dd7d274
Instruction Fuzzy Hash: B6415C71E156188BEB28CF6B8D4569EFBF3BFC8301F14C1BA950CA6214DB300A868E11

Uniqueness

Uniqueness Score: -1.00%

Function 02E13FC8, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210984036.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1374fc1415640b36dab6ba4c4301fe80f53c52b7d78418540ce3d7728dbf7cf
Instruction ID: 3e17f0510c8d1e44f39c4b5ca9d433fc4f80c0c66efc47ba7e5d3cdf48a09f55
Opcode Fuzzy Hash: c1374fc1415640b36dab6ba4c4301fe80f53c52b7d78418540ce3d7728dbf7cf
Instruction Fuzzy Hash: 41319C34A85128DFDB10CFA6E854BEDBBF1AB4A315F10A479E005B7381C7758984CB55

Uniqueness

Uniqueness Score: -1.00%

Function 05A36805, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 390c3cc9851e4a899f221a179fec42a67720d2a607496f369adcb9adfc81db6e
Instruction ID: 2f7fd9997b7b5712664e1f68fdb63ffce6a6b71417d228a12b4cd6b2097dcbec
Opcode Fuzzy Hash: 390c3cc9851e4a899f221a179fec42a67720d2a607496f369adcb9adfc81db6e
Instruction Fuzzy Hash: 4D412DB1E156188BEB58CF6B8D4579EFAF3AFC8301F14C1BA950DA6215DB3409458E01

Uniqueness

Uniqueness Score: -1.00%

Function 02E10B5F, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210984036.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cba9fa3b3b1a4042c2b8147c10109c2d2f318111cb1e6ac2367835c7b32384a
Instruction ID: ff3f9eb6ac5104179f050fa3f49a8240c70f768aca20541869c349bf4f2ef357
Opcode Fuzzy Hash: 7cba9fa3b3b1a4042c2b8147c10109c2d2f318111cb1e6ac2367835c7b32384a
Instruction Fuzzy Hash: F0313D75E452289BDB28CFA7D8046DEBBB2ABC8315F14C5BAC90D76254DB300A85CF01

Uniqueness

Uniqueness Score: -1.00%

Function 02E13FD8, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210984036.0000000002E10000.00000040.00000001.sdmp, Offset: 02E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc276eaa104535d68721e48fec2af6e4494786944d227bbf7fd123f0e41bf593
Instruction ID: afc668f62a4beda235ed6af36bd3e15979ba31487a028d575316a5d521feeffd
Opcode Fuzzy Hash: fc276eaa104535d68721e48fec2af6e4494786944d227bbf7fd123f0e41bf593
Instruction Fuzzy Hash: 93312670D85218DFDB14CFA6D858BEEBAF5AB0A305F10A43AD006B3381C7758984CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 05A32730, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28aad374a168783f948f9a2c7a74af221961203d24ceecae73adc40b9bde4dfe
Instruction ID: 1c2163bc18b7c0470ae716cc579f0005db705025277cf55cf47675b5e3096d19
Opcode Fuzzy Hash: 28aad374a168783f948f9a2c7a74af221961203d24ceecae73adc40b9bde4dfe
Instruction Fuzzy Hash: C131F271E006188BDB18CFABD9446DEFBF3AFC8311F14C16AE509A6258DB345A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05A32720, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f731dfe6a89ef4ff0c20e62a9e3a26d03a66a94bcb0b47920660ee7529a74910
Instruction ID: 045817b3eefa7dc2f46f0971e6f29abd4e63e57358dc68a4aa42183eda863883
Opcode Fuzzy Hash: f731dfe6a89ef4ff0c20e62a9e3a26d03a66a94bcb0b47920660ee7529a74910
Instruction Fuzzy Hash: 8521C5B1E056589BEB18CFABC9447DEFFF3AFC8300F14C16AE409A6258DB7449468B50

Uniqueness

Uniqueness Score: -1.00%

Function 05A39F50, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01b8da9ed7bc9c56bd8752aec92994d3b94d63926487d4e28ce19c56c37daca
Instruction ID: 96cc7008e12cd87d5adb9a7216d514a81820417ea51de9aca0824af0c744895c
Opcode Fuzzy Hash: c01b8da9ed7bc9c56bd8752aec92994d3b94d63926487d4e28ce19c56c37daca
Instruction Fuzzy Hash: 77115671E116189FDB08CFABD941AEEFBF7BBC8200F14C03AE508A7214DB304A028B51

Uniqueness

Uniqueness Score: -1.00%

Function 05A30930, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcccd470639791fc4ab217a843b5655e0fdd4786fb181a38cb1a66077b9f2248
Instruction ID: 8f598629814a903296ee7294267d4204a35997432b70ede737069f04727c1f85
Opcode Fuzzy Hash: fcccd470639791fc4ab217a843b5655e0fdd4786fb181a38cb1a66077b9f2248
Instruction Fuzzy Hash: 6A11DA71E146189BEB58CFABD8446DEFBF7AFC8200F04C47AD918A6214EB3045468F51

Uniqueness

Uniqueness Score: -1.00%

Function 05A35D40, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12abb28d6b31cb662826de532ed196d2f43c010cf0b088657aa4cd66d5ba97f4
Instruction ID: 2d74ec49413b9c0edcb64dbb277481b136222782b3de79dfc1c9d88f0fa6f298
Opcode Fuzzy Hash: 12abb28d6b31cb662826de532ed196d2f43c010cf0b088657aa4cd66d5ba97f4
Instruction Fuzzy Hash: C611E971E056189BEB4CCFABD8416DEFBF7AFC8204F04C17AD918A6218EB3406468F55

Uniqueness

Uniqueness Score: -1.00%

Function 05A35D31, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b70acad0f9e82d22b5c67f2790b779afcd67992d311291a78fe576053e7a3d
Instruction ID: fe641bf0368ac697b960c20872d19f925b8872243f03bb1cee4adc73c0a302ba
Opcode Fuzzy Hash: 85b70acad0f9e82d22b5c67f2790b779afcd67992d311291a78fe576053e7a3d
Instruction Fuzzy Hash: 9621CC71E056589BEB1CCF6BD8456DEFBF3AFC8204F08C17AD818A6258DB3405468F51

Uniqueness

Uniqueness Score: -1.00%

Function 05A30920, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213845436.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3825b3b882fedab557d5a999f229b95f7f2a91ddffc5c81a815f63707dd4bcd0
Instruction ID: 4c826aa3198df6874fc44a7f186a5afc6ecf5d73afa31d5e8f990988f289b93a
Opcode Fuzzy Hash: 3825b3b882fedab557d5a999f229b95f7f2a91ddffc5c81a815f63707dd4bcd0
Instruction Fuzzy Hash: 1D11FEB1E116189BEB48CFAB89056DEFBF7AFC8200F04C076D508B6254EB3045418F51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 3352 Parent PID: 3888 RegSvcs.exeCOMMON

Executed Functions

Function 00BAE018, Relevance: 2.3, APIs: 1, Instructions: 760libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BAE7A0

Memory Dump Source

Source File: 00000004.00000002.464558623.0000000000BA0000.00000040.00000001.sdmp, Offset: 00BA0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154cc1e7c90c64601802266559dcd720a7b4fbf8b4c53e006bd8ac164fb198f7
Instruction ID: ef3023a99437da89d7d6e812cc410761e4b48f968d7bc6300ab32d49bf0819e9
Opcode Fuzzy Hash: 154cc1e7c90c64601802266559dcd720a7b4fbf8b4c53e006bd8ac164fb198f7
Instruction Fuzzy Hash: 1F620B70E007198BDB64EF78C8946DEB7F1AF89300F1086A9D54AAB354EF31AD85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2D50, Relevance: .9, Instructions: 911COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f84a5c0804e205883166c14dfd808a149152bd4ad9b4bfaa3666739b71def81
Instruction ID: f626391044ed6c16c8f7f98c4707b477291b6defe37fb6ddb22ca60d016595c2
Opcode Fuzzy Hash: 0f84a5c0804e205883166c14dfd808a149152bd4ad9b4bfaa3666739b71def81
Instruction Fuzzy Hash: F1821730A002099FCB14CF69C584EAEBBF2FF49714F55C599E54AAB261DB30EE41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BCA720, Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b928c8871e8b5f5a3ff8cac3e199a6584ac4c1cb2aaf44d25d9300ab795b1f45
Instruction ID: c01d07eb76c44d4651755286af9047f6410438ebeff151690937517a6f64ebce
Opcode Fuzzy Hash: b928c8871e8b5f5a3ff8cac3e199a6584ac4c1cb2aaf44d25d9300ab795b1f45
Instruction Fuzzy Hash: 36425C30B002098FDB149BB8D894BAE77F2EF89308F258569E506DB395DB35DC468B51

Uniqueness

Uniqueness Score: -1.00%

Function 00BCB060, Relevance: .7, Instructions: 663COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b6f317f52a9559510ebb39db87ef1ecf8ca68c9a472252da6145442e2685dce
Instruction ID: d429e544ebf051dce1125d64b56028bdcc02c4845c6fe545710d437e20e9e624
Opcode Fuzzy Hash: 2b6f317f52a9559510ebb39db87ef1ecf8ca68c9a472252da6145442e2685dce
Instruction Fuzzy Hash: 6442AF70E002488FEB24DBA8C495FADB7F2EB86304F1485ADD549AF295CB74DC85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BC1FF0, Relevance: .5, Instructions: 512COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274a40c11f45d87596f9715eb6362019031cf80136e30b0f0d429d1d7a965812
Instruction ID: e0d1f691d606795491b7b752d036c2d494b57ef05c15519891509d5ba705ba00
Opcode Fuzzy Hash: 274a40c11f45d87596f9715eb6362019031cf80136e30b0f0d429d1d7a965812
Instruction Fuzzy Hash: AB125A70A002199FDB14DFA9C894BAEBBF6FF88304F148569E906DB391DB349D45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BCDEC6, Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3064a619a31d59e8c6fae8fdd76e5be5af30c5d816d60ad1903502ebc6022a7f
Instruction ID: 6ce4df12b24868589f610aca6092059f639f036083584acfcc7669144d9e1c3e
Opcode Fuzzy Hash: 3064a619a31d59e8c6fae8fdd76e5be5af30c5d816d60ad1903502ebc6022a7f
Instruction Fuzzy Hash: D70224B1E04255CBC710DBB4849ABAD77E2DFA4208F0581EDC959DB382EB34CD46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2768, Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a008df60995fb5cf0f7e18b39a61b3e67e4f862dfc9083efc32c1d7e99ced775
Instruction ID: 25415c8e01965fe1ba491efb87508993e75161b59747b20a31229ffd68af8516
Opcode Fuzzy Hash: a008df60995fb5cf0f7e18b39a61b3e67e4f862dfc9083efc32c1d7e99ced775
Instruction Fuzzy Hash: EDE1E575A00119DFCB24CFA9C984EADBBF2FF88315F1581A9E915AB261DB30EC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 010B6B50, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 010B6BB0
GetCurrentThread.KERNEL32 ref: 010B6BED
GetCurrentProcess.KERNEL32 ref: 010B6C2A
GetCurrentThreadId.KERNEL32 ref: 010B6C83

Memory Dump Source

Source File: 00000004.00000002.465825322.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: dacb1c3dec876a3d6fcd536117e1a352b39b501968adb7eab1a3e9dc7c8cec23
Instruction ID: 245ea01d4e66a17d584d8d250bff1178f5803047b1b7519ad61d0ca3b9fdf12b
Opcode Fuzzy Hash: dacb1c3dec876a3d6fcd536117e1a352b39b501968adb7eab1a3e9dc7c8cec23
Instruction Fuzzy Hash: EB5147B0E006499FDB94CFAAC688BEEBBF0EF48314F208599E249A7350D7755944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00BB8330, Relevance: 1.7, APIs: 1, Instructions: 207libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BB83C1

Memory Dump Source

Source File: 00000004.00000002.464579345.0000000000BB0000.00000040.00000001.sdmp, Offset: 00BB0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 75e08eda62b223c5b0b7e4943ec678f792dd278bfe7780919c72f939ad65d9fa
Instruction ID: 1d2c2f90eeb30f32cc95b4b45625634ca15b8eda9f93ad3a968288735734c3c9
Opcode Fuzzy Hash: 75e08eda62b223c5b0b7e4943ec678f792dd278bfe7780919c72f939ad65d9fa
Instruction Fuzzy Hash: E2716C70A003099FDB24AFB5D4587EEBBF6AF94308F208469E446A7394DF799C05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BB50F8, Relevance: 1.7, APIs: 1, Instructions: 174libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00BB51A9

Memory Dump Source

Source File: 00000004.00000002.464579345.0000000000BB0000.00000040.00000001.sdmp, Offset: 00BB0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0641db1259c77ffa84ab9273a7ed42bfa758a28cdd8a6db10b6834d8bdc24d24
Instruction ID: 49267e1a18fb6ef797ed6e83eb6a642d6fd94baf9e770cf7e47a4523f140224d
Opcode Fuzzy Hash: 0641db1259c77ffa84ab9273a7ed42bfa758a28cdd8a6db10b6834d8bdc24d24
Instruction Fuzzy Hash: 1751B171B003059FCB14ABB4D894AEEB7F6BF85304F1489A9E5069B392EF75EC048761

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE648, Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464579345.0000000000BB0000.00000040.00000001.sdmp, Offset: 00BB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7afca6952feaa20d8e5b752c5cb7196e822d3dda8a29129f435d25c8b083856
Instruction ID: 25c86db4076a8b326b4dee2a76ffda33fe1e8711c2304b0424b7c25f5eb0d756
Opcode Fuzzy Hash: a7afca6952feaa20d8e5b752c5cb7196e822d3dda8a29129f435d25c8b083856
Instruction Fuzzy Hash: 844103B2E043558FCB00CFA9D8042EEBBF5AF89220F1586ABD514A7251EB789C45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010B518F, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010B52A2

Memory Dump Source

Source File: 00000004.00000002.465825322.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f34e6e1d622969fe9f662575e221188d6c1b9a12ce10dc7ff6d30c7d423caf75
Instruction ID: 3fa336ff1c8edd63177914553abd8d80100c64634586f92e46174761dbe952b9
Opcode Fuzzy Hash: f34e6e1d622969fe9f662575e221188d6c1b9a12ce10dc7ff6d30c7d423caf75
Instruction Fuzzy Hash: E341DEB1D103489FDF14CFA9C984ADEBFB1BF88314F24816AE819AB210D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010B5190, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010B52A2

Memory Dump Source

Source File: 00000004.00000002.465825322.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: befca583a9d68055c2fe39346b7e116e052ddbf51b7d219ba365cd8ee5c6cbcf
Instruction ID: b2003b39d424b4339dd34752492610b7da3ca51a881b012a6ebebe0ffd60cb99
Opcode Fuzzy Hash: befca583a9d68055c2fe39346b7e116e052ddbf51b7d219ba365cd8ee5c6cbcf
Instruction Fuzzy Hash: CF41DFB1D103489FDF14CF99C984ADEBBF5BF88314F24816AE819AB210D774A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BB4E78, Relevance: 1.6, APIs: 1, Instructions: 110registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 00BB4F81

Memory Dump Source

Source File: 00000004.00000002.464579345.0000000000BB0000.00000040.00000001.sdmp, Offset: 00BB0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b5032d6c397aca0896fff95aaba2dcda6cf7b7930053ade8bd2d22d6da0f6fb1
Instruction ID: dd43434794873cf8b3a8265ad1b4ab494735faa3509251c2cd336037d6dd10e5
Opcode Fuzzy Hash: b5032d6c397aca0896fff95aaba2dcda6cf7b7930053ade8bd2d22d6da0f6fb1
Instruction Fuzzy Hash: 154104B5E01259DFCB10CFA9C484AEEBBF5FF48304F15806AE819AB351D7B49845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010B6964, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 010B7D01

Memory Dump Source

Source File: 00000004.00000002.465825322.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 9e9e7f4618942655a1281c050bbf6a8e2f897921ee0a2200cb6f5497d32166a4
Instruction ID: 08f73de88675a00799f7395f1b5a80f9acf9063784546b61d5773c67fcb3f059
Opcode Fuzzy Hash: 9e9e7f4618942655a1281c050bbf6a8e2f897921ee0a2200cb6f5497d32166a4
Instruction Fuzzy Hash: E0411AB5A002098FDB54CF99C488AAABBF5FF88314F14849DE559AB361D774A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BB452C, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 00BB4F81

Memory Dump Source

Source File: 00000004.00000002.464579345.0000000000BB0000.00000040.00000001.sdmp, Offset: 00BB0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d1509d543c957cb48db6cea3dedb5a4b5625ecfab330a78b8c91987836f6050c
Instruction ID: dc4d7c92351c19030513c4c7601f22001258a2d967c2e16318e96f76c2713570
Opcode Fuzzy Hash: d1509d543c957cb48db6cea3dedb5a4b5625ecfab330a78b8c91987836f6050c
Instruction Fuzzy Hash: 7331EFB1D012589FCB10CF9AC884AEEBBF5FF48310F15816AE819AB311C7B49905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BB4520, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 00BB4CC4

Memory Dump Source

Source File: 00000004.00000002.464579345.0000000000BB0000.00000040.00000001.sdmp, Offset: 00BB0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a38b3921109523572b36d3bc9a06707c25bf42da0410f276aabd42d61c94695c
Instruction ID: 5ad5051bedebf0d53ef90a0e446a37bae095c4469bb8d1b7fc5eee1e05bdd727
Opcode Fuzzy Hash: a38b3921109523572b36d3bc9a06707c25bf42da0410f276aabd42d61c94695c
Instruction Fuzzy Hash: DA31F1B0D012489FDB10CF99C584A9EFFF5FF49314F29816AE809AB342C7B59985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010B41A8, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010B4216

Memory Dump Source

Source File: 00000004.00000002.465825322.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9a801dea613a1d1b35845c9d5a40b4010ae6f698ae24857036b9d1eb759f0268
Instruction ID: 7b8a0463a19721fdf17a451b3d350fc2e5fcf5e126530d7f4fc17b54da33ce1f
Opcode Fuzzy Hash: 9a801dea613a1d1b35845c9d5a40b4010ae6f698ae24857036b9d1eb759f0268
Instruction Fuzzy Hash: 652189B1D043848FCB11CFAAC4846DEBFF0EF89214F1585AEC099AB612C375950ACF61

Uniqueness

Uniqueness Score: -1.00%

Function 010B6D71, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010B6DFF

Memory Dump Source

Source File: 00000004.00000002.465825322.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 88d27608cbe6f23655a8a39b45d8a8c651af54d71e5d2709ab71ed4187867e7b
Instruction ID: e19f9d0630a853d505969bf177726ae2d20dec145c0fde972a6bef4deb1e64fd
Opcode Fuzzy Hash: 88d27608cbe6f23655a8a39b45d8a8c651af54d71e5d2709ab71ed4187867e7b
Instruction Fuzzy Hash: 182112B5D002489FDB10CFA9D484AEEBFF4EB48324F14806AE954A7310D778A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010B6D78, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010B6DFF

Memory Dump Source

Source File: 00000004.00000002.465825322.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d23ca7cb316967f9c8e9dcfdd490824a70df20640a37703b5261a3f6d8911e74
Instruction ID: e471a37c6e97b46c6a35d9c3a70c383a07c321e09d6d18e6cd1414c54024a443
Opcode Fuzzy Hash: d23ca7cb316967f9c8e9dcfdd490824a70df20640a37703b5261a3f6d8911e74
Instruction Fuzzy Hash: 1021F3B5D002089FDB10CFAAD984ADEBBF8FB48324F14801AE954A7310D779A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BBD128, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00BBE69A), ref: 00BBE787

Memory Dump Source

Source File: 00000004.00000002.464579345.0000000000BB0000.00000040.00000001.sdmp, Offset: 00BB0000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e8072310f474076156a102fd5ec7e1f777974ad076c67c800cfb8bc83ef2c36e
Instruction ID: 75c4e919d0c35206043cc90c92263c47dde94b9666de8dec1c741aaf3617da8b
Opcode Fuzzy Hash: e8072310f474076156a102fd5ec7e1f777974ad076c67c800cfb8bc83ef2c36e
Instruction Fuzzy Hash: 1F11F4B5D006199BCB10CF9AC4447EEBBF4EB48324F15816AE518B7240D778A944CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 010BBDF8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 010BBE72

Memory Dump Source

Source File: 00000004.00000002.465825322.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: b3618e17e66587df75f33c9435b4a3d668273f455d590529c7569dae3b546975
Instruction ID: 78c324963ad47d7acc47ad1405e8b386083f5f73c409349502fdca7b9a0628da
Opcode Fuzzy Hash: b3618e17e66587df75f33c9435b4a3d668273f455d590529c7569dae3b546975
Instruction Fuzzy Hash: BB11BEB1A003088FDB90CFAAC9487DEBBF4FB48314F20842AD555A3711C7396548CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010BBDF7, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 010BBE72

Memory Dump Source

Source File: 00000004.00000002.465825322.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 89aae1c2bb710aaee3a64a80d350adea3bb2e5ad8333bd417e2ce86c435f02c2
Instruction ID: 3d4d874f708984370a09d7b5ad611148016c6292b4ae6f57849819f16979d7ad
Opcode Fuzzy Hash: 89aae1c2bb710aaee3a64a80d350adea3bb2e5ad8333bd417e2ce86c435f02c2
Instruction Fuzzy Hash: 0C11ACB1A003088FCBA0CFAAC9887DEBBF0FB48314F20846AD555A3711C7395508CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BBE718, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00BBE69A), ref: 00BBE787

Memory Dump Source

Source File: 00000004.00000002.464579345.0000000000BB0000.00000040.00000001.sdmp, Offset: 00BB0000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 40550be722d6e9661bc98a13dffff506a7e4f801fba722eb92c074f4446a9999
Instruction ID: 36a9ddc2a5e8bea59fb87fac272311013870583d43d09e8e3672f44833656cc7
Opcode Fuzzy Hash: 40550be722d6e9661bc98a13dffff506a7e4f801fba722eb92c074f4446a9999
Instruction Fuzzy Hash: E31112B6C006299FCB00CF9AC5447EEFBF4AF48324F15856AD918B7240D778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010B2F43, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010B4216

Memory Dump Source

Source File: 00000004.00000002.465825322.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4926c31e9c2a7e062c9b3d32a8fbde3f2fecdf0ec02094a3a9e8f7ace9f77030
Instruction ID: 2f9ebcd35dbe179ccb256b7b76f098f0b4300335379cb08047b58185c053bf35
Opcode Fuzzy Hash: 4926c31e9c2a7e062c9b3d32a8fbde3f2fecdf0ec02094a3a9e8f7ace9f77030
Instruction Fuzzy Hash: 461123B5D002498FDB10CF9AD488BDEBBF4EF88224F05846AD959B7201C374A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010B2F44, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010B4216

Memory Dump Source

Source File: 00000004.00000002.465825322.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3bc9497cef1a6afd2bfe368201139791ff5505f021e83cd359337126d4ec6b3f
Instruction ID: 143218fb7df3bdf9b0ce9e491751863315c614432bf54577e575192bd7b8ebcb
Opcode Fuzzy Hash: 3bc9497cef1a6afd2bfe368201139791ff5505f021e83cd359337126d4ec6b3f
Instruction Fuzzy Hash: 631104B5D006498FDB10CF9AD484BDEFBF4EB89224F10846AD559B7201C374A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC56A0, Relevance: 1.3, Instructions: 1280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26f162a16dc7e09ae1eeee25fa3ec03f581eed7d69f2434b74f4bbb4d60e85c
Instruction ID: f18d8ffb5d0ed3bd4c39c66e03d8a4af866fc12ae01bec6f902b9ffabcd8219c
Opcode Fuzzy Hash: a26f162a16dc7e09ae1eeee25fa3ec03f581eed7d69f2434b74f4bbb4d60e85c
Instruction Fuzzy Hash: 129206FBE49AC44FD7058AA8786FD95BFD21E62218F0B01DBCD404B2A7F5111E99C683

Uniqueness

Uniqueness Score: -1.00%

Function 00BC3E28, Relevance: .8, Instructions: 788COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70400253d76c6f3c4f46d9dacb5b7db61447c41e34b475d77300cc48b6cab9d
Instruction ID: a985f5d4da13b947e5f5f6db8193e1bc503550befcd1a3a0586c1b6449ec3339
Opcode Fuzzy Hash: d70400253d76c6f3c4f46d9dacb5b7db61447c41e34b475d77300cc48b6cab9d
Instruction Fuzzy Hash: 5B624F74A0411D8FEB24ABA4C9A0BEEBBB6EF95304F1084A9D6066F390DF315D41DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC4E0, Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce9ff26bfdb78cb8feadb3751b7c542b2fa921839da9b222fc26336181d16e2
Instruction ID: 530cc5573f1459c3c068b3dd0be17db45f292b2c568316f32dd6367ac3cf6785
Opcode Fuzzy Hash: 1ce9ff26bfdb78cb8feadb3751b7c542b2fa921839da9b222fc26336181d16e2
Instruction Fuzzy Hash: 7CF18E347045048FDB299A38C898F393AE6EFA1704F2940EEE50ACF7A5DB28CC41D765

Uniqueness

Uniqueness Score: -1.00%

Function 00BC16C8, Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71cb68449dbbb69702e286f3da6b95238fb11dfa291aa085979dd299ddee617d
Instruction ID: 81212d7ed91e738837c5a7dfeb12355470a219ceebcc94cdd3279725ffa62b34
Opcode Fuzzy Hash: 71cb68449dbbb69702e286f3da6b95238fb11dfa291aa085979dd299ddee617d
Instruction Fuzzy Hash: ABC1E2747042118FDB159B68C894BAE77E6EFCA304F1589ADE9069B392DF34CC02C791

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4C78, Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed87e0116e455a0e91e45416197acd41e57c5609008c2dfb77f3f7354a38c70f
Instruction ID: f1692119242270418c4adf6f060e9f53488e52ddea441188978c23bddb823548
Opcode Fuzzy Hash: ed87e0116e455a0e91e45416197acd41e57c5609008c2dfb77f3f7354a38c70f
Instruction Fuzzy Hash: D9D1F775A006158FCB14CF69D494EADBBF2FF88311B2A84ADE509AB361DB30ED41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4B59, Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9658cbf5b68590447ae06ed50775d6d94b99136e3aced08b87f3026871046827
Instruction ID: ba0563ee5382e361e2d39dbbe26c44a9b72be68fc387aabbe638b83f1e2caaae
Opcode Fuzzy Hash: 9658cbf5b68590447ae06ed50775d6d94b99136e3aced08b87f3026871046827
Instruction Fuzzy Hash: 6CD11A71E002158FCB14CFA9C894E9DBBF2FF88311B168599E519AB361DB30ED41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2D40, Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcca23e93aadf6ad8618aa7b47442e567bea152de9866288c57e197a5ca3ed03
Instruction ID: aaec811878418784a7ba1df7dedfb7afc50ef29be5b9102e6b36135ed5f4220d
Opcode Fuzzy Hash: dcca23e93aadf6ad8618aa7b47442e567bea152de9866288c57e197a5ca3ed03
Instruction Fuzzy Hash: 16C13930A002099FCB14DFA9C884EAEBBF2FF58714F55859DE94AAB261D731ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC130, Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669e28faa583627f22e5a5b6a0e7f531d6c113520ccde81dabe3efec6d9dca35
Instruction ID: 86e6e71b30ec0ea51c7802265cfb96c6afd637177342f5a26dcd6a821ceb661a
Opcode Fuzzy Hash: 669e28faa583627f22e5a5b6a0e7f531d6c113520ccde81dabe3efec6d9dca35
Instruction Fuzzy Hash: 6AA17B31A042499FCF15CFA8C844AEEBFF2FF99310F1485AAE909AB261D7309855CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD370, Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c4614357be302d4fa1465576afad2db8ed87b8546c8fa4c07cd8427945f86e
Instruction ID: d3ca358a1fd5767c05cc86361d1342d335f35867f631cd12d62165085d4e662d
Opcode Fuzzy Hash: 76c4614357be302d4fa1465576afad2db8ed87b8546c8fa4c07cd8427945f86e
Instruction Fuzzy Hash: A181AD34B002159FCB19EB64C854FAE7BE6EB88354F14896DEA0ADB380DB70DD51C792

Uniqueness

Uniqueness Score: -1.00%

Function 00BC1ACF, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f67f21d1ade9486246bdf700e341597cf71b97d870c33f5d8195fea2d18b8b5
Instruction ID: 86a008c59d1a977acdd51b79bca36558064444833d302e40508b46b111528523
Opcode Fuzzy Hash: 1f67f21d1ade9486246bdf700e341597cf71b97d870c33f5d8195fea2d18b8b5
Instruction Fuzzy Hash: 14818D34A005059FCB14CF6DC484EAAB7F2EF8A345B1589ADE516EB362D731EC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5280, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed3f744f37823fc6c95af14ffb2589f6a9938f6a1b173fbe352d4d2f559378c5
Instruction ID: 3689ea5a6ab8a79ae5b393c24ce7049e08a12738a7ed98f3fa5bd52e1f9fdf1f
Opcode Fuzzy Hash: ed3f744f37823fc6c95af14ffb2589f6a9938f6a1b173fbe352d4d2f559378c5
Instruction Fuzzy Hash: 65814C71A006598FCB24CF69C484EAEBBF5FF84351F168499E9169B262C770FC81CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00BCAD18, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f23c92ca982c0d078dc576ce3092c73b9ffb3261dab94640882fce8c86e9e8
Instruction ID: 5a8daefb4e4b60066531530df87f3adcc0238d2aa987207aea2d94fc46e31888
Opcode Fuzzy Hash: 25f23c92ca982c0d078dc576ce3092c73b9ffb3261dab94640882fce8c86e9e8
Instruction Fuzzy Hash: 85713F70B002098BDB18ABB4D4647AE76F6AFC8344F24453CE946EB794EF75DC068B91

Uniqueness

Uniqueness Score: -1.00%

Function 00BCBA20, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f0c28b4d3cb7144a6bef0ccfa58049b915fca6282712126d1b87194736c2d44
Instruction ID: d4b22f14be681962388a2491a5be8d6157ba1f171e00941e9375aa91a9101ba4
Opcode Fuzzy Hash: 7f0c28b4d3cb7144a6bef0ccfa58049b915fca6282712126d1b87194736c2d44
Instruction Fuzzy Hash: C671EE347002058FCB24DF28C896FAE7BE6EF89701F1944A9E906CB2A1DB74DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BC3AC9, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7e86515546fab71ca806fdbc800c27c8ede07b4c7e95942fa89a75ff1f1796
Instruction ID: e11b30e9929574c1255a9afc90e99f4dd2a903b352cd44d5387cb8a1a8dc2102
Opcode Fuzzy Hash: 3c7e86515546fab71ca806fdbc800c27c8ede07b4c7e95942fa89a75ff1f1796
Instruction Fuzzy Hash: C0517A353046158FCB14DF39C884F6ABBE9FF49B5076584EEE506CB261EB21DE018B60

Uniqueness

Uniqueness Score: -1.00%

Function 00BCCAA0, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0a8806b1bdf1c3791975a97981ec6c713b42235f25ff107d8759615f698d535
Instruction ID: 90a6337816d44c727f87c50646016dcbc9349598509d2152a4440f896b682477
Opcode Fuzzy Hash: c0a8806b1bdf1c3791975a97981ec6c713b42235f25ff107d8759615f698d535
Instruction Fuzzy Hash: 04613B70E047498FDB15CFA5C580BEEBBF2EF99310F24869AD809AB251D770AD45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BCCA90, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2425ab7151cf82fe6bc8b9ed9620ae16d0fa8120dd021a38234b8dc91b2cc27c
Instruction ID: b39fb0d148bd4316523b3ea81512d35ff34d4f1ce2576a26433695034787483e
Opcode Fuzzy Hash: 2425ab7151cf82fe6bc8b9ed9620ae16d0fa8120dd021a38234b8dc91b2cc27c
Instruction Fuzzy Hash: 0A513C70E047499FDB11CFA5C540AEEBFF2EF99300F24869AE849AB251D770AD45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00BCB006, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af86147a614aa4a1842331597994310888b9707e00e0fd5ec0080dc959507379
Instruction ID: cd5c9cde54dfdbc104d6ccbcbd41b6999a924a3dd26ad7027904212e1c22fdcd
Opcode Fuzzy Hash: af86147a614aa4a1842331597994310888b9707e00e0fd5ec0080dc959507379
Instruction Fuzzy Hash: 8A416270B002098FDB249BB4D459BBE76F6AF88704F24446DE846DB394DF79CC028B91

Uniqueness

Uniqueness Score: -1.00%

Function 00BCAAA8, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd89bde154048ff91d732764c68b4cb271a058d11d2a01fbac80143ae9f6d0d
Instruction ID: 7d9950d2d237b6e0ca9a3111cba4a8640e5177d7b16c869d7f298f1126882f3d
Opcode Fuzzy Hash: ecd89bde154048ff91d732764c68b4cb271a058d11d2a01fbac80143ae9f6d0d
Instruction Fuzzy Hash: FB418E30B002198BDF249BA8D990B6FB2F6EB85309F20496DE40ADB784DB35DC45C792

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC283, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7e76a7af7f0091c8eecd0ad765aa847172043f3841a5a30ab6494c42e590d7
Instruction ID: 938760aa9f235cce05e42d87e421ac0be2066921ac982f823757e9010b9c9e97
Opcode Fuzzy Hash: 8b7e76a7af7f0091c8eecd0ad765aa847172043f3841a5a30ab6494c42e590d7
Instruction Fuzzy Hash: 4B41BD30A04249DFCF15CFA4C850BAEBFF2EFA9315F108199E909AB291C330A914DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5500, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bada204be56a966ab5cfef187475ba9c305cba4b38420ef323ddfac20c28893
Instruction ID: 0c5c693b0857b81ecef786d294ce688a556919541a8aa35ecfe223006c4d4ed0
Opcode Fuzzy Hash: 7bada204be56a966ab5cfef187475ba9c305cba4b38420ef323ddfac20c28893
Instruction Fuzzy Hash: D94123713046559FCB259F28E854BAE3BE2EF89310F0544AEE94ACB352DB34DC52CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2618, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0670807cecc4e981f2de1256e082b2acb9910a5a1bdbed915a5a4d47c539413
Instruction ID: 0e5eaee44d3f219950c341bf817417242b362a996c5cd225269683bea73460c2
Opcode Fuzzy Hash: a0670807cecc4e981f2de1256e082b2acb9910a5a1bdbed915a5a4d47c539413
Instruction Fuzzy Hash: 7541BD30A00208DFDB15DF64C984BBEBBE6EB48314F0484AEE9159B251DB75DC55CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC38D8, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72aa21920af9eb6c19b2c77b5a96d2fd06ce0056e513966b9601b876004d70d
Instruction ID: 0158ee5de6441b553256f229d7a725270c44c1e49ffb7bbf24415f96f477c022
Opcode Fuzzy Hash: b72aa21920af9eb6c19b2c77b5a96d2fd06ce0056e513966b9601b876004d70d
Instruction Fuzzy Hash: 174125747001158FCB049F29C888BAA7BF6FB88710F5085A9F9068B2A1CBB1DE50DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BC14A8, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03faf7706d755c4b38276162af977da45f04b1753a5af7f28b89d819db76e3d5
Instruction ID: ad15b84420d2df0b05b17efb1928b1181b7a33527cbe7681af091c3a651acb8c
Opcode Fuzzy Hash: 03faf7706d755c4b38276162af977da45f04b1753a5af7f28b89d819db76e3d5
Instruction Fuzzy Hash: A341933170010ADFCF45AF69D854BAF7BE6EF99300F148569FA0697251DB31CD219B90

Uniqueness

Uniqueness Score: -1.00%

Function 00BC3D08, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ad47a7b4bfbcafc509c5c9dead932877d60ce98dacb6df23ffa805e1f3dc40
Instruction ID: 0412cf36cc8b4076a999b0f80d79363f4c532ad84a7de03774013d7796fd612f
Opcode Fuzzy Hash: f2ad47a7b4bfbcafc509c5c9dead932877d60ce98dacb6df23ffa805e1f3dc40
Instruction Fuzzy Hash: E621B2307042164BDB252A258994B7D7BDBDF81F157A8C0BDD503CF391EE24CD426791

Uniqueness

Uniqueness Score: -1.00%

Function 00BC3D18, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d612f11d7de2cc9b58b5a191b3779c788ae445ef342a1cdaef5cbb7a886f505a
Instruction ID: f2d90f2ca6415a9a7d8687dbdf05b7f75a4ea4b8f1eb1336871f4e21f3fc1f43
Opcode Fuzzy Hash: d612f11d7de2cc9b58b5a191b3779c788ae445ef342a1cdaef5cbb7a886f505a
Instruction Fuzzy Hash: 6C21AF307002054BEB242A258994B7A3ADBDFC0B15BA4C0BDD503CF794EE25CD42A391

Uniqueness

Uniqueness Score: -1.00%

Function 00BC3C10, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c8b1e2dc34a28134c771771cfc31f6dd20d8d01985aa74c52d0897a46d7ecc
Instruction ID: e8d2f26b00a7edb9b8ce970184826a0344e7e58a0ce89a9571ecbb327d727d02
Opcode Fuzzy Hash: 94c8b1e2dc34a28134c771771cfc31f6dd20d8d01985aa74c52d0897a46d7ecc
Instruction Fuzzy Hash: A121A0307042559BDB018F66D880FAFBBEAEB85B40B55C46AF912D7245DB35CE40D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC2608, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42744c9247012c30dab2af1f4872ddfbcaaff1234e6de48a23ab856549970f73
Instruction ID: 86795cacce288611403eaf298806e9fb59710bd0253cf917d127f3d73df0f254
Opcode Fuzzy Hash: 42744c9247012c30dab2af1f4872ddfbcaaff1234e6de48a23ab856549970f73
Instruction Fuzzy Hash: 87216A71A00208EFDB24DF54C948FAABBF6EB48314F04C4AEE5199B211D775ED54CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BC19F0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2401b42cfdcbea944d1907c9a2c20a7c9d069481749dc158d511201ea8593c9
Instruction ID: 3927b72dbed9c4c2e13477e0ded5a758ef835cf26f08c7119c30529fd2af8661
Opcode Fuzzy Hash: b2401b42cfdcbea944d1907c9a2c20a7c9d069481749dc158d511201ea8593c9
Instruction Fuzzy Hash: 2511C231702A118B87199A2EC494A7A77E6EFC675171549BCE916EB351DF30DC028780

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC368, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b362f8bd82b23775a12c7da93b53504a768ce4b2d89ed99c0eed3870e60db0
Instruction ID: a2e01698d35b913a283f92903b7bbf7d2ee27cbbeb65c29b239dab1e8131d8c5
Opcode Fuzzy Hash: 42b362f8bd82b23775a12c7da93b53504a768ce4b2d89ed99c0eed3870e60db0
Instruction Fuzzy Hash: 5711AC31A002459BCB14CF68C880F6EBFE2EFD5314F14C299E51CAB291D371E820C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00BCC360, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569e64f405a4b3954ff6beceae9677d2fd7f4003a6e1fc5dc2cfa79395772f9d
Instruction ID: 5b16e58a06e3445cbb5ecea1e130b04452b66f27431991f0c0da15f3c81cd3f6
Opcode Fuzzy Hash: 569e64f405a4b3954ff6beceae9677d2fd7f4003a6e1fc5dc2cfa79395772f9d
Instruction Fuzzy Hash: A021CD31A002459FDB14CF68D880FAEBFE2EFA4314F14C299D55CAB291D370A8658799

Uniqueness

Uniqueness Score: -1.00%

Function 00BC49B0, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02eafd566f8ae3bd7508fb3dc42f339d37834d38e9eeb04643f84c88ef6a538c
Instruction ID: 1b0766beed911308ed6b0f702abe38b82fda1ec68cb3118e3019f48e06cfc465
Opcode Fuzzy Hash: 02eafd566f8ae3bd7508fb3dc42f339d37834d38e9eeb04643f84c88ef6a538c
Instruction Fuzzy Hash: C2112E35B401049BDB14DF69D854B9EBBB6FB8C710F108569F916A7350DB71AD10CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD36F, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf76d6d8812bbd44e8a4d34382123e17524967e74170fd0a8352e717067f415d
Instruction ID: 40d21bca4d774b6e76f41e7fb25614849097f26d6be57210dcf5bb9f0c9bcb4a
Opcode Fuzzy Hash: cf76d6d8812bbd44e8a4d34382123e17524967e74170fd0a8352e717067f415d
Instruction Fuzzy Hash: 63119E39B001149FCB14DE29A084F6EB7E2EB94321F1486BDE90A8B350DB70EC42C791

Uniqueness

Uniqueness Score: -1.00%

Function 00BC14F0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d0d3d190c8743f02ce2acbd7e9b88505cabf0140c90df6655fcd902be05588
Instruction ID: 50a4a8221feb044d193c17111fc77f6a98ad63bbbda39de77dee9fd646103c78
Opcode Fuzzy Hash: 72d0d3d190c8743f02ce2acbd7e9b88505cabf0140c90df6655fcd902be05588
Instruction Fuzzy Hash: C1118E316002199FCB10AF19E884FAA7BE5EBA9354F1045AAFD0A9B211CB31CD61DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BC14EF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be92f9acda4c09952979410ea34896bc8309a05e26387437db9d5d54cd23481
Instruction ID: f906e84639a48788ac6e9365f63e034de0cffb3fcedda14249ad6576bf4afa7b
Opcode Fuzzy Hash: 8be92f9acda4c09952979410ea34896bc8309a05e26387437db9d5d54cd23481
Instruction Fuzzy Hash: 781170316001199FCB119F29E484FAE7BE1EBA9354F1045AAF90A9B211CB31CD66DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5448, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05c4725c7ddacfbd2dddfe33cd63c12619005d126d04932982e182e9c48b410
Instruction ID: 6c47ac1a0b151ef2673901aca8588c25e37fac4245c5072acc38236b3a355bec
Opcode Fuzzy Hash: b05c4725c7ddacfbd2dddfe33cd63c12619005d126d04932982e182e9c48b410
Instruction Fuzzy Hash: 5B116AB0E0025A9FCB14DFA99880BEEBBF5FF88301F10452AE955A3305D7349A55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00BC5698, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612e0ac2a2cb480f8a44ff4b433d20313b8c722bbf073e4ff92d42be5e25e333
Instruction ID: 3e384ee5f38e394b9fe5d280ebffc0a42336d3a195456178917d9593ee7c5c6c
Opcode Fuzzy Hash: 612e0ac2a2cb480f8a44ff4b433d20313b8c722bbf073e4ff92d42be5e25e333
Instruction Fuzzy Hash: FF01D235F01A10CBEB349EA48080BAEB3E6EBC5354B2484FED8455F300DB31AC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00BCA698, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e114d05cf7b8139198f541533782434766a3ec55665ee6f9469fc12ab1ea8aca
Instruction ID: 6c37ea37f54c8d0fb3fc00fe22cb806e201c8962499b30f5d9d9876d5fc0c642
Opcode Fuzzy Hash: e114d05cf7b8139198f541533782434766a3ec55665ee6f9469fc12ab1ea8aca
Instruction Fuzzy Hash: A5018FB5F002148FD790DA689845BEE37F6FB98310F2580BAE21DE7344E634CD028B91

Uniqueness

Uniqueness Score: -1.00%

Function 00BC1637, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f6ac0ee0b3732bbf3aecac8e5dea887ef197ba997d55be9a3ea23b436e4333
Instruction ID: b2498d57fc91af1c45003000dbec5c1f3d6a5d958974d69ec6988c11ad7a1fed
Opcode Fuzzy Hash: 29f6ac0ee0b3732bbf3aecac8e5dea887ef197ba997d55be9a3ea23b436e4333
Instruction Fuzzy Hash: 46012672B000156F8F558E689810BFF3BE7EBC8350B198169FA05D7240CA318C128B90

Uniqueness

Uniqueness Score: -1.00%

Function 00BC54FF, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6d0e772f5587fb69ff564619851876d4129cf61cb015b0e759ce0cef6acf9c
Instruction ID: a2db0948a05aea4329e7a012059bcbb21b1f65ec3a3ca0c32ab0350c4be07463
Opcode Fuzzy Hash: 4a6d0e772f5587fb69ff564619851876d4129cf61cb015b0e759ce0cef6acf9c
Instruction Fuzzy Hash: CD0162717005059FC724DF1AE494BAA77E3EFE8320B158069E54ACB351DA31DC528750

Uniqueness

Uniqueness Score: -1.00%

Function 00BCA6A8, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a75ac182756ee85bad555a57a8079de62eace375ff8ba815ec6c45083ab16a98
Instruction ID: 1ac569d7c9468ccae573f89e27fab818699755de3890e73cb1aafdf37a4b6698
Opcode Fuzzy Hash: a75ac182756ee85bad555a57a8079de62eace375ff8ba815ec6c45083ab16a98
Instruction Fuzzy Hash: 14E01275E102199F47509BAD98055AF7AF9EA88621B514476E519E3200EB3449019BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00BC1AC0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d59a593ecc067fb1fb7762a27f17c8d21db337de9f71809e74bf696dd38e0d
Instruction ID: bea68e9dca1cec1aaec82e704da4d3f1c05c401cb8416f6b66e8885c78345e94
Opcode Fuzzy Hash: 54d59a593ecc067fb1fb7762a27f17c8d21db337de9f71809e74bf696dd38e0d
Instruction Fuzzy Hash: E6E07D7360D1614FC313072CB4002963B90D7833A171147E3EA99FB702CD20DC4093C0

Uniqueness

Uniqueness Score: -1.00%

Function 00BC1D70, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a14591e3dd8bbbcd05b9ac64ab316a079e728c9b647e445d2ca2e3f774f3f5e
Instruction ID: f35cd2fcfc0e3c7d832799f714364557a4fb7d926ef663f0bee5fa13e2fcc029
Opcode Fuzzy Hash: 7a14591e3dd8bbbcd05b9ac64ab316a079e728c9b647e445d2ca2e3f774f3f5e
Instruction Fuzzy Hash: E5E0C2B000C3854FD743BB78A4609C5BB35DF8334830ACEE6C1068A13BDBB16D099792

Uniqueness

Uniqueness Score: -1.00%

Function 00BC4890, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 55a5276263dfc39b2238c91a29f094eb02fa69203e65c14838dd98baae974faf
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: ABC08C3360C1386EA624108F7C90FA3BBCCC3C13B5E2502BBF51CC720098829C8001F5

Uniqueness

Uniqueness Score: -1.00%

Function 00BC1D80, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9d84d4aee43f6cfc08f165c2fbe74c15ab034006abdfebbf61dca26ee01d31
Instruction ID: 935d98b04d0fb06962c79aa7ac0606ce1f430f5597ebf5a6cfd94bd58684959e
Opcode Fuzzy Hash: bc9d84d4aee43f6cfc08f165c2fbe74c15ab034006abdfebbf61dca26ee01d31
Instruction Fuzzy Hash: 02C0127005C219478680FB75E481556333E5B8224C341CE61D10A49239DFB169058786

Uniqueness

Uniqueness Score: -1.00%

Function 00BC1D7F, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ff291d9d70fc15c0e7cd536b69b56e1b596d5493a8715f8c7a4263d2f87aa3
Instruction ID: cd679c3c8fbea9fffdee309bd15402c119a2e6e30a1ff1e5a5fc6658edbe3e22
Opcode Fuzzy Hash: 24ff291d9d70fc15c0e7cd536b69b56e1b596d5493a8715f8c7a4263d2f87aa3
Instruction Fuzzy Hash: 80D0127045C25547CB80FB75E4D14EA3B369B8224C301CF61D5478923ADFB2590ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 00BCF7E1, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.464612373.0000000000BC0000.00000040.00000001.sdmp, Offset: 00BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e1e7465015a4aef62cba1f13b0b9436e753930400b8d3c1d23777f5d815688
Instruction ID: 3223ce57b906ae1fffaae743666301b272ba8b3c70b71262abaef615ada1ec06
Opcode Fuzzy Hash: 16e1e7465015a4aef62cba1f13b0b9436e753930400b8d3c1d23777f5d815688
Instruction Fuzzy Hash: 25C04C5654E7C44FD71792346DB43547FB26D6720579E08DBC8C1CB6E3D20C890C9326

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Following abusive email letter .exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre