Play interactive tour

Edit tour

Analysis Report OMANTECH PRODUCTS.exe

Overview

General Information

Sample Name:	OMANTECH PRODUCTS.exe
Analysis ID:	433265
MD5:	1603b2e2474ac57ba3ee0ae98357b50c
SHA1:	a50dbd334f5d9a67c51b399dfc9c8b44b5514e59
SHA256:	1e718cc81b172505bab7576339bb954e9911c79c95c67430355afc493d075a2e
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

OMANTECH PRODUCTS.exe (PID: 6696 cmdline: 'C:\Users\user\Desktop\OMANTECH PRODUCTS.exe' MD5: 1603B2E2474AC57BA3EE0AE98357B50C)

OMANTECH PRODUCTS.exe (PID: 6844 cmdline: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe MD5: 1603B2E2474AC57BA3EE0AE98357B50C)

EupFNx.exe (PID: 6336 cmdline: 'C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe' MD5: 1603B2E2474AC57BA3EE0AE98357B50C)

EupFNx.exe (PID: 6488 cmdline: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe MD5: 1603B2E2474AC57BA3EE0AE98357B50C)

EupFNx.exe (PID: 6568 cmdline: 'C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe' MD5: 1603B2E2474AC57BA3EE0AE98357B50C)

EupFNx.exe (PID: 5916 cmdline: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe MD5: 1603B2E2474AC57BA3EE0AE98357B50C)

EupFNx.exe (PID: 5808 cmdline: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe MD5: 1603B2E2474AC57BA3EE0AE98357B50C)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "jokelogs@omnlltd.comE#@Dfb$LbM)Mserver126.web-hosting.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000011.00000000.438386722.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000011.00000000.438386722.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000003.00000002.582625158.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.582625158.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000009.00000002.446184699.00000000030F1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.446184699.00000000030F1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000009.00000000.411469581.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000000.411469581.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000009.00000002.443402056.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.443402056.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000000.324134931.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000000.324134931.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000007.00000002.415888638.00000000044B9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.415888638.00000000044B9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000B.00000002.443519142.00000000039F9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.443519142.00000000039F9000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.591441667.0000000003301000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000011.00000002.582257819.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000011.00000002.582257819.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: OMANTECH PRODUCTS.exe PID: 6844	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: OMANTECH PRODUCTS.exe PID: 6844	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: EupFNx.exe PID: 5808	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: EupFNx.exe PID: 5808	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: EupFNx.exe PID: 6568	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: EupFNx.exe PID: 6568	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: OMANTECH PRODUCTS.exe PID: 6696	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: OMANTECH PRODUCTS.exe PID: 6696	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: EupFNx.exe PID: 6336	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: EupFNx.exe PID: 6336	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: EupFNx.exe PID: 6488	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: EupFNx.exe PID: 6488	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 33 entries

Unpacked PEs

Source	Rule	Description	Author
17.2.EupFNx.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
17.2.EupFNx.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.OMANTECH PRODUCTS.exe.3ba3e38.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.OMANTECH PRODUCTS.exe.3ba3e38.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
7.2.EupFNx.exe.4573e38.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.EupFNx.exe.4573e38.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.0.OMANTECH PRODUCTS.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.0.OMANTECH PRODUCTS.exe.400000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.2.OMANTECH PRODUCTS.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.OMANTECH PRODUCTS.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
17.0.EupFNx.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
17.0.EupFNx.exe.400000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
9.2.EupFNx.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.EupFNx.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
9.0.EupFNx.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.0.EupFNx.exe.400000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
11.2.EupFNx.exe.3ab3e38.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.EupFNx.exe.3ab3e38.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
7.2.EupFNx.exe.4573e38.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.EupFNx.exe.4573e38.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
11.2.EupFNx.exe.3ab3e38.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.EupFNx.exe.3ab3e38.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.OMANTECH PRODUCTS.exe.3ba3e38.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.OMANTECH PRODUCTS.exe.3ba3e38.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 19 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000009.00000002.446184699.00000000030F1000.00000004.00000001.sdmp

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "jokelogs@omnlltd.comE#@Dfb$LbM)Mserver126.web-hosting.com"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe

ReversingLabs: Detection: 30%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: OMANTECH PRODUCTS.exe

Joe Sandbox ML: detected

Source: 3.0.OMANTECH PRODUCTS.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8
Source: 17.2.EupFNx.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 3.2.OMANTECH PRODUCTS.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 17.0.EupFNx.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8
Source: 9.2.EupFNx.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 9.0.EupFNx.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8

Source: OMANTECH PRODUCTS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: OMANTECH PRODUCTS.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: LongPathFile.pdb source: EupFNx.exe, OMANTECH PRODUCTS.exe

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_04B22258
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_04B23578
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_04B23568
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_04B22249
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	7_2_03372258
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	7_2_03372249
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	7_2_03373578
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	7_2_03373568
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	11_2_010C2370
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	11_2_010C235F
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	11_2_010C3680
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	11_2_010C3690

Source: global traffic

TCP traffic: 192.168.2.6:49743 -> 198.54.126.165:587

Source: Joe Sandbox View

IP Address: 198.54.126.165 198.54.126.165

Source: global traffic

TCP traffic: 192.168.2.6:49743 -> 198.54.126.165:587

Source: unknown

DNS traffic detected: queries for: server126.web-hosting.com

Source: OMANTECH PRODUCTS.exe, 00000003.00000002.591441667.0000000003301000.00000004.00000001.sdmp, EupFNx.exe, 00000009.00000002.446184699.00000000030F1000.00000004.00000001.sdmp, EupFNx.exe, 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: EupFNx.exe, 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.598121188.0000000006C04000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.598121188.0000000006C04000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.598121188.0000000006C04000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.598121188.0000000006C04000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.598121188.0000000006C04000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0-
Source: EupFNx.exe, 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp	String found in binary or memory: http://ronNgX.com
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.591441667.0000000003301000.00000004.00000001.sdmp, OMANTECH PRODUCTS.exe, 00000003.00000003.537622624.0000000001574000.00000004.00000001.sdmp, OMANTECH PRODUCTS.exe, 00000003.00000002.593596516.0000000003631000.00000004.00000001.sdmp	String found in binary or memory: http://sAxmBjuRp77zUAl6sU9.org
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328176976.0000000002AE1000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414659740.00000000034B1000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442743867.00000000029F1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.594511046.00000000036AB000.00000004.00000001.sdmp	String found in binary or memory: http://server126.web-hosting.com
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.591441667.0000000003301000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: EupFNx.exe, 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.598121188.0000000006C04000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp, OMANTECH PRODUCTS.exe, 00000003.00000002.582625158.0000000000402000.00000040.00000001.sdmp, EupFNx.exe, 00000007.00000002.415888638.00000000044B9000.00000004.00000001.sdmp, EupFNx.exe, 00000009.00000000.411469581.0000000000402000.00000040.00000001.sdmp, EupFNx.exe, 0000000B.00000002.443519142.00000000039F9000.00000004.00000001.sdmp, EupFNx.exe, 00000011.00000000.438386722.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.591441667.0000000003301000.00000004.00000001.sdmp, EupFNx.exe, 00000009.00000002.446184699.00000000030F1000.00000004.00000001.sdmp, EupFNx.exe, 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\OMANTECH PRODUCTS.exe

Jump to behavior

Source: OMANTECH PRODUCTS.exe, 00000001.00000002.326481971.0000000000DC8000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 3.0.OMANTECH PRODUCTS.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bD1D586A5u002dBBB8u002d4D80u002d8A68u002dB4F10A1C11D2u007d/F1FEFAAAu002dEDA3u002d48EDu002d89D2u002dAD0DD330AFD0.cs	Large array initialization: .cctor: array initializer size 11931
Source: 3.2.OMANTECH PRODUCTS.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bD1D586A5u002dBBB8u002d4D80u002d8A68u002dB4F10A1C11D2u007d/F1FEFAAAu002dEDA3u002d48EDu002d89D2u002dAD0DD330AFD0.cs	Large array initialization: .cctor: array initializer size 11931

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 1_2_0112B5AC	1_2_0112B5AC
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 1_2_0112E470	1_2_0112E470
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 1_2_0112CA2B	1_2_0112CA2B
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 1_2_0112B1E0	1_2_0112B1E0
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 1_2_0112B5A0	1_2_0112B5A0
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 1_2_04B21924	1_2_04B21924
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 1_2_04B20006	1_2_04B20006
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 1_2_04B20040	1_2_04B20040
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 1_2_0505A100	1_2_0505A100
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 1_2_0505A0F3	1_2_0505A0F3
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_017368B0	3_2_017368B0
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_01735B50	3_2_01735B50
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_0173E2C8	3_2_0173E2C8
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_01777DC4	3_2_01777DC4
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_01770040	3_2_01770040
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_017747F8	3_2_017747F8
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_0177C668	3_2_0177C668
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_0177CDA8	3_2_0177CDA8
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_01770012	3_2_01770012
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_01776C08	3_2_01776C08
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_017718D8	3_2_017718D8
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_0177CEA8	3_2_0177CEA8
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_018746A0	3_2_018746A0
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_01874690	3_2_01874690
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_01874650	3_2_01874650
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_0187D981	3_2_0187D981
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_06771F68	3_2_06771F68
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 7_2_03371924	7_2_03371924
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 7_2_03370036	7_2_03370036
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 7_2_03370040	7_2_03370040
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 7_2_0343CA00	7_2_0343CA00
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 7_2_0343B1E0	7_2_0343B1E0
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 7_2_059BA100	7_2_059BA100
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 7_2_059BA0F2	7_2_059BA0F2
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 9_2_015746A0	9_2_015746A0
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 9_2_015745B0	9_2_015745B0
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 9_2_0157D981	9_2_0157D981
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 9_2_063A94F8	9_2_063A94F8
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 9_2_063A7540	9_2_063A7540
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 9_2_063AB0E8	9_2_063AB0E8
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 9_2_063A6928	9_2_063A6928
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 9_2_063A6C70	9_2_063A6C70
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 11_2_00CEE450	11_2_00CEE450
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 11_2_00CEB5AC	11_2_00CEB5AC
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 11_2_00CE9B08	11_2_00CE9B08
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 11_2_00CEE470	11_2_00CEE470
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 11_2_00CECA2B	11_2_00CECA2B
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 11_2_00CEB1E0	11_2_00CEB1E0
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 11_2_00CEB5A0	11_2_00CEB5A0
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 11_2_010C1A3C	11_2_010C1A3C
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 11_2_010C0006	11_2_010C0006
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 11_2_010C0040	11_2_010C0040

Source: OMANTECH PRODUCTS.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: EupFNx.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKygo.dll* vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameyGtvOASYWvwbdmbUlBZRzUUheXIDKFJfdPWsWBv.exe4 vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.326481971.0000000000DC8000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000001.00000000.316936742.00000000007A0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLongPathFile.exe< vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000003.00000000.324326070.0000000001030000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLongPathFile.exe< vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.582625158.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameyGtvOASYWvwbdmbUlBZRzUUheXIDKFJfdPWsWBv.exe4 vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.590174499.0000000001760000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.590230809.0000000001780000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.590385601.00000000017F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.583527597.00000000011D8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs OMANTECH PRODUCTS.exe
Source: OMANTECH PRODUCTS.exe	Binary or memory string: OriginalFilenameLongPathFile.exe< vs OMANTECH PRODUCTS.exe

Source: OMANTECH PRODUCTS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: OMANTECH PRODUCTS.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: EupFNx.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: OMANTECH PRODUCTS.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: OMANTECH PRODUCTS.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.OMANTECH PRODUCTS.exe.6c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.OMANTECH PRODUCTS.exe.6c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.OMANTECH PRODUCTS.exe.6c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.OMANTECH PRODUCTS.exe.6c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: EupFNx.exe.3.dr, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: EupFNx.exe.3.dr, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.OMANTECH PRODUCTS.exe.f50000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.OMANTECH PRODUCTS.exe.f50000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.OMANTECH PRODUCTS.exe.f50000.2.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.OMANTECH PRODUCTS.exe.f50000.2.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/5@2/1

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OMANTECH PRODUCTS.exe.log

Jump to behavior

Source: OMANTECH PRODUCTS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe

File read: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe 'C:\Users\user\Desktop\OMANTECH PRODUCTS.exe'
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process created: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe C:\Users\user\Desktop\OMANTECH PRODUCTS.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe 'C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe'
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe 'C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe'
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process created: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Jump to behavior

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: OMANTECH PRODUCTS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: OMANTECH PRODUCTS.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: OMANTECH PRODUCTS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: LongPathFile.pdb source: EupFNx.exe, OMANTECH PRODUCTS.exe

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: OMANTECH PRODUCTS.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 1.0.OMANTECH PRODUCTS.exe.6c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 1.2.OMANTECH PRODUCTS.exe.6c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: EupFNx.exe.3.dr, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 3.2.OMANTECH PRODUCTS.exe.f50000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 3.0.OMANTECH PRODUCTS.exe.f50000.2.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 3.0.OMANTECH PRODUCTS.exe.f50000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 1_2_0112EC90 push eax; ret	1_2_0112EC91
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_0173B597 push edi; retn 0000h	3_2_0173B599
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_0173D4F8 pushad ; iretd	3_2_0173D541
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_0181E333 push eax; ret	3_2_0181E349
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Code function: 3_2_0181D95C push eax; ret	3_2_0181D95D
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 7_2_0343EC90 push eax; ret	7_2_0343EC91
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 9_2_0151D95C push eax; ret	9_2_0151D95D
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 9_2_0151E348 push eax; ret	9_2_0151E349
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Code function: 11_2_00CEEC90 push eax; ret	11_2_00CEEC91

Source: initial sample	Static PE information: section name: .text entropy: 7.85494493931
Source: initial sample	Static PE information: section name: .text entropy: 7.85494493931

Source: OMANTECH PRODUCTS.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'y6nMEm', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 1.0.OMANTECH PRODUCTS.exe.6c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'y6nMEm', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 1.2.OMANTECH PRODUCTS.exe.6c0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'y6nMEm', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: EupFNx.exe.3.dr, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'y6nMEm', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 3.2.OMANTECH PRODUCTS.exe.f50000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'y6nMEm', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 3.0.OMANTECH PRODUCTS.exe.f50000.2.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'y6nMEm', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 3.0.OMANTECH PRODUCTS.exe.f50000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'y6nMEm', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe

File created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe

Jump to dropped file

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run EupFNx			Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run EupFNx			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe

File opened: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EupFNx.exe PID: 6568, type: MEMORY
Source: Yara match	File source: Process Memory Space: OMANTECH PRODUCTS.exe PID: 6696, type: MEMORY
Source: Yara match	File source: Process Memory Space: EupFNx.exe PID: 6336, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe

Code function: 1_2_006C3C35 sldt word ptr [eax]

1_2_006C3C35

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Window / User API: threadDelayed 9598	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Window / User API: threadDelayed 559	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Window / User API: threadDelayed 1393	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Window / User API: threadDelayed 8417	Jump to behavior

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe TID: 6700	Thread sleep time: -102952s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe TID: 6760	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe TID: 4844	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe TID: 6164	Thread sleep count: 239 > 30	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe TID: 6164	Thread sleep count: 9598 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 6332	Thread sleep time: -101189s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 6436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 6064	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 5676	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 5676	Thread sleep count: 559 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 6444	Thread sleep time: -99633s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 6816	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 5528	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 1420	Thread sleep count: 1393 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 1420	Thread sleep count: 8417 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe TID: 5528	Thread sleep count: 42 > 30	Jump to behavior

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Thread delayed: delay time: 102952	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Thread delayed: delay time: 101189	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Thread delayed: delay time: 99633	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe

Code function: 3_2_01730A76 KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,LdrInitializeThunk,

3_2_01730A76

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Process created: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Process created: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Jump to behavior

Source: OMANTECH PRODUCTS.exe, 00000003.00000002.591063778.0000000001D50000.00000002.00000001.sdmp, EupFNx.exe, 00000011.00000002.590101786.0000000001200000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.591063778.0000000001D50000.00000002.00000001.sdmp, EupFNx.exe, 00000011.00000002.590101786.0000000001200000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.591063778.0000000001D50000.00000002.00000001.sdmp, EupFNx.exe, 00000011.00000002.590101786.0000000001200000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: OMANTECH PRODUCTS.exe, 00000003.00000002.591063778.0000000001D50000.00000002.00000001.sdmp, EupFNx.exe, 00000011.00000002.590101786.0000000001200000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Queries volume information: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Queries volume information: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe

Code function: 9_2_063A5A94 GetUserNameW,

9_2_063A5A94

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000011.00000000.438386722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.582625158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.411469581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.443402056.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.324134931.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.415888638.00000000044B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.443519142.00000000039F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.582257819.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 17.2.EupFNx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.OMANTECH PRODUCTS.exe.3ba3e38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.EupFNx.exe.4573e38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.OMANTECH PRODUCTS.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.OMANTECH PRODUCTS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.EupFNx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.EupFNx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.EupFNx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EupFNx.exe.3ab3e38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.EupFNx.exe.4573e38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EupFNx.exe.3ab3e38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.OMANTECH PRODUCTS.exe.3ba3e38.2.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000011.00000000.438386722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.582625158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.446184699.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.411469581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.443402056.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.324134931.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.415888638.00000000044B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.443519142.00000000039F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.582257819.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OMANTECH PRODUCTS.exe PID: 6844, type: MEMORY
Source: Yara match	File source: Process Memory Space: EupFNx.exe PID: 5808, type: MEMORY
Source: Yara match	File source: Process Memory Space: EupFNx.exe PID: 6568, type: MEMORY
Source: Yara match	File source: Process Memory Space: OMANTECH PRODUCTS.exe PID: 6696, type: MEMORY
Source: Yara match	File source: Process Memory Space: EupFNx.exe PID: 6336, type: MEMORY
Source: Yara match	File source: Process Memory Space: EupFNx.exe PID: 6488, type: MEMORY
Source: Yara match	File source: 17.2.EupFNx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.OMANTECH PRODUCTS.exe.3ba3e38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.EupFNx.exe.4573e38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.OMANTECH PRODUCTS.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.OMANTECH PRODUCTS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.EupFNx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.EupFNx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.EupFNx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EupFNx.exe.3ab3e38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.EupFNx.exe.4573e38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EupFNx.exe.3ab3e38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.OMANTECH PRODUCTS.exe.3ba3e38.2.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\OMANTECH PRODUCTS.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000009.00000002.446184699.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.591441667.0000000003301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OMANTECH PRODUCTS.exe PID: 6844, type: MEMORY
Source: Yara match	File source: Process Memory Space: EupFNx.exe PID: 5808, type: MEMORY
Source: Yara match	File source: Process Memory Space: EupFNx.exe PID: 6488, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000011.00000000.438386722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.582625158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.411469581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.443402056.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.324134931.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.415888638.00000000044B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.443519142.00000000039F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.582257819.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 17.2.EupFNx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.OMANTECH PRODUCTS.exe.3ba3e38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.EupFNx.exe.4573e38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.OMANTECH PRODUCTS.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.OMANTECH PRODUCTS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.EupFNx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.EupFNx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.EupFNx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EupFNx.exe.3ab3e38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.EupFNx.exe.4573e38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EupFNx.exe.3ab3e38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.OMANTECH PRODUCTS.exe.3ba3e38.2.raw.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000011.00000000.438386722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.582625158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.446184699.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.411469581.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.443402056.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.324134931.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.415888638.00000000044B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.443519142.00000000039F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.582257819.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OMANTECH PRODUCTS.exe PID: 6844, type: MEMORY
Source: Yara match	File source: Process Memory Space: EupFNx.exe PID: 5808, type: MEMORY
Source: Yara match	File source: Process Memory Space: EupFNx.exe PID: 6568, type: MEMORY
Source: Yara match	File source: Process Memory Space: OMANTECH PRODUCTS.exe PID: 6696, type: MEMORY
Source: Yara match	File source: Process Memory Space: EupFNx.exe PID: 6336, type: MEMORY
Source: Yara match	File source: Process Memory Space: EupFNx.exe PID: 6488, type: MEMORY
Source: Yara match	File source: 17.2.EupFNx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.OMANTECH PRODUCTS.exe.3ba3e38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.EupFNx.exe.4573e38.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.OMANTECH PRODUCTS.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.OMANTECH PRODUCTS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.EupFNx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.EupFNx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.EupFNx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EupFNx.exe.3ab3e38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.EupFNx.exe.4573e38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.EupFNx.exe.3ab3e38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.OMANTECH PRODUCTS.exe.3ba3e38.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Registry Run Keys / Startup Folder1	Process Injection12	Disable or Modify Tools1	OS Credential Dumping2	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Deobfuscate/Decode Files or Information1	Input Capture111	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information3	Credentials in Registry1	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing13	NTDS	Security Software Discovery311	Distributed Component Object Model	Input Capture111	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Process Discovery2	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion141	Cached Domain Credentials	Virtualization/Sandbox Evasion141	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection12	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
OMANTECH PRODUCTS.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe	30%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.0.OMANTECH PRODUCTS.exe.400000.1.unpack	100%	Avira	TR/Spy.Gen8	Download File
17.2.EupFNx.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
3.2.OMANTECH PRODUCTS.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
17.0.EupFNx.exe.400000.1.unpack	100%	Avira	TR/Spy.Gen8	Download File
9.2.EupFNx.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
9.0.EupFNx.exe.400000.1.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://ronNgX.com	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0-	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://api.ipify.org%$	0%	Avira URL Cloud	safe
http://sAxmBjuRp77zUAl6sU9.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
server126.web-hosting.com	198.54.126.165	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	OMANTECH PRODUCTS.exe, 00000003.00000002.598121188.0000000006C04000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ronNgX.com	EupFNx.exe, 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:HTTP/1.1	OMANTECH PRODUCTS.exe, 00000003.00000002.591441667.0000000003301000.00000004.00000001.sdmp, EupFNx.exe, 00000009.00000002.446184699.00000000030F1000.00000004.00000001.sdmp, EupFNx.exe, 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	EupFNx.exe, 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0	OMANTECH PRODUCTS.exe, 00000003.00000002.598121188.0000000006C04000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sectigo.com0-	OMANTECH PRODUCTS.exe, 00000003.00000002.598121188.0000000006C04000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	OMANTECH PRODUCTS.exe, 00000003.00000002.591441667.0000000003301000.00000004.00000001.sdmp, EupFNx.exe, 00000009.00000002.446184699.00000000030F1000.00000004.00000001.sdmp, EupFNx.exe, 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%GETMozilla/5.0	EupFNx.exe, 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://server126.web-hosting.com	OMANTECH PRODUCTS.exe, 00000003.00000002.594511046.00000000036AB000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	OMANTECH PRODUCTS.exe, 00000001.00000002.328176976.0000000002AE1000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414659740.00000000034B1000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442743867.00000000029F1000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	OMANTECH PRODUCTS.exe, 00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp, OMANTECH PRODUCTS.exe, 00000003.00000002.582625158.0000000000402000.00000040.00000001.sdmp, EupFNx.exe, 00000007.00000002.415888638.00000000044B9000.00000004.00000001.sdmp, EupFNx.exe, 00000009.00000000.411469581.0000000000402000.00000040.00000001.sdmp, EupFNx.exe, 0000000B.00000002.443519142.00000000039F9000.00000004.00000001.sdmp, EupFNx.exe, 00000011.00000000.438386722.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	OMANTECH PRODUCTS.exe, 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, EupFNx.exe, 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, EupFNx.exe, 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp	false		high
https://api.ipify.org%$	OMANTECH PRODUCTS.exe, 00000003.00000002.591441667.0000000003301000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://sAxmBjuRp77zUAl6sU9.org	OMANTECH PRODUCTS.exe, 00000003.00000002.591441667.0000000003301000.00000004.00000001.sdmp, OMANTECH PRODUCTS.exe, 00000003.00000003.537622624.0000000001574000.00000004.00000001.sdmp, OMANTECH PRODUCTS.exe, 00000003.00000002.593596516.0000000003631000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.54.126.165	server126.web-hosting.com	United States		22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433265
Start date:	11.06.2021
Start time:	14:59:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	OMANTECH PRODUCTS.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@11/5@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.8% (good quality ratio 0.4%) Quality average: 38.1% Quality standard deviation: 43.9%
HCA Information:	Successful, ratio: 99% Number of executed functions: 142 Number of non-executed functions: 9
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 92.122.145.220, 13.88.21.125, 20.82.209.183, 8.241.82.126, 8.238.36.126, 8.238.30.254, 8.238.29.126, 8.238.27.126, 20.54.7.98, 20.54.26.129, 92.122.213.247, 92.122.213.194, 184.30.20.56, 20.50.102.62 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:00:03	API Interceptor	759x Sleep call for process: OMANTECH PRODUCTS.exe modified
15:00:32	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run EupFNx C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
15:00:41	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run EupFNx C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
15:00:43	API Interceptor	338x Sleep call for process: EupFNx.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
198.54.126.165	TWO NEW QUOTATION.exe	Get hash	malicious	Browse
	GOE2103001 SHPT.exe	Get hash	malicious	Browse
	VVw0lC8P5l.exe	Get hash	malicious	Browse
	14776260521.pdf.exe	Get hash	malicious	Browse
	PO_20211153 Dt-241.exe	Get hash	malicious	Browse
	INV-257591_77134027.pdf.exe	Get hash	malicious	Browse
	PO 100251 05202021.exe	Get hash	malicious	Browse
	7b1371c7_by_Libranalysis.exe	Get hash	malicious	Browse
	Purchase Order.exe	Get hash	malicious	Browse
	specifications.exe	Get hash	malicious	Browse
	cargo details.exe	Get hash	malicious	Browse
	Import shipment.exe	Get hash	malicious	Browse
	PROJECT SPECIFICATION.exe	Get hash	malicious	Browse
	customer request.exe	Get hash	malicious	Browse
	Import shipment.exe	Get hash	malicious	Browse
	PURCHASE ORDER.exe	Get hash	malicious	Browse
	MV BBG WUZHOU.exe	Get hash	malicious	Browse
	products & catalog.exe	Get hash	malicious	Browse
	Bunker Form 1.exe	Get hash	malicious	Browse
	new purchase order.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
server126.web-hosting.com	TWO NEW QUOTATION.exe	Get hash	malicious	Browse	198.54.126.165
	GOE2103001 SHPT.exe	Get hash	malicious	Browse	198.54.126.165
	VVw0lC8P5l.exe	Get hash	malicious	Browse	198.54.126.165
	14776260521.pdf.exe	Get hash	malicious	Browse	198.54.126.165
	PO_20211153 Dt-241.exe	Get hash	malicious	Browse	198.54.126.165
	INV-257591_77134027.pdf.exe	Get hash	malicious	Browse	198.54.126.165
	PO 100251 05202021.exe	Get hash	malicious	Browse	198.54.126.165
	7b1371c7_by_Libranalysis.exe	Get hash	malicious	Browse	198.54.126.165
	Purchase Order.exe	Get hash	malicious	Browse	198.54.126.165
	specifications.exe	Get hash	malicious	Browse	198.54.126.165
	cargo details.exe	Get hash	malicious	Browse	198.54.126.165
	Import shipment.exe	Get hash	malicious	Browse	198.54.126.165
	PROJECT SPECIFICATION.exe	Get hash	malicious	Browse	198.54.126.165
	customer request.exe	Get hash	malicious	Browse	198.54.126.165
	Import shipment.exe	Get hash	malicious	Browse	198.54.126.165
	PURCHASE ORDER.exe	Get hash	malicious	Browse	198.54.126.165
	MV BBG WUZHOU.exe	Get hash	malicious	Browse	198.54.126.165
	products & catalog.exe	Get hash	malicious	Browse	198.54.126.165
	Bunker Form 1.exe	Get hash	malicious	Browse	198.54.126.165
	new purchase order.exe	Get hash	malicious	Browse	198.54.126.165

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	main_setup_x86x64.exe	Get hash	malicious	Browse	198.54.116.159
	b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba.exe	Get hash	malicious	Browse	198.54.116.159
	w4X8dxtGi6.exe	Get hash	malicious	Browse	198.54.116.159
	c71fd2gJus.exe	Get hash	malicious	Browse	198.54.116.159
	BrBsL8sBvm.exe	Get hash	malicious	Browse	198.54.116.159
	bL6FwQU4K5.exe	Get hash	malicious	Browse	198.54.126.101
	E1a92ARmPw.exe	Get hash	malicious	Browse	198.54.116.159
	crt9O3URua.exe	Get hash	malicious	Browse	198.54.116.159
	E1a92ARmPw.exe	Get hash	malicious	Browse	198.54.116.159
	3JDjILxXaA.exe	Get hash	malicious	Browse	198.54.116.159
	SecuriteInfo.com.Heur.23766.xls	Get hash	malicious	Browse	68.65.122.53
	#Ud83d#Udce9-peter.nash.htm	Get hash	malicious	Browse	185.61.154.34
	lTAPQJikGw.exe	Get hash	malicious	Browse	198.54.117.216
	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Get hash	malicious	Browse	162.0.229.108
	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Get hash	malicious	Browse	68.65.122.148
	3arZKnr21W.exe	Get hash	malicious	Browse	198.54.116.180
	hdOkhI5TaNNo08q.exe	Get hash	malicious	Browse	198.54.122.60
	PO187439.exe	Get hash	malicious	Browse	198.54.117.217
	Nr_0052801.exe	Get hash	malicious	Browse	198.54.122.60
	Yl6482CO6U.exe	Get hash	malicious	Browse	198.54.126.101

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EupFNx.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OMANTECH PRODUCTS.exe.log Download File
Process:	C:\Users\user\Desktop\OMANTECH PRODUCTS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe Download File
Process:	C:\Users\user\Desktop\OMANTECH PRODUCTS.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	958464
Entropy (8bit):	7.51111975155998
Encrypted:	false
SSDEEP:	24576:0UlxWPIid63/m5+tSH0exuIwBB+NeBUdt:luPtf5600EuI4+wBU
MD5:	1603B2E2474AC57BA3EE0AE98357B50C
SHA1:	A50DBD334F5D9A67C51B399DFC9C8B44B5514E59
SHA-256:	1E718CC81B172505BAB7576339BB954E9911C79C95C67430355AFC493D075A2E
SHA-512:	40FE6DC78C4CBA912E7BDAB62B50D74B70B5247855A4B0C3282361F73717FFCACA986226B5EF02A8AA79F691E1FA379CAD0F7FB8518EF8D9807A2F35CE1D609C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 30%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..`................................. ... ....@.. ....................... ............@.....................................K....@..............................?................................................ ............... ..H............text........ ...................... ..`.sdata....... ......................@....rsrc........@......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\OMANTECH PRODUCTS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\a0rwr13c.dji\Chrome\Default\Cookies Download File
Process:	C:\Users\user\Desktop\OMANTECH PRODUCTS.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	modified
Size (bytes):	20480
Entropy (8bit):	0.6951152985249047
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
MD5:	EA7F9615D77815B5FFF7C15179C6C560
SHA1:	3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
SHA-256:	A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
SHA-512:	9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.51111975155998
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	OMANTECH PRODUCTS.exe
File size:	958464
MD5:	1603b2e2474ac57ba3ee0ae98357b50c
SHA1:	a50dbd334f5d9a67c51b399dfc9c8b44b5514e59
SHA256:	1e718cc81b172505bab7576339bb954e9911c79c95c67430355afc493d075a2e
SHA512:	40fe6dc78c4cba912e7bdab62b50d74b70b5247855a4b0c3282361f73717ffcaca986226b5ef02a8aa79f691e1fa379cad0f7fb8518ef8d9807a2f35ce1d609c
SSDEEP:	24576:0UlxWPIid63/m5+tSH0exuIwBB+NeBUdt:luPtf5600EuI4+wBU
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..`................................. ... ....@.. ....................... ............@................................

File Icon


Icon Hash:	8c8caa8e9692aa00

Static PE Info

General
Entrypoint:	0x4c12de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60C2A252 [Thu Jun 10 23:37:54 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc1290	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x2a388	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc123f	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbf2e4	0xbf400	False	0.896582669526	data	7.85494493931	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata	0xc2000	0x1e8	0x200	False	0.861328125	data	6.63158586032	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xc4000	0x2a388	0x2a400	False	0.12430658284	data	4.17143589292	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf0000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xc42b0	0x2326	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xc65d8	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xd6e00	0x94a8	data
RT_ICON	0xe02a8	0x5488	data
RT_ICON	0xe5730	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0xe9958	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0xebf00	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0xecfa8	0x988	data
RT_ICON	0xed930	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xedd98	0x84	data
RT_VERSION	0xede1c	0x380	data
RT_MANIFEST	0xee19c	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Paul Harris 2016
Assembly Version	251.2.0.0
InternalName	LongPathFile.exe
FileVersion	251.2.0.0
CompanyName	Paul Harris
LegalTrademarks
Comments	1992 Alpine A 610
ProductName	ReloadManager
ProductVersion	251.2.0.0
FileDescription	ReloadManager
OriginalFilename	LongPathFile.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 15:01:55.085263014 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:55.284054041 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:55.284209013 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:55.677628040 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:55.678328037 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:55.875596046 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:55.876219988 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:56.075303078 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:56.122215033 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:56.173435926 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:56.380187988 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:56.380245924 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:56.380259991 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:56.380265951 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:56.380455017 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:56.382270098 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:56.414949894 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:56.610953093 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:56.655080080 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:57.046657085 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:57.241547108 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:57.243524075 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:57.439302921 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:57.439980984 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:57.654495955 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:57.657738924 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:57.852819920 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:57.853586912 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:58.056112051 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:58.056803942 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:58.251444101 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:58.252877951 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:58.253081083 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:58.253676891 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:58.253767967 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:01:58.455741882 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:58.455816031 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:58.455847025 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:58.455859900 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:58.474677086 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:01:58.528070927 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:01.675162077 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:01.873853922 CEST	587	49743	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:01.875093937 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:02.101202965 CEST	49743	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:02.676961899 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:02.871874094 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:02.872131109 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:03.130382061 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:03.130775928 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:03.325664043 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:03.326008081 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:03.524975061 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:03.525688887 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:03.732376099 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:03.732419014 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:03.732439995 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:03.732456923 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:03.732531071 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:03.732600927 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:03.738821983 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:03.745078087 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:03.941951036 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:03.944365978 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:04.139537096 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:04.140377998 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:04.337997913 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:04.339658022 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:04.541134119 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:04.541941881 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:04.737189054 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:04.738184929 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:04.937275887 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:04.937793016 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:05.132406950 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:05.134596109 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:05.134886026 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:05.135159016 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:05.135360956 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:05.135727882 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:05.135929108 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:05.136111975 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:05.136291981 CEST	49744	587	192.168.2.6	198.54.126.165
Jun 11, 2021 15:02:05.329267979 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:05.329303026 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:05.329777002 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:05.329838991 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:05.330250978 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:05.330271006 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:05.330318928 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:05.330523968 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:05.330724001 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:05.334728956 CEST	587	49744	198.54.126.165	192.168.2.6
Jun 11, 2021 15:02:05.388283014 CEST	49744	587	192.168.2.6	198.54.126.165

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 14:59:55.022232056 CEST	55074	53	192.168.2.6	8.8.8.8
Jun 11, 2021 14:59:55.072288036 CEST	53	55074	8.8.8.8	192.168.2.6
Jun 11, 2021 14:59:56.311057091 CEST	54513	53	192.168.2.6	8.8.8.8
Jun 11, 2021 14:59:56.374510050 CEST	53	54513	8.8.8.8	192.168.2.6
Jun 11, 2021 14:59:56.942980051 CEST	62044	53	192.168.2.6	8.8.8.8
Jun 11, 2021 14:59:56.993257046 CEST	53	62044	8.8.8.8	192.168.2.6
Jun 11, 2021 14:59:58.213568926 CEST	63791	53	192.168.2.6	8.8.8.8
Jun 11, 2021 14:59:58.264308929 CEST	53	63791	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:00.521851063 CEST	64267	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:00.572022915 CEST	53	64267	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:01.877649069 CEST	49448	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:01.927808046 CEST	53	49448	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:02.923064947 CEST	60342	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:02.976911068 CEST	53	60342	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:04.145700932 CEST	61346	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:04.196264029 CEST	53	61346	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:05.436707973 CEST	51774	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:05.486831903 CEST	53	51774	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:07.448662996 CEST	56023	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:07.499183893 CEST	53	56023	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:08.357774973 CEST	58384	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:08.416743040 CEST	53	58384	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:09.304156065 CEST	60261	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:09.354496002 CEST	53	60261	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:10.118546009 CEST	56061	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:10.171478033 CEST	53	56061	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:10.952708006 CEST	58336	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:11.003302097 CEST	53	58336	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:12.104132891 CEST	53781	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:12.154211044 CEST	53	53781	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:13.261440039 CEST	54064	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:13.311768055 CEST	53	54064	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:14.403825998 CEST	52811	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:14.462569952 CEST	53	52811	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:16.544492006 CEST	55299	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:16.599930048 CEST	53	55299	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:30.421091080 CEST	63745	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:30.481276989 CEST	53	63745	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:49.434771061 CEST	50055	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:49.496536016 CEST	53	50055	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:53.416724920 CEST	61374	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:53.548850060 CEST	53	61374	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:55.055742979 CEST	50339	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:55.267226934 CEST	53	50339	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:57.606458902 CEST	63307	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:57.668220997 CEST	53	63307	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:58.145912886 CEST	49694	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:58.150746107 CEST	54982	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:58.208421946 CEST	53	49694	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:58.224467993 CEST	53	54982	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:58.904201031 CEST	50010	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:58.962956905 CEST	53	50010	8.8.8.8	192.168.2.6
Jun 11, 2021 15:00:59.887779951 CEST	63718	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:00:59.947890997 CEST	53	63718	8.8.8.8	192.168.2.6
Jun 11, 2021 15:01:00.485934973 CEST	62116	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:01:00.547477007 CEST	53	62116	8.8.8.8	192.168.2.6
Jun 11, 2021 15:01:01.491364956 CEST	63816	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:01:01.551795959 CEST	53	63816	8.8.8.8	192.168.2.6
Jun 11, 2021 15:01:02.633790016 CEST	55014	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:01:02.692554951 CEST	53	55014	8.8.8.8	192.168.2.6
Jun 11, 2021 15:01:03.289082050 CEST	62208	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:01:03.348937035 CEST	53	62208	8.8.8.8	192.168.2.6
Jun 11, 2021 15:01:07.483488083 CEST	57574	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:01:07.542634964 CEST	53	57574	8.8.8.8	192.168.2.6
Jun 11, 2021 15:01:37.503703117 CEST	51818	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:01:37.582582951 CEST	53	51818	8.8.8.8	192.168.2.6
Jun 11, 2021 15:01:38.755808115 CEST	56628	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:01:38.817310095 CEST	53	56628	8.8.8.8	192.168.2.6
Jun 11, 2021 15:01:40.263617039 CEST	60778	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:01:40.333080053 CEST	53	60778	8.8.8.8	192.168.2.6
Jun 11, 2021 15:01:54.840763092 CEST	53799	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:01:54.919526100 CEST	53	53799	8.8.8.8	192.168.2.6
Jun 11, 2021 15:02:02.612732887 CEST	54683	53	192.168.2.6	8.8.8.8
Jun 11, 2021 15:02:02.674289942 CEST	53	54683	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 11, 2021 15:01:54.840763092 CEST	192.168.2.6	8.8.8.8	0xae1	Standard query (0)	server126.web-hosting.com	A (IP address)	IN (0x0001)
Jun 11, 2021 15:02:02.612732887 CEST	192.168.2.6	8.8.8.8	0x520d	Standard query (0)	server126.web-hosting.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 11, 2021 15:01:54.919526100 CEST	8.8.8.8	192.168.2.6	0xae1	No error (0)	server126.web-hosting.com		198.54.126.165	A (IP address)	IN (0x0001)
Jun 11, 2021 15:02:02.674289942 CEST	8.8.8.8	192.168.2.6	0x520d	No error (0)	server126.web-hosting.com		198.54.126.165	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jun 11, 2021 15:01:55.677628040 CEST	587	49743	198.54.126.165	192.168.2.6	220-server126.web-hosting.com ESMTP Exim 4.94.2 #2 Fri, 11 Jun 2021 09:01:55 -0400 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jun 11, 2021 15:01:55.678328037 CEST	49743	587	192.168.2.6	198.54.126.165	EHLO 019635
Jun 11, 2021 15:01:55.875596046 CEST	587	49743	198.54.126.165	192.168.2.6	250-server126.web-hosting.com Hello 019635 [84.17.52.18] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jun 11, 2021 15:01:55.876219988 CEST	49743	587	192.168.2.6	198.54.126.165	STARTTLS
Jun 11, 2021 15:01:56.075303078 CEST	587	49743	198.54.126.165	192.168.2.6	220 TLS go ahead
Jun 11, 2021 15:02:03.130382061 CEST	587	49744	198.54.126.165	192.168.2.6	220-server126.web-hosting.com ESMTP Exim 4.94.2 #2 Fri, 11 Jun 2021 09:02:03 -0400 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jun 11, 2021 15:02:03.130775928 CEST	49744	587	192.168.2.6	198.54.126.165	EHLO 019635
Jun 11, 2021 15:02:03.325664043 CEST	587	49744	198.54.126.165	192.168.2.6	250-server126.web-hosting.com Hello 019635 [84.17.52.18] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jun 11, 2021 15:02:03.326008081 CEST	49744	587	192.168.2.6	198.54.126.165	STARTTLS
Jun 11, 2021 15:02:03.524975061 CEST	587	49744	198.54.126.165	192.168.2.6	220 TLS go ahead

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: OMANTECH PRODUCTS.exe PID: 6696 Parent PID: 5936

General

Start time:	15:00:01
Start date:	11/06/2021
Path:	C:\Users\user\Desktop\OMANTECH PRODUCTS.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\OMANTECH PRODUCTS.exe'
Imagebase:	0x6c0000
File size:	958464 bytes
MD5 hash:	1603B2E2474AC57BA3EE0AE98357B50C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.328789854.0000000003AE9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.328280994.0000000002B1F000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: OMANTECH PRODUCTS.exe PID: 6844 Parent PID: 6696

General

Start time:	15:00:04
Start date:	11/06/2021
Path:	C:\Users\user\Desktop\OMANTECH PRODUCTS.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\OMANTECH PRODUCTS.exe
Imagebase:	0xf50000
File size:	958464 bytes
MD5 hash:	1603B2E2474AC57BA3EE0AE98357B50C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.582625158.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.582625158.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.324134931.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.324134931.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.591441667.0000000003301000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: EupFNx.exe PID: 6336 Parent PID: 3440

General

Start time:	15:00:41
Start date:	11/06/2021
Path:	C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe'
Imagebase:	0xed0000
File size:	958464 bytes
MD5 hash:	1603B2E2474AC57BA3EE0AE98357B50C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000007.00000002.414812031.00000000034EF000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.415888638.00000000044B9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.415888638.00000000044B9000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 30%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: EupFNx.exe PID: 6488 Parent PID: 6336

General

Start time:	15:00:45
Start date:	11/06/2021
Path:	C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
Imagebase:	0xd60000
File size:	958464 bytes
MD5 hash:	1603B2E2474AC57BA3EE0AE98357B50C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.446184699.00000000030F1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.446184699.00000000030F1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.411469581.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.411469581.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.443402056.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.443402056.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: EupFNx.exe PID: 6568 Parent PID: 3440

General

Start time:	15:00:49
Start date:	11/06/2021
Path:	C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe'
Imagebase:	0x570000
File size:	958464 bytes
MD5 hash:	1603B2E2474AC57BA3EE0AE98357B50C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.443519142.00000000039F9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000B.00000002.443519142.00000000039F9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.442857843.0000000002A2F000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: EupFNx.exe PID: 5916 Parent PID: 6568

General

Start time:	15:00:55
Start date:	11/06/2021
Path:	C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
Imagebase:	0x3b0000
File size:	958464 bytes
MD5 hash:	1603B2E2474AC57BA3EE0AE98357B50C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: EupFNx.exe PID: 5808 Parent PID: 6568

General

Start time:	15:00:57
Start date:	11/06/2021
Path:	C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\EupFNx\EupFNx.exe
Imagebase:	0x440000
File size:	958464 bytes
MD5 hash:	1603B2E2474AC57BA3EE0AE98357B50C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000000.438386722.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000011.00000000.438386722.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.590870590.00000000027C1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.582257819.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000011.00000002.582257819.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: OMANTECH PRODUCTS.exe PID: 6696 Parent PID: 5936 OMANTECH PRODUCTS.exeCOMMON

Executed Functions

Function 04B21924, Relevance: .6, Instructions: 610COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.329467926.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f237f23646bc149e13d7f6bdfb730ea8ae824f1c0554c7eb4b1f49b82fe202d3
Instruction ID: 6fec410c80a0190fe1c8af0fa659674313e50b497a1ad2ce1ae5564098a9ce39
Opcode Fuzzy Hash: f237f23646bc149e13d7f6bdfb730ea8ae824f1c0554c7eb4b1f49b82fe202d3
Instruction Fuzzy Hash: F6326830B012298FDB19DB79C650BAEB7F6EF88708F1444A9E509DB3A1DB35E901CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0112B5AC, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327303665.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf11543aa9c882eab28439bd2b6bc8cb988810c1fcaec26aaa61c0e25a67296
Instruction ID: dd290785d60d519fcc5f7bdb896186b0e28e53b2e4f795ae43fc8664a214a2c1
Opcode Fuzzy Hash: 0cf11543aa9c882eab28439bd2b6bc8cb988810c1fcaec26aaa61c0e25a67296
Instruction Fuzzy Hash: F8919635E003198FCB04DBA4DC549DDBBBAFF89304F258619E515AF3A0EB70A959CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0112B5A0, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327303665.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8258fd9e62074abefac8b8cc6b7260d66c7f6256a51f3cd7a1d0779c86846c67
Instruction ID: 4dd49f9440b78f281e192d941a03d1d7f6243118968f77e6a1943c02d50d01be
Opcode Fuzzy Hash: 8258fd9e62074abefac8b8cc6b7260d66c7f6256a51f3cd7a1d0779c86846c67
Instruction Fuzzy Hash: B581A135E003198FCB05DFE4DC548DDBBBAFF89304F258619E515AB2A0EB30A959CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0112E470, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327303665.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 295e0972d1ccec26790762cb500a46ed7f37fa150a464132c6706e754847a64d
Instruction ID: 1b1ffbd096c8dc762ad399664c7a17cfc0c58dcfa91fb185fda3ebc343b71692
Opcode Fuzzy Hash: 295e0972d1ccec26790762cb500a46ed7f37fa150a464132c6706e754847a64d
Instruction Fuzzy Hash: 7A819F35E003198FCB04DFE4DC548DDBBBAFF89304F258619E515AB6A0EB70A95ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 04B22258, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.329467926.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e93ccc446327a776d27071b6cda3ac582fb6718342817958cdf9e01de67922e
Instruction ID: 3951f5e8e8a912bf0772cd449ba60fef27dc796a5bc0fd21feb512c028f98eb4
Opcode Fuzzy Hash: 5e93ccc446327a776d27071b6cda3ac582fb6718342817958cdf9e01de67922e
Instruction Fuzzy Hash: 93315A70D05228DFDF18CFA4E5487EDBAF4AF0A300F5448AAE409B7280D7756945DF69

Uniqueness

Uniqueness Score: -1.00%

Function 04B22249, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.329467926.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11768372203a1ce20676035263ced156f29cac9f6f84e72718377a76e9fe8ba3
Instruction ID: 50625e723c38ad8f4b5cb692686ac61b397a23a1d3d0228963997d926dadcf62
Opcode Fuzzy Hash: 11768372203a1ce20676035263ced156f29cac9f6f84e72718377a76e9fe8ba3
Instruction Fuzzy Hash: FA315674D05228CFCF088FA4E648BEDBBB0AF0A300F1448AAE409B7290D735A945DF65

Uniqueness

Uniqueness Score: -1.00%

Function 01127098, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 011270F8
GetCurrentThread.KERNEL32 ref: 01127135
GetCurrentProcess.KERNEL32 ref: 01127172
GetCurrentThreadId.KERNEL32 ref: 011271CB

Memory Dump Source

Source File: 00000001.00000002.327303665.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0fc06b363256b760fea2896f2dd21363888720492d8a717f903c2679a2673a43
Instruction ID: 3bacc8a7c83272e4206c64d7ea0070aea5ade41e86ad5af9fa7386103db71453
Opcode Fuzzy Hash: 0fc06b363256b760fea2896f2dd21363888720492d8a717f903c2679a2673a43
Instruction Fuzzy Hash: C45133B0E007498FDB18CFAAD9487DEBBF1EF89304F248459E019A7390D774A844CB66

Uniqueness

Uniqueness Score: -1.00%

Function 01127088, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 011270F8
GetCurrentThread.KERNEL32 ref: 01127135
GetCurrentProcess.KERNEL32 ref: 01127172
GetCurrentThreadId.KERNEL32 ref: 011271CB

Memory Dump Source

Source File: 00000001.00000002.327303665.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 884601058ef1b8e25208ca8a7092f5e47e6ed8c2a6aa1622c6f70b688e873e12
Instruction ID: ff1f4963cd78c3a9c21c6a14553077fa6d229e794d72b9fa462a4b8d99ffe3a2
Opcode Fuzzy Hash: 884601058ef1b8e25208ca8a7092f5e47e6ed8c2a6aa1622c6f70b688e873e12
Instruction Fuzzy Hash: 6B5133B4E007498FDB18CFA9D6497DEBBF1AF88304F24845AE419A73A0D7746844CF66

Uniqueness

Uniqueness Score: -1.00%

Function 0112C0B3, Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0112C306

Memory Dump Source

Source File: 00000001.00000002.327303665.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 55ab40836852d03a61ba06deab100bfdc7168658e0095f4ef59407497910d2dd
Instruction ID: 110eafc56d3c66bb6c8f38137fdcb89c13c520ed50cd5628a4e4923b85d807d4
Opcode Fuzzy Hash: 55ab40836852d03a61ba06deab100bfdc7168658e0095f4ef59407497910d2dd
Instruction Fuzzy Hash: E7713670A00B158FD728DF6AD44579ABBF1FF88204F10892ED58ADBA40DB34E955CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0112E16F, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0112E28A

Memory Dump Source

Source File: 00000001.00000002.327303665.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5878caa53dead5ddeffa92a3b64790d789381c85beec6df53b3f69aeab848a0c
Instruction ID: aac6f39089a6ade17af8e4c0e80296493f98d1d25b67ef73aecfab28675ae0da
Opcode Fuzzy Hash: 5878caa53dead5ddeffa92a3b64790d789381c85beec6df53b3f69aeab848a0c
Instruction Fuzzy Hash: 5351D0B1D01318DFDB14CF9AD880ADEBFB5BF48314F25812AE819AB210D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0112E178, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0112E28A

Memory Dump Source

Source File: 00000001.00000002.327303665.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ed539a7d3f41517eabdab01b35e31c80d80e2099035f6326d051a6b9f01a1588
Instruction ID: f3175470f43fc5cbafc0e6644fed601c4674ff309779237df800d8e2a66dd311
Opcode Fuzzy Hash: ed539a7d3f41517eabdab01b35e31c80d80e2099035f6326d051a6b9f01a1588
Instruction Fuzzy Hash: 3241BFB1D01319DFDB18CF9AC884ADEBBB5BF48314F24812AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 011272C0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01127347

Memory Dump Source

Source File: 00000001.00000002.327303665.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 78e7f627bc62f7be3101145290db12631f8e7e2af841d9952bbeb4d6c20007d8
Instruction ID: fc90d9fca5529cab89d630325e945ef8cb979b2c8d513f593055c43e47883941
Opcode Fuzzy Hash: 78e7f627bc62f7be3101145290db12631f8e7e2af841d9952bbeb4d6c20007d8
Instruction Fuzzy Hash: 5221D5B5D00219DFDB10CF9AD584ADEBBF8FB48324F14841AE914A7350D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011272B8, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01127347

Memory Dump Source

Source File: 00000001.00000002.327303665.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ea18fde8df2e3cd235813b0fd572b97d2f9f0fd44d775d384f2da1954276dd09
Instruction ID: 6c26131945884582e27ed451b51c906099524121c5b09e82b7f09f6bfaf80ca9
Opcode Fuzzy Hash: ea18fde8df2e3cd235813b0fd572b97d2f9f0fd44d775d384f2da1954276dd09
Instruction Fuzzy Hash: 3F21BEB5D00209DFDB00CFAAD985AEEBBF4EB48324F14841AE914B7350D378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0112B420, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0112C381,00000800,00000000,00000000), ref: 0112C592

Memory Dump Source

Source File: 00000001.00000002.327303665.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 54dcb1fd13b103d52089c2ad3d9ba57eefc21d617b213e9679806e1eaf84a83c
Instruction ID: 4be1d64e0338bdc38c1d25aabbcc51f2e1e58383dfe07ebf870d0b527c28a50a
Opcode Fuzzy Hash: 54dcb1fd13b103d52089c2ad3d9ba57eefc21d617b213e9679806e1eaf84a83c
Instruction Fuzzy Hash: EB1100B2D002099FDB14CF9AC444BDEBBF4EF98360F04842AE919A7600C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0112C520, Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0112C381,00000800,00000000,00000000), ref: 0112C592

Memory Dump Source

Source File: 00000001.00000002.327303665.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a02b5904e61d3af326935684411760387b16aa5f11949d089d8cf924f1a4bbb8
Instruction ID: b68b6ea8a7f9dfc3ccaad03dd6ea7a7854f21283bccc910c5c54f37fdf940949
Opcode Fuzzy Hash: a02b5904e61d3af326935684411760387b16aa5f11949d089d8cf924f1a4bbb8
Instruction Fuzzy Hash: 17111FB6D002098FDB14CFAAC584BDEBBF4AF88324F04842AD915B7610C379A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0112E3B8, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0112E41D

Memory Dump Source

Source File: 00000001.00000002.327303665.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: cad47c202bcd24d2f95a108707e89b9051e8fd379a711c3cc79910d6ad5ab3fa
Instruction ID: 8e2a5d09439d0c1d4c966d9c756ecf256e209e64fd6ec02bbda58db2c0450f4c
Opcode Fuzzy Hash: cad47c202bcd24d2f95a108707e89b9051e8fd379a711c3cc79910d6ad5ab3fa
Instruction Fuzzy Hash: A41145B5D012089FDB10CF9AD488BDEBBF8EF88324F10841AE919A7700C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B23900, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04B23960

Memory Dump Source

Source File: 00000001.00000002.329467926.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4fcc8278c6b4b1473c87d631b12155f8e368df304f2741f2c4f8b103c8be4d54
Instruction ID: fa4f87c09231273cb0ba467418d1d9821555f127352b3769ca726e420d4c1bd6
Opcode Fuzzy Hash: 4fcc8278c6b4b1473c87d631b12155f8e368df304f2741f2c4f8b103c8be4d54
Instruction Fuzzy Hash: 381125B5C00219CFDB10CF99C545BDEBBF4EB48320F14845AD959A7740D738A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0112C2A0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0112C306

Memory Dump Source

Source File: 00000001.00000002.327303665.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3c8800e5eeea152b87134c7ed673882e1fd62e637761d616b0e60c07518d4138
Instruction ID: 7553b45cd5c7c1786d7e902b51574d9a8afbff10904457d8311d35d1580ad463
Opcode Fuzzy Hash: 3c8800e5eeea152b87134c7ed673882e1fd62e637761d616b0e60c07518d4138
Instruction Fuzzy Hash: 1D1110B2C006098FDB14CF9AD444BDEFBF4AF88324F10841AD519B7600C378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B23908, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04B23960

Memory Dump Source

Source File: 00000001.00000002.329467926.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2c9338b477bf8c7e563c9d3c92cfcc41b4d27a470282a1ffd129e4c7b9b946e5
Instruction ID: 57c9016c0b37e0fd9d6f579b7b4cc175b2e023499b20eb1c26c6b405b65192aa
Opcode Fuzzy Hash: 2c9338b477bf8c7e563c9d3c92cfcc41b4d27a470282a1ffd129e4c7b9b946e5
Instruction Fuzzy Hash: 031133B1C00219CFDB10CFAAC444BDEBBF4EB48320F14842AD959A7740C738A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04B21D62, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04B21DC5

Memory Dump Source

Source File: 00000001.00000002.329467926.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e8a40c63a5a4daf6b56a64a32d2cce22c447474d344cedaad5105d8eb1fac3b7
Instruction ID: bad9e557d75c704801c74ed7362a3c65a53ec9f73136eafdeb5407e2029bd58f
Opcode Fuzzy Hash: e8a40c63a5a4daf6b56a64a32d2cce22c447474d344cedaad5105d8eb1fac3b7
Instruction Fuzzy Hash: 301103B5800249DFDB10CF9AC885BDEBFF8EB48324F10881AE818A7600C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0112E3C0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0112E41D

Memory Dump Source

Source File: 00000001.00000002.327303665.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 0a2150dc64f90e9d7b7897a00e499feeb8cbe6cd131e15d98be4a522cc961431
Instruction ID: 1f4a614c5094aa8f090f4bb084513be52a35c40bdd6e3488712d0566a13c5a6c
Opcode Fuzzy Hash: 0a2150dc64f90e9d7b7897a00e499feeb8cbe6cd131e15d98be4a522cc961431
Instruction Fuzzy Hash: 6511E2B59002599FDB10CF9AD585BDEBBF8EB88324F10851AE915A7700C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04B21D68, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04B21DC5

Memory Dump Source

Source File: 00000001.00000002.329467926.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f80d3d9d4a6cc819f84085ee8e76ad0d4e2e033ed51706c579db508f794d66f7
Instruction ID: 538c7fdfa5c2706a0c00c40c88193fe0174af1bd7f371928226b97db6c6db0e2
Opcode Fuzzy Hash: f80d3d9d4a6cc819f84085ee8e76ad0d4e2e033ed51706c579db508f794d66f7
Instruction Fuzzy Hash: AA11E2B5800349DFDB10CF9AD985BDFBBF8EB48364F10885AE518A7600C374A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0112CA2B, Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327303665.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419333f39229a61c62df4d15508c9be2483085ee7fce8b120f95babf9f786933
Instruction ID: 56ee1afea66708c6d375d87755a4ca42abb30bd4e497ae27e301648f38c44578
Opcode Fuzzy Hash: 419333f39229a61c62df4d15508c9be2483085ee7fce8b120f95babf9f786933
Instruction Fuzzy Hash: 1202C4F5C997468BE310CF65EDD81A93BA0B744328BDB4A08C2616FAD0D7B8156ECF44

Uniqueness

Uniqueness Score: -1.00%

Function 0112B1E0, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327303665.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fdc76e7b9036ea10c7176a81b87fcbb2904c40e426e470acd51664695119330
Instruction ID: 7c7992d5b83ba5e6c43b78fbb6dad36fb71eca7adf3b78e0b8ee7e3793959ae6
Opcode Fuzzy Hash: 5fdc76e7b9036ea10c7176a81b87fcbb2904c40e426e470acd51664695119330
Instruction Fuzzy Hash: BFA18332E0432ACFCF09DFA5C8445DDBBB2FF85304B15856AE905BB221EB71A925CB40

Uniqueness

Uniqueness Score: -1.00%

Function 04B20006, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.329467926.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62eadb9bc3c1eef848f87e51ac4bed2dc85b8d526ab8b939f2d1867d6d9c11b6
Instruction ID: 34c42d4e586c584495f2f005e17dd55fa570937d1ef6a223b566d18265b93e04
Opcode Fuzzy Hash: 62eadb9bc3c1eef848f87e51ac4bed2dc85b8d526ab8b939f2d1867d6d9c11b6
Instruction Fuzzy Hash: 7E615C71E046698FEB24CF66C9407DABBB2FFCA304F0485EAD509A7214E7356A85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0505A100, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331952291.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44acfde5ef417eacb6230b899f2d127159ac635e293af1f663c61a9d4923b9ca
Instruction ID: 44e7a82cbd01eef471ddec13e75eafdd722713fb9563d9d7eb11dd3a7fab66d0
Opcode Fuzzy Hash: 44acfde5ef417eacb6230b899f2d127159ac635e293af1f663c61a9d4923b9ca
Instruction Fuzzy Hash: F7514B70E05248CFDB49DFA9E89169E7BF2FF89304F04C429D118DB364EB7099468BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0505A0F3, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.331952291.0000000005050000.00000040.00000001.sdmp, Offset: 05050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ed2fcdcff816981ca276132eca98aaf8ce66ced29c1fcbbc8c9dee7c1e24c0
Instruction ID: a65b9863ee6f6362a9092c89c17de5c374340a281e6f8633ad1e0a245f9f70af
Opcode Fuzzy Hash: e9ed2fcdcff816981ca276132eca98aaf8ce66ced29c1fcbbc8c9dee7c1e24c0
Instruction Fuzzy Hash: 67515F70E052488FDB49DFB9E89169E7BF2FB89304F04C529D118DF364EB7099468BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B20040, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.329467926.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e1920e0409b87b12b98b0bcba9ca222fe3d8c7989de2db0bac8a7d38d3ba16
Instruction ID: 0edf592a8be2f5b181584cf36d5c064494d0ca5fc368ec8de4f118cc120e7a99
Opcode Fuzzy Hash: d6e1920e0409b87b12b98b0bcba9ca222fe3d8c7989de2db0bac8a7d38d3ba16
Instruction Fuzzy Hash: 55510971E04629CBDB24DF6AC9447EEB7B2ABC9300F10C5EAD50DA7214EB705A859F04

Uniqueness

Uniqueness Score: -1.00%

Function 006C3C35, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.324981466.00000000006C2000.00000002.00020000.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000001.00000002.324974241.00000000006C0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.325206659.0000000000784000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.325221308.0000000000788000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.325233954.0000000000798000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.325243452.00000000007A0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5574bb2b298829f7f1b6be71958b48631c54441685d07b9634de4b4e7a44b7
Instruction ID: 87f15afce9b5f869a3b30f2df42177d9134ba1f32f65acf784c32d0445f34134
Opcode Fuzzy Hash: 9e5574bb2b298829f7f1b6be71958b48631c54441685d07b9634de4b4e7a44b7
Instruction Fuzzy Hash: BE41E12100E7D19FDB139B789CB06E07FB1AE87214B0E49C7C4C08F4B3D6296959D762

Uniqueness

Uniqueness Score: -1.00%

Function 04B23578, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.329467926.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3699e0795cf5a46b1e1033a6d44bc3fcfe6e3401126438a18ee4f523f47c8cf
Instruction ID: e359494477246e61d270cd3e13fb13ff5a52c64dd90dac9508f4e9ee8c5bacdb
Opcode Fuzzy Hash: a3699e0795cf5a46b1e1033a6d44bc3fcfe6e3401126438a18ee4f523f47c8cf
Instruction Fuzzy Hash: 65314B70E0A228CBDB11CFB5D6487EEBAF9EF09304F1464A5D809B3350D738AA44DB15

Uniqueness

Uniqueness Score: -1.00%

Function 04B23568, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.329467926.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b242ba9df24b6b66d92751859176c33a488cfd8737a71c802a79570871c8e6e3
Instruction ID: 957a40e5adec012612429717a1760eeb2fd290ff9c0f9f8fe626d9c7966c29a4
Opcode Fuzzy Hash: b242ba9df24b6b66d92751859176c33a488cfd8737a71c802a79570871c8e6e3
Instruction Fuzzy Hash: F0312A70E0A229CBDB15CFB4D6587EDBBF5EB09304F1064A6D809B3351D738AA45DB14

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: OMANTECH PRODUCTS.exe PID: 6844 Parent PID: 6696 OMANTECH PRODUCTS.exeCOMMON

Executed Functions

Function 01730A76, Relevance: 7.0, APIs: 4, Instructions: 984libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01730C50
KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: c7c6e7ec878a08e63a15207bbac4151484190ebf9e88fd04c8f89909615f11f7
Instruction ID: 85233d8d982273470d4dd6bafd61c262d4a10ffd4dddd3dab06b051ec75f409d
Opcode Fuzzy Hash: c7c6e7ec878a08e63a15207bbac4151484190ebf9e88fd04c8f89909615f11f7
Instruction Fuzzy Hash: 5BA23874A00228CFCB64EF60D8586ADBBB6BF89305F6084E9D50AA7744DF349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730A97, Relevance: 6.6, APIs: 4, Instructions: 637libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01730C50
KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 214163d7e1e3ec53f7987bc3e3028e22be7976dda21bc1ac88a991d7f22ffdd0
Instruction ID: 947aa5a3c33c64ab32e762132b2dced31ff58f5cceccae4a2ca5a30c3ed3bb04
Opcode Fuzzy Hash: 214163d7e1e3ec53f7987bc3e3028e22be7976dda21bc1ac88a991d7f22ffdd0
Instruction Fuzzy Hash: 14622974A00268CFCB64EF60D85869CBBB6BF89205F6084EDE50AA7744DF349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730ADC, Relevance: 6.6, APIs: 4, Instructions: 630libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01730C50
KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 74b65cc5b74d8e18af5f9670439781c6e1035e9f4cc8090c8564efcf3d320228
Instruction ID: 758cd040bd586497b743ade0919f56e2fb6a593f72b0d861fac777f35bba591e
Opcode Fuzzy Hash: 74b65cc5b74d8e18af5f9670439781c6e1035e9f4cc8090c8564efcf3d320228
Instruction Fuzzy Hash: 2A522974A00268CFCB64EF60D85869CBBB6BF89205F6084EDE50AA7744DF349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730B21, Relevance: 6.6, APIs: 4, Instructions: 623libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01730C50
KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 2c51ad7eafe517988527ce2ba793ced1c1c00a5d74b58d65d03f44f99783e0bb
Instruction ID: f0f84929f230bbe5434eab4caf816c147262f11793ccb0486ddb2e6ffb87346e
Opcode Fuzzy Hash: 2c51ad7eafe517988527ce2ba793ced1c1c00a5d74b58d65d03f44f99783e0bb
Instruction Fuzzy Hash: D05239B4A00268CFCB64EF60D85869CBBB6BF89205F6084EDD50AA7744DF349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730B66, Relevance: 6.6, APIs: 4, Instructions: 616libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01730C50
KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: f290b8edd0a122f592fd06126c95f1c36a67c86ff88e5c5c5ac34c7a1e025fca
Instruction ID: e2a0175b06fd3464ae58411d7ddb99d4aecbb47c503efe394d591bc7f62c892f
Opcode Fuzzy Hash: f290b8edd0a122f592fd06126c95f1c36a67c86ff88e5c5c5ac34c7a1e025fca
Instruction Fuzzy Hash: C4522974A00268CFCB64EF60D85869CBBB6BF89205F6084EDD50AA7744DF349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730BAB, Relevance: 6.6, APIs: 4, Instructions: 609libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01730C50
KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 2f48f11a5d23b6645c69903ca5d042c891d39e72928d94b8e847abb59656f861
Instruction ID: ae89a965abd81ec96d1738572c9b652fe59d97312c31337804ddfa90c4e56280
Opcode Fuzzy Hash: 2f48f11a5d23b6645c69903ca5d042c891d39e72928d94b8e847abb59656f861
Instruction Fuzzy Hash: 27523974A00268CFCB64EF60D8586ACBBB6BF89205F6084EDD50AA7744DF349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730BF0, Relevance: 6.6, APIs: 4, Instructions: 602libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01730C50
KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 5c1e353b30e5336ce2ec094de62b5b944f6e861f328610fd11c912d505967380
Instruction ID: 3b4d1b35e2e9f718fafe0053ee4969e3e48ec1dfd221a9d3f6e4b96348b1529c
Opcode Fuzzy Hash: 5c1e353b30e5336ce2ec094de62b5b944f6e861f328610fd11c912d505967380
Instruction Fuzzy Hash: 6A523974A00268CFCB64EF60D85869CBBB6BF89205F6084EDD50AA7744DF349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730C35, Relevance: 6.6, APIs: 4, Instructions: 593libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01730C50
KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: e8336066dbebc5add7d9f3a45f7d24c432646bd0c32a9c8795df9e837f06ba71
Instruction ID: 5d6b3edcd81280d16ebfa3b7efcdce5b6f420514ec4d650713e2942db9fede1b
Opcode Fuzzy Hash: e8336066dbebc5add7d9f3a45f7d24c432646bd0c32a9c8795df9e837f06ba71
Instruction Fuzzy Hash: 0A5239B4A00268CFCB64EF60C85869CBBB6BF89205F6084EDD50AA7744DF349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01876940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 018769A0
GetCurrentThread.KERNEL32 ref: 018769DD
GetCurrentProcess.KERNEL32 ref: 01876A1A
GetCurrentThreadId.KERNEL32 ref: 01876A73

Memory Dump Source

Source File: 00000003.00000002.590822577.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d15037eb1e8b77373be6d70755c4d40606d50a58ccf2db32589a568a4bd9acdc
Instruction ID: c7b511956e1c2ad6ed080d99834e1a71ec736c13f206952b06575251c812b669
Opcode Fuzzy Hash: d15037eb1e8b77373be6d70755c4d40606d50a58ccf2db32589a568a4bd9acdc
Instruction Fuzzy Hash: B75167B0D006498FEB14CFAAD549BDEBBF0EF88314F20845AE509A7350DB74A984CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01730C71, Relevance: 5.1, APIs: 3, Instructions: 588libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: ae2bee5d82e7b6f51a9da2554428d887d834484acbb98d903a15337356f69399
Instruction ID: 5acdf7ae548e293a0467691c6fb117d337779bca75c613f1e4b867fb88df00b6
Opcode Fuzzy Hash: ae2bee5d82e7b6f51a9da2554428d887d834484acbb98d903a15337356f69399
Instruction Fuzzy Hash: 655239B4A00268CFCB64EF60C85869CBBB6BF89205F6084EDD50AA7744DF349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730CB6, Relevance: 5.1, APIs: 3, Instructions: 581libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: b3c462735e97c103ca8f4179840b266003c02e7f1dafb2155bbcfa40852b8808
Instruction ID: c13d0ac687b71e18631b9dd4182978420f913bf046a81cb101e855a06ac21617
Opcode Fuzzy Hash: b3c462735e97c103ca8f4179840b266003c02e7f1dafb2155bbcfa40852b8808
Instruction Fuzzy Hash: D04238B4A00268CFCB64EF60C85869DBBB6BF89205F6084EDD50AA7744DF349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730CFB, Relevance: 5.1, APIs: 3, Instructions: 574libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 5021bc2e3b40b83a9168834b0ac4f51e206642ca8c8c4183f31f262c33c06782
Instruction ID: 270dd72096e8c41a449c6d8f3fbffc637c6b02dfa05ffc99d2fbc3d612f9a2af
Opcode Fuzzy Hash: 5021bc2e3b40b83a9168834b0ac4f51e206642ca8c8c4183f31f262c33c06782
Instruction Fuzzy Hash: 924238B4A00268CFCB64EF60C85869DBBB6BF89205F6084EDD50AA7744DF349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730D40, Relevance: 5.1, APIs: 3, Instructions: 567libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 4fa06c74351bb03a48a896a8f7c399c756b79ef784bebd6235905c597d071d41
Instruction ID: bfca9068227c008b6742c5703865cc12103cb524f7d9bc8c061ee82d2ef1ccb2
Opcode Fuzzy Hash: 4fa06c74351bb03a48a896a8f7c399c756b79ef784bebd6235905c597d071d41
Instruction Fuzzy Hash: B14239B4A00268CFCB64EF60C85869DBBB6BF89205F6084EDD50AA7344DF349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730D85, Relevance: 5.1, APIs: 3, Instructions: 558libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: dd986e4276288bc8b59f7f8d02cdde2c4242ea3d35accfbeccb5c3252606df29
Instruction ID: 9e2682f75f51bf591251b35b15b820acb89177618ccaed811e19ff016832b686
Opcode Fuzzy Hash: dd986e4276288bc8b59f7f8d02cdde2c4242ea3d35accfbeccb5c3252606df29
Instruction Fuzzy Hash: 5A4239B4A00268CFCB64EF64C85869DBBB6BF89205F6084EDD50AA7744DF348E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730DC1, Relevance: 5.1, APIs: 3, Instructions: 551libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 30eb6f9f0e0b0556837e22fb55cbdb77a3e852ac64b35cb88e66b779dc5712de
Instruction ID: 907bb49e6124d0872a7fa65f962abf348e0c6432b0d182760ed952f0823a4e86
Opcode Fuzzy Hash: 30eb6f9f0e0b0556837e22fb55cbdb77a3e852ac64b35cb88e66b779dc5712de
Instruction Fuzzy Hash: AB4239B4A00268CFCB64EF64D85869DBBB6BF88205F6084EDD50AA7744DF348E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730DFD, Relevance: 5.0, APIs: 3, Instructions: 544libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 4c6ca285bea912fc91f5df41f3b8f1dbad9cc6020356085203ada998e42ee470
Instruction ID: b598f68ce6699f176f1cf4bc3bc982546365b87a24d8c6c61a05df6d118233d2
Opcode Fuzzy Hash: 4c6ca285bea912fc91f5df41f3b8f1dbad9cc6020356085203ada998e42ee470
Instruction Fuzzy Hash: F64239B4A00268CFCB64EF64D85869DBBB6BF88205F6084EDD50AA7744DF348E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730E39, Relevance: 5.0, APIs: 3, Instructions: 539libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 984f1fafe3d43bd853a3ee0db55c77ded352ee11ef9249220b486df3ae3f9f0c
Instruction ID: acb5472240e45bd6e0aed31c4af72931c8baeb0c61dbe5fbe43183caa266d25e
Opcode Fuzzy Hash: 984f1fafe3d43bd853a3ee0db55c77ded352ee11ef9249220b486df3ae3f9f0c
Instruction Fuzzy Hash: 704238B4A00268CFCB64EF64C85869DBBB6BF88205F6084EDD50AA7744DF348E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730E7E, Relevance: 5.0, APIs: 3, Instructions: 532libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 151d6838487feac315cc43451232310c87f77bbac9252eec0c46189a2e77c0cc
Instruction ID: 8779fb84255540796034b3697a1086708f65c7f9f2d2668831408b68b4dbb9f9
Opcode Fuzzy Hash: 151d6838487feac315cc43451232310c87f77bbac9252eec0c46189a2e77c0cc
Instruction Fuzzy Hash: C63239B4A00268CFCB64EF74D85869DBBB6BF88205F6084E9D50AA7344DF348E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730EC3, Relevance: 5.0, APIs: 3, Instructions: 523libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 0706cedf0b4da4f6157d8c51ece91660942a795365988ff667a739eba29daa83
Instruction ID: bb48be9cb8fe2ccad7bea2e27de54ba2c9534f2db7669ea170efbeb3cd942e0a
Opcode Fuzzy Hash: 0706cedf0b4da4f6157d8c51ece91660942a795365988ff667a739eba29daa83
Instruction Fuzzy Hash: C13229B4A00268CFCB64EF64D85869DBBB6BF88205F6084E9D50AA7744DF348E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730EFF, Relevance: 5.0, APIs: 3, Instructions: 518libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: b10df0e6522d7b502fffe95ac5091eced3f808e0161fbd760dae03a8cef2b1eb
Instruction ID: 91d10cfe55e41112290c07397204af027b688f0a8044b06d9cb6cd92016313e1
Opcode Fuzzy Hash: b10df0e6522d7b502fffe95ac5091eced3f808e0161fbd760dae03a8cef2b1eb
Instruction Fuzzy Hash: 8A3239B4A00268CFCB64EF74D85869DBBB6BF88205F6084E9D50AA7344DF348E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730F44, Relevance: 5.0, APIs: 3, Instructions: 511libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: f2f62c51c76200a8eab9c19be44da4c887bd8ffe7168090f8e9d38e7897bd759
Instruction ID: 6b996fe60a2c1cb8376d655246aeb576fbfbfa3f11a11259931249886159cf42
Opcode Fuzzy Hash: f2f62c51c76200a8eab9c19be44da4c887bd8ffe7168090f8e9d38e7897bd759
Instruction Fuzzy Hash: 4A3239B4A00268CFCB64EF74D85869DBBB6BF88205F6084E9D50AA7344DF348E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730F89, Relevance: 5.0, APIs: 3, Instructions: 504libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: cf26620d7efe2656d421828a4a7a3e70e78e8e952232e86e540c3b1e0134ee40
Instruction ID: f75312e763a30db44d47649708cb21e4911c87761881036d49a8316d8c3b60c4
Opcode Fuzzy Hash: cf26620d7efe2656d421828a4a7a3e70e78e8e952232e86e540c3b1e0134ee40
Instruction Fuzzy Hash: 64323AB4A00268CFCB64EF74D85869DBBB6BF88205F6084E9D50AA7344DF349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01730FCE, Relevance: 5.0, APIs: 3, Instructions: 495libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: dac3a88884440c068c9d6881cfee94dc2c6700801161608d093d31011f0289cb
Instruction ID: 9c99422a42fd8f8af4db7bc7bbd85272b512ef4e8907e29c309773847b04fe7b
Opcode Fuzzy Hash: dac3a88884440c068c9d6881cfee94dc2c6700801161608d093d31011f0289cb
Instruction Fuzzy Hash: 12322AB4A00268CFCB64EF74D85869DB7B6BF88205F6084E9D50AA7744DF348E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01731020, Relevance: 5.0, APIs: 3, Instructions: 486libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: f923417a5e948fee93fdc4cfb5a222e95dc0db770dd214d75c922cffb434ab3f
Instruction ID: fed39d0cef05f9a273f18b45b9f31f9c8276214b0c8b28c923b92efc7e763ccd
Opcode Fuzzy Hash: f923417a5e948fee93fdc4cfb5a222e95dc0db770dd214d75c922cffb434ab3f
Instruction Fuzzy Hash: 12222AB4A00268CFCB64EF74C85869DBBB6BF88205F6084E9D50AA7744DF349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01731065, Relevance: 5.0, APIs: 3, Instructions: 479libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731089
KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$InitializeThunk
String ID:
API String ID: 2638914809-0
Opcode ID: 80c7565b97c86c3652060d1c1f600337c6d0e08b08e35bd68eafccad1ae04fe7
Instruction ID: 4457ed486b5910f5b45d626def6fb720e55b7b854235503f35fed1f9779d6983
Opcode Fuzzy Hash: 80c7565b97c86c3652060d1c1f600337c6d0e08b08e35bd68eafccad1ae04fe7
Instruction Fuzzy Hash: EA222AB4A00268CFCB64EF74C85869DBBB6BF88205F6084E9D50AA7744DF349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 017310AA, Relevance: 3.5, APIs: 2, Instructions: 472libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 87da5c849d2669fc9c7a18fc7773f6e11134deb3d46fba871a4620b77f4472ff
Instruction ID: 0c09a40e13050e8674b5a552ace32703b3755e8cb7f112e531c9d0bda4cad8a0
Opcode Fuzzy Hash: 87da5c849d2669fc9c7a18fc7773f6e11134deb3d46fba871a4620b77f4472ff
Instruction Fuzzy Hash: 1B222AB4A00268CFCB64EF74C85869DBBB6BF88205F6084E9D50AA7744DF349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 017310EF, Relevance: 3.5, APIs: 2, Instructions: 465libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 0ef6c20afbceb4a61013ec2fb9e72c7d67986d0417ce7d8891f0abfee2782e3c
Instruction ID: 22c902e72d49fee3e7a4e6705c253a63ffd53fe6243e791819ba662338b27691
Opcode Fuzzy Hash: 0ef6c20afbceb4a61013ec2fb9e72c7d67986d0417ce7d8891f0abfee2782e3c
Instruction Fuzzy Hash: 37222AB4A00268CFCB64EF74C85869DBBB6BF89205F6084E9D50AA7744DF348E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01731134, Relevance: 3.5, APIs: 2, Instructions: 456libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: b4af9361d00bcd32698c149ff539d8733c89b9bbb5b82d1135efd4944f6cbf80
Instruction ID: 8615c86dbeb4c32d713180e7dac9a563b804c6ede07db606319987c754c75ab1
Opcode Fuzzy Hash: b4af9361d00bcd32698c149ff539d8733c89b9bbb5b82d1135efd4944f6cbf80
Instruction Fuzzy Hash: 84222AB4A00228CFCB64EF74C85869DBBB6BF89205F6084E9D50AA7744DF348E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01731170, Relevance: 3.5, APIs: 2, Instructions: 451libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 24fc8146f51da0b23f829591d5feb5b3521990b56b684abfced830054b84b2d6
Instruction ID: 1c5c87630e9f4ff775a6385c1305456dbf7dfbe19720328b9bc7d7bc1b9c7006
Opcode Fuzzy Hash: 24fc8146f51da0b23f829591d5feb5b3521990b56b684abfced830054b84b2d6
Instruction Fuzzy Hash: 6D1229B4A00228CFCB64EF74C85869DBBB6BF89205F6084E9D50AA7344DF348E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 017311B5, Relevance: 3.4, APIs: 2, Instructions: 444libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: e189920f53b64433f9d10fd4b57e8d02816220084809bcf45215268726823dbb
Instruction ID: 6a77d0452dd8e9889f925472fbfc8808519ff864f06fc0f04ea5069dce2e0876
Opcode Fuzzy Hash: e189920f53b64433f9d10fd4b57e8d02816220084809bcf45215268726823dbb
Instruction Fuzzy Hash: 3F1229B4A00228CFCB64EF74C85869DBBB6BF89205F6084E9D50AA7344DF348E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 017311FA, Relevance: 3.4, APIs: 2, Instructions: 437libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 383488bf64f6ae40db19296bae62fd00e1149d6f56c669abe67e461d2541f583
Instruction ID: d5746211536abcd1f3ef1ffb140006657f856168ebd76a9a8404705ccd3a7b7a
Opcode Fuzzy Hash: 383488bf64f6ae40db19296bae62fd00e1149d6f56c669abe67e461d2541f583
Instruction Fuzzy Hash: FC1219B5A00228CFCB64EF74C85869DBBB6BF88205F6084E9D50AA7344DF349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0173123F, Relevance: 3.4, APIs: 2, Instructions: 430libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 01731266
LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 43432581fc4f63fd277baa536acdc06c34bad451c2701aab15fc7914fa268dbe
Instruction ID: 36c2805a570d32c668e9f3215425198c9b0fb101e0338114da6906ee7fc8c01f
Opcode Fuzzy Hash: 43432581fc4f63fd277baa536acdc06c34bad451c2701aab15fc7914fa268dbe
Instruction Fuzzy Hash: D51218B5A002288FCB64EF74C85879DBBB6BF88205F6084E9D50AA7344DF348E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0173129D, Relevance: 1.9, APIs: 1, Instructions: 419libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3241cc923b2bef3b1c06e81f7c08c979b661e80b5941c38315039e7505f13cc7
Instruction ID: b3b1288403c736da37bb31be6fc190216eac1fc3f26de3cab5b932484f9a6bee
Opcode Fuzzy Hash: 3241cc923b2bef3b1c06e81f7c08c979b661e80b5941c38315039e7505f13cc7
Instruction Fuzzy Hash: 641217B5A00228CFCB64EB74C85879DBBB6BF88205F6084E9D50AA7744DF348E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 017312E5, Relevance: 1.9, APIs: 1, Instructions: 412libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5ab22b4510e009392edc0b4bf7ae89326484bb295be63c31b423dee323174e
Instruction ID: 66b1feff74580b36308ebe6ed4463ffee831a9ce9d48bc9c994f18513d6a0cbc
Opcode Fuzzy Hash: 3c5ab22b4510e009392edc0b4bf7ae89326484bb295be63c31b423dee323174e
Instruction Fuzzy Hash: 250219B5A00228CFCB64EB74C85879DBBB6BF88205F6084E9D50AA7344DF349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01731344, Relevance: 1.9, APIs: 1, Instructions: 401libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ad4116991cc14200e9cbea15220b5a06c99f71189281176ed24804e9b096c3d
Instruction ID: 26e8bbd65ece2ae77ab0569cded75fc5c2a5ea3091528a4183ce2d87dc85c469
Opcode Fuzzy Hash: 3ad4116991cc14200e9cbea15220b5a06c99f71189281176ed24804e9b096c3d
Instruction Fuzzy Hash: 670219B5A00228CFCB64EB74C85879DBBB6BF88205F6084E9D50AA7344DF349E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01731375, Relevance: 1.9, APIs: 1, Instructions: 398libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d994d6ce675e1c2fc9a44efa35aebecaf0c0eb8042933afbf8b9b2c94149bebd
Instruction ID: 8fa9983f0848d2f2e588408316dda75a643018a7e4b642a19cceaa2d3bbe83b0
Opcode Fuzzy Hash: d994d6ce675e1c2fc9a44efa35aebecaf0c0eb8042933afbf8b9b2c94149bebd
Instruction Fuzzy Hash: 960229B5A002288FCB64EF74C85879DBBB6BF88205F6084E9D50AA7344DF348E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 017313BD, Relevance: 1.9, APIs: 1, Instructions: 391libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7a39b21c4ebd2c02b4ac95f14208f18046f1506cb67e405e036f7ae70ac50991
Instruction ID: ad3eee04d829e1f3fcae64b7170952fee10ee85181470cf13a118e9e36471688
Opcode Fuzzy Hash: 7a39b21c4ebd2c02b4ac95f14208f18046f1506cb67e405e036f7ae70ac50991
Instruction Fuzzy Hash: C90228B5A012288FCB64EF74C85879DBBB6BF88205F6084E9D50AA7344DF348E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01731405, Relevance: 1.9, APIs: 1, Instructions: 384libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b0d822084ea6d40a2c9671cf2175eb1d35157f67741befc88ec5f1746f1eab5f
Instruction ID: e47f38d9210d317fab872b900eef78f6a5510bbc1d13af66b2329d7db6a9a820
Opcode Fuzzy Hash: b0d822084ea6d40a2c9671cf2175eb1d35157f67741befc88ec5f1746f1eab5f
Instruction Fuzzy Hash: EBF129B5A012288FCB64EF74C85879DBBB6BF88205F6084E9D50AA7344DF348E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0173144D, Relevance: 1.9, APIs: 1, Instructions: 377libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f04d41a176598d9ce74b0f152f05683913b9e5abdd02b11d2f33e8c42126377f
Instruction ID: 92605406a8340f20f0530996995ac55658012421bc561f2970e9f7d67be0da30
Opcode Fuzzy Hash: f04d41a176598d9ce74b0f152f05683913b9e5abdd02b11d2f33e8c42126377f
Instruction Fuzzy Hash: CDF129B5A012288FCB64EF74C85879DBBB6BF88205F6084E9D50AA7344DF348E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01731495, Relevance: 1.9, APIs: 1, Instructions: 370libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e0700d1895ec24225434a6bd52ed7a576b76b25745db5e1ea12a1324335e53b3
Instruction ID: a55c94b378fb8ccdb5913128c4d32ea92dcea602a70f935a64799d54539eef34
Opcode Fuzzy Hash: e0700d1895ec24225434a6bd52ed7a576b76b25745db5e1ea12a1324335e53b3
Instruction Fuzzy Hash: 1DF128B5A002288FCB64EF74C85879DBBB6BF88205F6084E9D50AA7344DF348E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 017314DD, Relevance: 1.9, APIs: 1, Instructions: 363libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0173162F

Memory Dump Source

Source File: 00000003.00000002.590120318.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9bfa936f4abfad8992a2f7ea73dea9aa91a7314c3b118b8634d56b2de271a1e1
Instruction ID: 664fbf782fa8db441d5ad3c83003294f924f14a0fca3f5f6f6b4664d2dbe72d8
Opcode Fuzzy Hash: 9bfa936f4abfad8992a2f7ea73dea9aa91a7314c3b118b8634d56b2de271a1e1
Instruction Fuzzy Hash: 83F127B5A002288FCB64EF74C85879DBBBABF88205F5084E9D50AA7344DF348E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 01773152, Relevance: 1.7, APIs: 1, Instructions: 164libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01773207

Memory Dump Source

Source File: 00000003.00000002.590202732.0000000001770000.00000040.00000001.sdmp, Offset: 01770000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 13185bc2204aa015312be55be5013265c7980173081588102895f7609547e089
Instruction ID: b4b8b751e4d5f35c574a6f01d467ab3ee343e6170f9fcfdbf2688815199de976
Opcode Fuzzy Hash: 13185bc2204aa015312be55be5013265c7980173081588102895f7609547e089
Instruction Fuzzy Hash: EF51C231B042069FCB14EBB8C854AAEB7B6BF84304F14896ED515DB791EF30DD058B91

Uniqueness

Uniqueness Score: -1.00%

Function 017731A8, Relevance: 1.6, APIs: 1, Instructions: 148libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01773207

Memory Dump Source

Source File: 00000003.00000002.590202732.0000000001770000.00000040.00000001.sdmp, Offset: 01770000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 16adb27a5c9a6870d0b0c972a389651dddbe516fc59908fbefd676a03c6dfba9
Instruction ID: 0258ae58d275d21896d383cb873d3799ad517ed1f4a701c7e22d9b80f036cd7f
Opcode Fuzzy Hash: 16adb27a5c9a6870d0b0c972a389651dddbe516fc59908fbefd676a03c6dfba9
Instruction Fuzzy Hash: B8516031B002059FCB14EBB4C894AAEB7BABF88304F14896DD516DB395DF70DD048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 01875084, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 018751A2

Memory Dump Source

Source File: 00000003.00000002.590822577.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 809738988e5f7be8663568173cf522e1600a30cc1c40327d926df8ae396b238c
Instruction ID: 34722da05f61b20f05c58d8c626b6a00e3ed389e75cfd0afc30c43c2151e2373
Opcode Fuzzy Hash: 809738988e5f7be8663568173cf522e1600a30cc1c40327d926df8ae396b238c
Instruction Fuzzy Hash: 1E51CFB1D10309DFDF15CF99D884ADEBBB5BF48314F24812AE819AB210D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01875090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 018751A2

Memory Dump Source

Source File: 00000003.00000002.590822577.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 77d0c275d7898ba4ce5351e2429cc6822e5242b268d5f514e112b667951e499d
Instruction ID: ea577bf120f52a424ced7ac0710f221ef14a2d773471e99daee4d11d08760174
Opcode Fuzzy Hash: 77d0c275d7898ba4ce5351e2429cc6822e5242b268d5f514e112b667951e499d
Instruction Fuzzy Hash: B641BFB1D10309DFDB14CF9AD884ADEBBB5BF48314F64812AE819AB210D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0187779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 01877F09

Memory Dump Source

Source File: 00000003.00000002.590822577.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 42a1d39e857227a91291d6188f5766f11fcfd51d3b03d58e31f75bcbefca5492
Instruction ID: a642f920d83a50b51a18e132d1b70933c7f1428d7dcbbf6f315a0e6a974a6fe4
Opcode Fuzzy Hash: 42a1d39e857227a91291d6188f5766f11fcfd51d3b03d58e31f75bcbefca5492
Instruction Fuzzy Hash: 69414BB5A00205CFDB14CF99C489AAABBF5FF88314F158859E519AB321C774E941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01876B63, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01876BEF

Memory Dump Source

Source File: 00000003.00000002.590822577.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 00cba7f35a6d5eceab7cdcb029d54b97997a5bf05eac0d34bc8fc8a9b973114a
Instruction ID: a1b46595a207e6912da8c7b0bd63a08899791fec95a874e04ea1b9c8657a9615
Opcode Fuzzy Hash: 00cba7f35a6d5eceab7cdcb029d54b97997a5bf05eac0d34bc8fc8a9b973114a
Instruction Fuzzy Hash: B721C2B5D00249EFDB10CFAAD985ADEBBF8FB48324F14841AE914A7310D774A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01876B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01876BEF

Memory Dump Source

Source File: 00000003.00000002.590822577.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b7a5440fb50822eadf62b8b70c5f3ff0373764c010e855a3c8661632fabc6150
Instruction ID: b6ebf7e3b3f4f78c8a8ca672d7b5c8f39925fcefb44d214cde8e5a4ec52ce6ba
Opcode Fuzzy Hash: b7a5440fb50822eadf62b8b70c5f3ff0373764c010e855a3c8661632fabc6150
Instruction Fuzzy Hash: 2721D3B5D00249EFDB10CFAAD984ADEBBF8FB48324F14841AE914A7310D774A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0187C128, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0187C1A2

Memory Dump Source

Source File: 00000003.00000002.590822577.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 0c411b5306e43ff4f99b1c5f1a5a363658cba613a5cc1d1b3c061e997e3ada74
Instruction ID: 21151e6d50e0698344f8cfcd1e030b729bfcc8bca8d747369b7443f15479659c
Opcode Fuzzy Hash: 0c411b5306e43ff4f99b1c5f1a5a363658cba613a5cc1d1b3c061e997e3ada74
Instruction Fuzzy Hash: EE1159719007068FDB10DFAAD90979EBBF4EB45324F14842AD805E7641DB38AA05CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0187C121, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0187C1A2

Memory Dump Source

Source File: 00000003.00000002.590822577.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: f5b29107167692d82f1bcc5fcc5b8dc619f51b7933abcf7582a7f9b373731818
Instruction ID: d0858c032adab161bc090f3d4eeaf96edbfe8a94303dd92a75f57b3bf0c1b9ba
Opcode Fuzzy Hash: f5b29107167692d82f1bcc5fcc5b8dc619f51b7933abcf7582a7f9b373731818
Instruction Fuzzy Hash: 8E1159B59047468FDB10DFA9D90A39EBBF4FB09315F14842AD815F7601C738AA05CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01873300, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 01874116

Memory Dump Source

Source File: 00000003.00000002.590822577.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d30ceabdfabfcd2173f38ff8781890fec8cd0f9153fba81d7cf53b658ddbf92c
Instruction ID: a485c9af36f2c65706bedbdcb5f348d06fa750c3c895b13dbda7ecd64fa8dcaa
Opcode Fuzzy Hash: d30ceabdfabfcd2173f38ff8781890fec8cd0f9153fba81d7cf53b658ddbf92c
Instruction Fuzzy Hash: DC11F0B5D006498BDB10DF9AD448BDEBBF4EB88324F11842AD929B7600D374A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 018740AB, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 01874116

Memory Dump Source

Source File: 00000003.00000002.590822577.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 202bd5f1b53442188b7eeedae2bbd13e4ad6e110a09f77de4deb2f45b836f464
Instruction ID: 0365dd1dfa2323da14d5bfc9b23886b7f31a1c8a41614a121c9c142673205d03
Opcode Fuzzy Hash: 202bd5f1b53442188b7eeedae2bbd13e4ad6e110a09f77de4deb2f45b836f464
Instruction Fuzzy Hash: 6D1102B6D006498FDB10CF9AD449BDEFBF4EB88324F15842AD529B7600D374A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0180D53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590468186.000000000180D000.00000040.00000001.sdmp, Offset: 0180D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34e97ce4bb1c4c08dade84db192390f7c1319f3a5c9dbde6fa0b68a3384bca2
Instruction ID: 350f3177610458b0f0c1c4e1ff68a280a0c7ede931d4f386e90d51b1b7bf9894
Opcode Fuzzy Hash: c34e97ce4bb1c4c08dade84db192390f7c1319f3a5c9dbde6fa0b68a3384bca2
Instruction Fuzzy Hash: F92106B1504248DFDB46DFD4DCC0B16BF65FB84328F248669EC058B286C336D956CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0180D450, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590468186.000000000180D000.00000040.00000001.sdmp, Offset: 0180D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1327f7962e68e32da22fd69181a34fd609ab54a89a09cf5a5be2105d9725770c
Instruction ID: f75be84012d0df580e94eadbaf60602cb293cc091bb563b1f100c9ad3669631f
Opcode Fuzzy Hash: 1327f7962e68e32da22fd69181a34fd609ab54a89a09cf5a5be2105d9725770c
Instruction Fuzzy Hash: 23214871504208DFDB02DF94DCC0B67BF65FB88328F208669E8058B286C336E945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0181D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590517285.000000000181D000.00000040.00000001.sdmp, Offset: 0181D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af15c70925c5caaba81615bf5cfea9ac3f0a927df66165420e83c78d4470b82
Instruction ID: 698139d6c71983ef22e7d6311ecf67541d42041a793be5cceac47b0063b07f29
Opcode Fuzzy Hash: 6af15c70925c5caaba81615bf5cfea9ac3f0a927df66165420e83c78d4470b82
Instruction Fuzzy Hash: 9D213776504304DFDB15CF58D8C8B16BB69FB84358F20CA6DD8098B34AC33AD947CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0180D537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590468186.000000000180D000.00000040.00000001.sdmp, Offset: 0180D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction ID: f17b59f9f91e0e6fd85028d7975b07395eabce7c6bde7c5f07f138d87f319982
Opcode Fuzzy Hash: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction Fuzzy Hash: EE11B176404284CFCB16CF94D9C4B16BF72FB84324F2886A9E8098B656C336D55ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0180D44B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590468186.000000000180D000.00000040.00000001.sdmp, Offset: 0180D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction ID: b4b838ca231814933fefa359a828255a72e56a1db861ba6128adc5d910cd0ddb
Opcode Fuzzy Hash: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction Fuzzy Hash: 4611BE76404284CFDB12CF94D9C4B56BF71FB84324F2886AAEC054B657C33AD55ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0181D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.590517285.000000000181D000.00000040.00000001.sdmp, Offset: 0181D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10598f41ecae80e3ed7eaa2e4d93e548ce5d2277042f09e11ef5a73a669a8393
Instruction ID: 8d5530c064dcd9693666374d41bd0a196407811fb7bffe02cacb9d6514145558
Opcode Fuzzy Hash: 10598f41ecae80e3ed7eaa2e4d93e548ce5d2277042f09e11ef5a73a669a8393
Instruction Fuzzy Hash: 5D11BE76504280CFCB12CF58D5C8B16BB61FB44314F24C6AAD8098B75AC33AD54ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: EupFNx.exe PID: 6336 Parent PID: 3440 EupFNx.exeCOMMON

Executed Functions

Function 0343C0B2, Relevance: 1.7, APIs: 1, Instructions: 201COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0343C306

Memory Dump Source

Source File: 00000007.00000002.413921475.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 113cbe543c79335ebcae1d11909ad9823a40d5f21af0866bd5c0a2a9b20a3030
Instruction ID: 318bc822df3573272c0f1ba253cdce83819fc3f76516888768c9e55db74ad7b3
Opcode Fuzzy Hash: 113cbe543c79335ebcae1d11909ad9823a40d5f21af0866bd5c0a2a9b20a3030
Instruction Fuzzy Hash: 6C712570A00B058FDB24DF6AC48579AB7F5FF89204F04892ED48AEBB50DB74E8058F95

Uniqueness

Uniqueness Score: -1.00%

Function 0343B55C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0343E28A

Memory Dump Source

Source File: 00000007.00000002.413921475.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 54809a5ab339fc49009583a3a61996d8a7c87701208b489973a386a0009eaef7
Instruction ID: 7ed05a178e73532c81a77bcbc83ac853f0d484808de5dfeaa3aedb9a42a154da
Opcode Fuzzy Hash: 54809a5ab339fc49009583a3a61996d8a7c87701208b489973a386a0009eaef7
Instruction Fuzzy Hash: 7651BEB1D013099FDB14CF99C884ADEFBB5BF49310F24822AE919AB250D7749886CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0343E16E, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0343E28A

Memory Dump Source

Source File: 00000007.00000002.413921475.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fe1502756979a6e8c35eef471baf90966ef43574afd5e7495e3dae1a61e1eac8
Instruction ID: 134349ddb52cfbd34c9f3922ed1296807cf302bb6eafd9048c2d65d6d7126e86
Opcode Fuzzy Hash: fe1502756979a6e8c35eef471baf90966ef43574afd5e7495e3dae1a61e1eac8
Instruction Fuzzy Hash: 2651C0B1D01309DFDB14CF99C885ADEFBB1BF88314F24812AE819AB250D7749986CF94

Uniqueness

Uniqueness Score: -1.00%

Function 03437249, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03437347

Memory Dump Source

Source File: 00000007.00000002.413921475.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eb649968d41b91020e5dfd0c768a98afadb05ee029fc0aa9ae1f47e1414e142b
Instruction ID: 625bf6f5ad2413b76a30b0f8625f569d005a20341d488752e1b797d898f0d661
Opcode Fuzzy Hash: eb649968d41b91020e5dfd0c768a98afadb05ee029fc0aa9ae1f47e1414e142b
Instruction Fuzzy Hash: D84159B6900219AFCF01CF99D844ADEBFF5FB49320F18802AE954AB360D7349955DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 059B0CD0, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 059B0D91

Memory Dump Source

Source File: 00000007.00000002.417180073.00000000059B0000.00000040.00000001.sdmp, Offset: 059B0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e8f2924e92869b8e4c16e2c30e6188639b22ea3271d26adb76ccf9f742a58bb8
Instruction ID: 414b224317c650d1c1a3d464ddc78774460e57745779580892493efc6abd86c6
Opcode Fuzzy Hash: e8f2924e92869b8e4c16e2c30e6188639b22ea3271d26adb76ccf9f742a58bb8
Instruction Fuzzy Hash: 944116B8A003058FEB14CF99C488BABBBF5FF88314F15855AD519AB361D774A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 034372B8, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03437347

Memory Dump Source

Source File: 00000007.00000002.413921475.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c79eb225f4caf8bf55790705e4bbd408843b6dd5462e0dd2bbf13092959c3584
Instruction ID: 92f441fb48b1b324e0ec810d6cf68d60db2ecd6b630bbc72ca0b82714b5aeba7
Opcode Fuzzy Hash: c79eb225f4caf8bf55790705e4bbd408843b6dd5462e0dd2bbf13092959c3584
Instruction Fuzzy Hash: 6C2103B5D002089FDB00CFA9D585ADEFBF4EB48320F14841AE914A7310D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 034372C0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 03437347

Memory Dump Source

Source File: 00000007.00000002.413921475.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 035b896623ddafb4b21e832e3ecd7287194ee0fb700ec3eabdd8846bb9f10d0b
Instruction ID: 8a58527133489590d79d7060fab4d8b9d811dd2026f0203eaff8e485531ce9a1
Opcode Fuzzy Hash: 035b896623ddafb4b21e832e3ecd7287194ee0fb700ec3eabdd8846bb9f10d0b
Instruction Fuzzy Hash: 1F21E2B5D002099FDB10CFAAD884ADEBBF8EB48320F14841AE954A7350D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0343B420, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0343C381,00000800,00000000,00000000), ref: 0343C592

Memory Dump Source

Source File: 00000007.00000002.413921475.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2e16201dc934f0e584c91302b692b0296621d8fe70a492c6a9e0ff206f09df0e
Instruction ID: c3271b2291f0fa665da1d289d30d5f6c4161ded4c79ecd0b130520138dfd0441
Opcode Fuzzy Hash: 2e16201dc934f0e584c91302b692b0296621d8fe70a492c6a9e0ff206f09df0e
Instruction Fuzzy Hash: 0011FFB6D002098FDB10CF9AC484ADEFBF4AF99320F04842AE915AB600C774A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0343C520, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0343C381,00000800,00000000,00000000), ref: 0343C592

Memory Dump Source

Source File: 00000007.00000002.413921475.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c50a8c9d579838c800172a15829a8f9cdb133012b79102689f7223b7cece3dd4
Instruction ID: 76f54cf28f2bd03dd77330b5cfae15380aaff46e5026e971b5cd3a2f586abc1f
Opcode Fuzzy Hash: c50a8c9d579838c800172a15829a8f9cdb133012b79102689f7223b7cece3dd4
Instruction Fuzzy Hash: 7D1112B6D002098FDB10CF9AC488ADEFBF4AF89320F14842AD915BB700C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0343E3B8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0343E41D

Memory Dump Source

Source File: 00000007.00000002.413921475.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 5be0edda47f9b18ddd5b1b2a1351f1077ee9f90443901907a0c64c824ea2d12f
Instruction ID: 4311012384a285f3dc964324c9ece4a0cab252d8b416397520dfc0e4f790d2c7
Opcode Fuzzy Hash: 5be0edda47f9b18ddd5b1b2a1351f1077ee9f90443901907a0c64c824ea2d12f
Instruction Fuzzy Hash: 9C1122B18002099FDB10CF89C489BDFBBF8EB48320F14841AE914A7740C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0343C2A0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0343C306

Memory Dump Source

Source File: 00000007.00000002.413921475.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 731766ae6d5f6f5285d09413871d1692803d5a286d64f3a8e7a8688e6d04aa48
Instruction ID: 29a13350f4af1f4e6d3196d45a1380bb9bae95df4340c9a00788bd5fdd684738
Opcode Fuzzy Hash: 731766ae6d5f6f5285d09413871d1692803d5a286d64f3a8e7a8688e6d04aa48
Instruction Fuzzy Hash: 251102B2C006098FCB10CF9AC484ADEFBF4AB89224F14841AD819B7700C374A545CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 03371D62, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 03371DC5

Memory Dump Source

Source File: 00000007.00000002.413843398.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e735a7054f43a98b63d047bfcd0bc3a5de776ffd9ea02733f3c760a1d1552359
Instruction ID: 105f899b3459686c9c26f26222220edad9ed6fe4f629f0039c77dbac79b63182
Opcode Fuzzy Hash: e735a7054f43a98b63d047bfcd0bc3a5de776ffd9ea02733f3c760a1d1552359
Instruction Fuzzy Hash: AB1103B5C006499FDB20CF99C985BDEBBF8EB48324F10891AE565A7640C378A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0343E3C0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0343E41D

Memory Dump Source

Source File: 00000007.00000002.413921475.0000000003430000.00000040.00000001.sdmp, Offset: 03430000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: aaac3a073bb3baa10a72b61a09ac2d756a31767e91b772d8c185c20fcdf35479
Instruction ID: 9e25c9c1b725fd4b4be6ae03e4ed18adeaccac6f49f19483132156b7df650ff1
Opcode Fuzzy Hash: aaac3a073bb3baa10a72b61a09ac2d756a31767e91b772d8c185c20fcdf35479
Instruction Fuzzy Hash: 5F1100B58002098FDB10CF9AD489BDEBBF8EB58320F14841AE915A7740C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 03371D68, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 03371DC5

Memory Dump Source

Source File: 00000007.00000002.413843398.0000000003370000.00000040.00000001.sdmp, Offset: 03370000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e9b43b1d20978c7addf3c2727ccf32d5f9bcd287af15b03872ecf082048300d0
Instruction ID: 1c86ceefd1acc29031eb25d57af3155557f76713d7ac99a8a462605b530575fb
Opcode Fuzzy Hash: e9b43b1d20978c7addf3c2727ccf32d5f9bcd287af15b03872ecf082048300d0
Instruction Fuzzy Hash: 9711D3B5C003499FDB20CF9AC885BDEBBF8EB48324F14881AE554A7640C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 059B0DEF, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 059B0D91

Memory Dump Source

Source File: 00000007.00000002.417180073.00000000059B0000.00000040.00000001.sdmp, Offset: 059B0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 1112614a8dde5da1ca42d90e993565a178b3eb664daa9a814bfe15638e5ddbfe
Instruction ID: 7aa97a385f604679dc0257faa1222206565c94076ec59702ddbc4b4aa4bcfe13
Opcode Fuzzy Hash: 1112614a8dde5da1ca42d90e993565a178b3eb664daa9a814bfe15638e5ddbfe
Instruction Fuzzy Hash: F701AD795043448FEB21EB59E5493C9BBE4FB94225F208A9BD429AB680C7749445CB40

Uniqueness

Uniqueness Score: -1.00%

Function 019CD4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.413401951.00000000019CD000.00000040.00000001.sdmp, Offset: 019CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b78f9dcc3366370efd230fc52e016ba9da382111a9f29a5dfe92a1b88742688
Instruction ID: 35225d5218a2d7ef871ab1c94662dc2ce2274248330c828602c58b26b5434972
Opcode Fuzzy Hash: 8b78f9dcc3366370efd230fc52e016ba9da382111a9f29a5dfe92a1b88742688
Instruction Fuzzy Hash: AB210875504240DFDB01CF94D9C0F16BBA5FB98728F24857DD9494B34AC336D846C6E2

Uniqueness

Uniqueness Score: -1.00%

Function 019DD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.413450944.00000000019DD000.00000040.00000001.sdmp, Offset: 019DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e9c05161196c495c57d96bcf520bda40dfc63cef9ffa7291a1192e8a128a67
Instruction ID: a28352006ab37769b7d053bbce58b09051ffe2d5ae320539234c353ce7b5dd61
Opcode Fuzzy Hash: b5e9c05161196c495c57d96bcf520bda40dfc63cef9ffa7291a1192e8a128a67
Instruction Fuzzy Hash: FF21F2B5504240DFDB15DFA8D8C4B26BBA9FBC8364F24C969D80D4B386C73AD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 019DD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.413450944.00000000019DD000.00000040.00000001.sdmp, Offset: 019DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f825e291dfc37a21d57c6fe1826dcf1979912c367b36483d9895751afc0688
Instruction ID: 4136ce5db5330672a5288c0d0c5dba013484b58e17a0990131c2540d650592ec
Opcode Fuzzy Hash: 56f825e291dfc37a21d57c6fe1826dcf1979912c367b36483d9895751afc0688
Instruction Fuzzy Hash: 3D21F575904200EFDB05CF94D9C0F26BBA9FB84324F24C96DDA4D4B382C736D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 019DD005, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.413450944.00000000019DD000.00000040.00000001.sdmp, Offset: 019DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e9df153af5d5b781085082ee4166639275d2be259d9898e33e2821fb2b88a2
Instruction ID: d6dc331d7f0de7aabec31384866c72f71234f4e26bdebe26f6b02949f4f02972
Opcode Fuzzy Hash: c1e9df153af5d5b781085082ee4166639275d2be259d9898e33e2821fb2b88a2
Instruction Fuzzy Hash: D921A4755093C08FCB13CF24D994715BFB1EB86214F28C5DAD8498B697C33AD44ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 019CD4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.413401951.00000000019CD000.00000040.00000001.sdmp, Offset: 019CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction ID: 4d4c47663870f2843e9c845d9dc0cc01196ca8ce63db48bb11df937591490dbb
Opcode Fuzzy Hash: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction Fuzzy Hash: D0110376404280CFCB02CF44D9C4B16BFB1FB94324F2486ADD8490B65AC33AD45ACBE2

Uniqueness

Uniqueness Score: -1.00%

Function 019DD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.413450944.00000000019DD000.00000040.00000001.sdmp, Offset: 019DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10598f41ecae80e3ed7eaa2e4d93e548ce5d2277042f09e11ef5a73a669a8393
Instruction ID: 0cd83c3eeebdd0750e35493fe0220529bd8be888880e385e1e9b1fb182d8bd41
Opcode Fuzzy Hash: 10598f41ecae80e3ed7eaa2e4d93e548ce5d2277042f09e11ef5a73a669a8393
Instruction Fuzzy Hash: E2118B75904280DFDB12CF54D5C4B15BBB1FB84224F28C6AED9494B696C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 019CD771, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.413401951.00000000019CD000.00000040.00000001.sdmp, Offset: 019CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b15bd60e257b7aab67a86475903a1f66966b1397d54140680ce4161ee6a5af13
Instruction ID: 4b5d00c57ae40736f365735b809b42c1ea65dd983859b43f78f01ff4dc2c533f
Opcode Fuzzy Hash: b15bd60e257b7aab67a86475903a1f66966b1397d54140680ce4161ee6a5af13
Instruction Fuzzy Hash: 3401F7B1509384AEE7114A59CC84B66BBDCEF40A64F18887EEE4C4E682D7789844C6F2

Uniqueness

Uniqueness Score: -1.00%

Function 019CD770, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.413401951.00000000019CD000.00000040.00000001.sdmp, Offset: 019CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26de3a07fb623b1cf66627da7d1b11f2eec1a6cb0322c883a22b23fd0e4cc9a
Instruction ID: f6d46be747e7f55925e9b42349b37a252c8c6fdbedc50ae2486d6467e6e30a2d
Opcode Fuzzy Hash: e26de3a07fb623b1cf66627da7d1b11f2eec1a6cb0322c883a22b23fd0e4cc9a
Instruction Fuzzy Hash: 06F0C2B1404288AEEB118A19CC84BA2FFDCEB41734F18C46EED480B682C3789844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: EupFNx.exe PID: 6488 Parent PID: 6336 EupFNx.exeCOMMON

Executed Functions

Function 063A5A94, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 063AB633

Memory Dump Source

Source File: 00000009.00000002.450672065.00000000063A0000.00000040.00000001.sdmp, Offset: 063A0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 70084130ca27550bbe107aab05924f458f5fabe2749724c57b867efb04b3b852
Instruction ID: aa81d3838c4aaec21e7e317d2e645979e2d0fe5c2cf78912bacfb4cf324b9c24
Opcode Fuzzy Hash: 70084130ca27550bbe107aab05924f458f5fabe2749724c57b867efb04b3b852
Instruction Fuzzy Hash: 7051EF70E003188FDB58CFA9C888B9EFBB5FF48314F158529E816AB750DB749849CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0157691F, Relevance: 6.1, APIs: 4, Instructions: 131threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 015769A0
GetCurrentThread.KERNEL32 ref: 015769DD
GetCurrentProcess.KERNEL32 ref: 01576A1A
GetCurrentThreadId.KERNEL32 ref: 01576A73

Memory Dump Source

Source File: 00000009.00000002.445646917.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 369db79dba93e2623178dcaea62e32e9468fcb67284f0d34afa401aecfc79956
Instruction ID: 6d0d6b707663121278f7b3459fcbce9884b73c748a3f0d93f8b6848269101bee
Opcode Fuzzy Hash: 369db79dba93e2623178dcaea62e32e9468fcb67284f0d34afa401aecfc79956
Instruction Fuzzy Hash: 685176B09046498FEB14CFAAD549BDEBBF0FF48314F208459E409AB750CB745844CF62

Uniqueness

Uniqueness Score: -1.00%

Function 01576940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 015769A0
GetCurrentThread.KERNEL32 ref: 015769DD
GetCurrentProcess.KERNEL32 ref: 01576A1A
GetCurrentThreadId.KERNEL32 ref: 01576A73

Memory Dump Source

Source File: 00000009.00000002.445646917.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: de6da6c382b2815924cb9c5a98daeb03b2d1dad3a6d0b009685e4496b2790237
Instruction ID: 6ff59f9a8ca8ad528877f1709f4c980d3d70b1c099aeeeca0474ee92d0843c53
Opcode Fuzzy Hash: de6da6c382b2815924cb9c5a98daeb03b2d1dad3a6d0b009685e4496b2790237
Instruction Fuzzy Hash: 375134B0A006498FEB14CFAAD549BDEBBF1BF88314F208559E409A7750DB745884CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0157500F, Relevance: 1.7, APIs: 1, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.445646917.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b750427d35300f5b4134d574e03031d90d57b6c9a2a7591f418edd88342ffaeb
Instruction ID: ee63f0716a14af74f669937f51ab7a958b9d7bbc166766e60a3765bb6c5cdae1
Opcode Fuzzy Hash: b750427d35300f5b4134d574e03031d90d57b6c9a2a7591f418edd88342ffaeb
Instruction Fuzzy Hash: F66143B1C14349AFDF12CFA9D880ACDBFB1BF49310F1981AAE908AB221D7719945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 063AB4EC, Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 063AB633

Memory Dump Source

Source File: 00000009.00000002.450672065.00000000063A0000.00000040.00000001.sdmp, Offset: 063A0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 06af57f1f04e2e79f7254fcc547fc405acef81c92578d8e77d24ecc0219d5a4e
Instruction ID: 98e749ce96119af93be67242cf990563fd8cc1460c9fc1fc5750f84319f88cea
Opcode Fuzzy Hash: 06af57f1f04e2e79f7254fcc547fc405acef81c92578d8e77d24ecc0219d5a4e
Instruction Fuzzy Hash: 0C51E070E102188FDB58CFA9C888BDEFBB1FF48314F158529E816AB791D7749849CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01575090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015751A2

Memory Dump Source

Source File: 00000009.00000002.445646917.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 43fd30315f80dba5d1701524a5e8207bead05ee5b7553a51e7e10f46ffea8fa6
Instruction ID: a172db43792393de6284f47682f559859b0f2a0aa5ab489911b61eae8fbeae07
Opcode Fuzzy Hash: 43fd30315f80dba5d1701524a5e8207bead05ee5b7553a51e7e10f46ffea8fa6
Instruction Fuzzy Hash: B141CFB1D103099FDB14CF99D885ADEBBB5BF88314F64852AE819AB210D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0157779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 01577F09

Memory Dump Source

Source File: 00000009.00000002.445646917.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 2991a3c52b2a7188df9eb2237728f8f2d005acde9c6bbe64f6bbb2420d4dc555
Instruction ID: 53f2584f4bcd79cd7b47ef2f9a50c129b0b8771709f4d495b75b1460a63063aa
Opcode Fuzzy Hash: 2991a3c52b2a7188df9eb2237728f8f2d005acde9c6bbe64f6bbb2420d4dc555
Instruction Fuzzy Hash: 1D4136B4A003058FDB14CF99D489AAEBBF5FF8C314F248859E519AB321D774A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0157C119, Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0157C1A2

Memory Dump Source

Source File: 00000009.00000002.445646917.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: ad9c7776f7c604efef8c9595cae404b18ec42df003e91da7528d2d18fc14df68
Instruction ID: 78944ccccdb1c34be8183fd7c10fafc30072d0317737a30ebe088563f58652ee
Opcode Fuzzy Hash: ad9c7776f7c604efef8c9595cae404b18ec42df003e91da7528d2d18fc14df68
Instruction Fuzzy Hash: 4D3102B18057868FEB11DFA8E90A39EBFF4FB46314F04846AD444AB742C7795904CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01576B62, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01576BEF

Memory Dump Source

Source File: 00000009.00000002.445646917.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8753e5199258b7405491e3d5854343e9c1969c655ced7df0b9918628c40ea552
Instruction ID: 4cb94ab0ed3f819bf3cb5e4483d5ed9b372d4cd72b1e7d398761dabb0c2521fe
Opcode Fuzzy Hash: 8753e5199258b7405491e3d5854343e9c1969c655ced7df0b9918628c40ea552
Instruction Fuzzy Hash: E821BFB5D002099FDB10CFA9D985AEEBBF4FF48324F14845AE914A7710D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01576B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01576BEF

Memory Dump Source

Source File: 00000009.00000002.445646917.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 93edf4f70d3b38f77970241fa4733692d1bbdb2a310ea1f7b307a9abde7502af
Instruction ID: c23fdc1eaa30285fd2ec65f7f61f9cf40435b00992750f342e213ed3773cf8ad
Opcode Fuzzy Hash: 93edf4f70d3b38f77970241fa4733692d1bbdb2a310ea1f7b307a9abde7502af
Instruction Fuzzy Hash: CE21F3B5D002099FDB10CFAAD984ADEBBF8FB48320F14842AE914A7310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0157C128, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0157C1A2

Memory Dump Source

Source File: 00000009.00000002.445646917.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 6fd3d5e23df6c77bfea7eceeffa56e95eb425a7c1adf0cdfb228462c0456f9fa
Instruction ID: 31e07244ea06d6ceda1b417d09e79949b42b2ee20352b0812c550bda2da51452
Opcode Fuzzy Hash: 6fd3d5e23df6c77bfea7eceeffa56e95eb425a7c1adf0cdfb228462c0456f9fa
Instruction Fuzzy Hash: 73117C7190070A8FEB20DFA9E90A7DEBBF4FB45324F108429D405AB641CB786945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 013ED53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.444787008.00000000013ED000.00000040.00000001.sdmp, Offset: 013ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f52b54e751e23755019d20d53ad41693add45d8add135d7cd7ed02c17668b06
Instruction ID: fced6064d65a98d78bc810756508364dab82f08732e0d696f83839abd03599f0
Opcode Fuzzy Hash: 9f52b54e751e23755019d20d53ad41693add45d8add135d7cd7ed02c17668b06
Instruction Fuzzy Hash: 9F21F4B1504344DFDB01DF54D9C8B2ABBA5FB8422CF248569E8054F686C336D856CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 013ED450, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.444787008.00000000013ED000.00000040.00000001.sdmp, Offset: 013ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169f1148f6b369c7a4870d3911155e642b303528e055c1fb876791331d61074e
Instruction ID: bdffaa600f02dc6605eabdbbde61fdef0d9936d069328aa4d8f4c163d8c10685
Opcode Fuzzy Hash: 169f1148f6b369c7a4870d3911155e642b303528e055c1fb876791331d61074e
Instruction Fuzzy Hash: AB213671504304DFDB01DF54D9C8B6BBBA5FB98328F208569D8051F686C736E845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0151D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.445431368.000000000151D000.00000040.00000001.sdmp, Offset: 0151D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb27c2e96d6a3930882acaacb65d418cd771b06c27eb10e9471cbf7eae7b1387
Instruction ID: f3a4473af68b0e4c2332a8e8dec495afc2a26a03a6e3bd2a4f48d8d094f1d15a
Opcode Fuzzy Hash: eb27c2e96d6a3930882acaacb65d418cd771b06c27eb10e9471cbf7eae7b1387
Instruction Fuzzy Hash: 90210375504200DFEB16CF58D8C8B1ABBB5FB84354F20C969D8094F34AD33AD846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0151D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.445431368.000000000151D000.00000040.00000001.sdmp, Offset: 0151D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe566fa1ba3890d891b87d287c7cf93df4d4fa2a2f2ff7757356d24c1aa19f0
Instruction ID: c89151e7727eeab74e7b103ecda05ad2cc32e3330d47405d074b4cc5648fc1fc
Opcode Fuzzy Hash: bfe566fa1ba3890d891b87d287c7cf93df4d4fa2a2f2ff7757356d24c1aa19f0
Instruction Fuzzy Hash: 62219F755093808FDB03CF24D994B15BF71FB46214F28C5EAD8498F6A7C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 013ED537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.444787008.00000000013ED000.00000040.00000001.sdmp, Offset: 013ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction ID: bd1543b965900981480bccb8bba7c0fef415ba23163437dd68080d725ecfde6d
Opcode Fuzzy Hash: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction Fuzzy Hash: DB11D376404380CFCB12CF54D5C4B16BFB2FB84328F24C6A9D8494B696C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013ED44B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.444787008.00000000013ED000.00000040.00000001.sdmp, Offset: 013ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction ID: cd5e454fc6468675f253caedfec2cf0ac2f17ec2d9e7a12cf0531b086c04a9c6
Opcode Fuzzy Hash: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction Fuzzy Hash: CC11B176404280CFDB12CF54D5C4B56BFB1FB84328F2486A9D8050B697C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: EupFNx.exe PID: 6568 Parent PID: 3440 EupFNx.exeCOMMON

Executed Functions

Function 00CE7088, Relevance: 6.1, APIs: 4, Instructions: 125threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00CE70F8
GetCurrentThread.KERNEL32 ref: 00CE7135
GetCurrentProcess.KERNEL32 ref: 00CE7172
GetCurrentThreadId.KERNEL32 ref: 00CE71CB

Memory Dump Source

Source File: 0000000B.00000002.442052513.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e0a3e9249695c33642fe1b810b677a89249d3529554e1c7d2b24d83e83fbeb9d
Instruction ID: 7b851159b9fe75a7cc94f157f4880e7589d5b1ad7fd87ed4516b94d9ffc94728
Opcode Fuzzy Hash: e0a3e9249695c33642fe1b810b677a89249d3529554e1c7d2b24d83e83fbeb9d
Instruction Fuzzy Hash: 025164B0D046898FDB14CFAAC9887DEBBF1EF89314F24815AE059A7360D7745944CF25

Uniqueness

Uniqueness Score: -1.00%

Function 00CE7098, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00CE70F8
GetCurrentThread.KERNEL32 ref: 00CE7135
GetCurrentProcess.KERNEL32 ref: 00CE7172
GetCurrentThreadId.KERNEL32 ref: 00CE71CB

Memory Dump Source

Source File: 0000000B.00000002.442052513.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8a145bcdbd80d1ad3eb7153b06b1624378dd80b0ed6b2979e97b1d9d117fdc88
Instruction ID: 73cbfdf6fcb230a3dbe96866c49d90ebd990fee19deb267f7c6f006f1f29acdd
Opcode Fuzzy Hash: 8a145bcdbd80d1ad3eb7153b06b1624378dd80b0ed6b2979e97b1d9d117fdc88
Instruction Fuzzy Hash: 6A5164B0D003498FDB14CFAAC5487DEBBF4AF48304F208159E019A7360D7745944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00CEC0B2, Relevance: 1.7, APIs: 1, Instructions: 201COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CEC306

Memory Dump Source

Source File: 0000000B.00000002.442052513.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6a12da56295d3853a43ed965c79f92279904f6f3b2c86d4141557cc08af1780b
Instruction ID: ce6da0af5fcc57c83a5496a1be03d25ff33c3aff74f295b24c482347b489169c
Opcode Fuzzy Hash: 6a12da56295d3853a43ed965c79f92279904f6f3b2c86d4141557cc08af1780b
Instruction Fuzzy Hash: C2816670A00B418FDB24DF6AC48179ABBF1BF88304F00892EE496DBA51D735E946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00CEE16E, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00CEE28A

Memory Dump Source

Source File: 0000000B.00000002.442052513.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 51d3574066961292b4507454363e82e42db246f02f1c949356a15d3bd394397d
Instruction ID: bc3e36600a8ccf79c5da7bc8374a5556a6d1383f24bd0eeac8ead59fd6e99692
Opcode Fuzzy Hash: 51d3574066961292b4507454363e82e42db246f02f1c949356a15d3bd394397d
Instruction Fuzzy Hash: 9851DFB1D003499FDF15CFAAC884ADEBBB5FF48354F24812AE919AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CEE178, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00CEE28A

Memory Dump Source

Source File: 0000000B.00000002.442052513.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4ef0d1923cb7ac376e4c891713a0a762564ccedcda233179602b821f03e47e81
Instruction ID: a530c8142d23dd70a38d312e755696bd9efa29f78bcddb538f77df5b12295629
Opcode Fuzzy Hash: 4ef0d1923cb7ac376e4c891713a0a762564ccedcda233179602b821f03e47e81
Instruction Fuzzy Hash: 3D41BFB1D00359DFDF14CF9AC884ADEBBB5BF88354F24812AE919AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CE72B8, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CE7347

Memory Dump Source

Source File: 0000000B.00000002.442052513.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d9723e9d48b58981aa46e08067ac1ba60e5880db733801c07b88eada47e0c6bf
Instruction ID: 9dfeede63f4cf813bd15aa6b356a5f9358af7983708cfd808d4bed4577883324
Opcode Fuzzy Hash: d9723e9d48b58981aa46e08067ac1ba60e5880db733801c07b88eada47e0c6bf
Instruction Fuzzy Hash: D121E3B5D00249AFDB50CFAAD884AEEFBF5FB48320F14811AE914A7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CE72C0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CE7347

Memory Dump Source

Source File: 0000000B.00000002.442052513.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d63641f8d0390dca1299eac8d17ea68713d58cf888833a3830c2a5b1f43f252a
Instruction ID: ca66caec888f1136887135684220788c7f15b36ba97d0b92e4c2a991c94a1173
Opcode Fuzzy Hash: d63641f8d0390dca1299eac8d17ea68713d58cf888833a3830c2a5b1f43f252a
Instruction Fuzzy Hash: 1721C2B5D002499FDB10CFAAD884ADEBBF9FB48324F14841AE914A7310D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CEC520, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CEC381,00000800,00000000,00000000), ref: 00CEC592

Memory Dump Source

Source File: 0000000B.00000002.442052513.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 69bc1ca3046445c05fa501217119fb2da578e4caaf6a8863754517c90a361f63
Instruction ID: 17c780e875233e07a2fa2872045afa20ed30b81d67b37da2b57823c08ed987eb
Opcode Fuzzy Hash: 69bc1ca3046445c05fa501217119fb2da578e4caaf6a8863754517c90a361f63
Instruction Fuzzy Hash: 9A1117B6D003498FCB14CF9AD444ADEFBF4AF88310F14842ED825A7610D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CEB420, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CEC381,00000800,00000000,00000000), ref: 00CEC592

Memory Dump Source

Source File: 0000000B.00000002.442052513.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9b6fd190ca6fbe268dee958bc264120b234c2077039f83977d44c47c1285c44b
Instruction ID: 56eb7c45299801d953f36b8b6d5974cbf208ae1b4c955b6f1330d1e9d72034e3
Opcode Fuzzy Hash: 9b6fd190ca6fbe268dee958bc264120b234c2077039f83977d44c47c1285c44b
Instruction Fuzzy Hash: A81114B2D003498FCB10CF9AD484ADEFBF4EB98350F14842AE925A7600D3B4A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010C1E78, Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 010C1EDD

Memory Dump Source

Source File: 0000000B.00000002.442619412.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8ca86eef74ad5ca1e9c74760829cebd1048a44b3a29efd7e1dccc560759e8638
Instruction ID: 38108148badaf7ebaace0b4e4b54a83a7d605f3bd01dcacbc60f1f363733674b
Opcode Fuzzy Hash: 8ca86eef74ad5ca1e9c74760829cebd1048a44b3a29efd7e1dccc560759e8638
Instruction Fuzzy Hash: 4411F2B58003099FDB10DF9AD889BDFBBF8FB48724F14845AE958A7600D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CEE3B8, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00CEE41D

Memory Dump Source

Source File: 0000000B.00000002.442052513.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 879181f89ede8f12c1897d97c5d042ea0141bdf715a77e5872c8270eaab6dc56
Instruction ID: 50aa56184d36a804fe27b21862c1f5a78eaaadce0672840c134d2cc9fdd6db27
Opcode Fuzzy Hash: 879181f89ede8f12c1897d97c5d042ea0141bdf715a77e5872c8270eaab6dc56
Instruction Fuzzy Hash: 881133B18002488FDB10CF9AD484BDEBBF8EF89324F14841AD959AB700C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CEC2A0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CEC306

Memory Dump Source

Source File: 0000000B.00000002.442052513.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 51a61c9e402013f153f2cf19651e8bb40a33f971ed82aa8c273e35059576f8cb
Instruction ID: f671359cf95f235bf2ed57fc137221ca98663637020ed1a7c677ac6edc407bed
Opcode Fuzzy Hash: 51a61c9e402013f153f2cf19651e8bb40a33f971ed82aa8c273e35059576f8cb
Instruction Fuzzy Hash: C111DFB6D007498FDB10CF9AD484ADEFBF4AB88324F14851AD829B7610D3B4A546CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CEE3C0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00CEE41D

Memory Dump Source

Source File: 0000000B.00000002.442052513.0000000000CE0000.00000040.00000001.sdmp, Offset: 00CE0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ea906531b74e7e6115a15c09bed952d648ca2c2f0c2c4ae65a10829b813bc9f6
Instruction ID: 4718e86083c6e435373fd78fd5c1444cc6f6caf889517c84c89f97eab9bd6d8f
Opcode Fuzzy Hash: ea906531b74e7e6115a15c09bed952d648ca2c2f0c2c4ae65a10829b813bc9f6
Instruction Fuzzy Hash: 2C1112B58002498FDB10CF9AD484BDEFBF8EB88320F10841AE919A7740C3B4A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010C1E80, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 010C1EDD

Memory Dump Source

Source File: 0000000B.00000002.442619412.00000000010C0000.00000040.00000001.sdmp, Offset: 010C0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d26e7787c622fc14a5bcc1a7d43500f89341b7a74d098012ceaa8109ed101a65
Instruction ID: ab0e0bdfe0571174efc9f81478db71b9370c5d20b4d3f0661cfddade33d14845
Opcode Fuzzy Hash: d26e7787c622fc14a5bcc1a7d43500f89341b7a74d098012ceaa8109ed101a65
Instruction Fuzzy Hash: E411D0B58002499FDB10DF9AD885BDEBBF8FB48724F14845AE958A7600D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.441750751.0000000000C1D000.00000040.00000001.sdmp, Offset: 00C1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7fd05c1738cd5c84843b9a3c209c58598bb508e080b154b20ab93bd25ab718
Instruction ID: 9d8b47641281ce74e7b1add26483a7c4f0aa9eee3d9292f7e5578907120e4d98
Opcode Fuzzy Hash: 4f7fd05c1738cd5c84843b9a3c209c58598bb508e080b154b20ab93bd25ab718
Instruction Fuzzy Hash: F82128B1504300DFDB05CF14D9C0B97BF66FB99328F248569E8064B346C336D996EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.441822511.0000000000C2D000.00000040.00000001.sdmp, Offset: 00C2D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcebce018d05a63098de2d289f4fd4600d99295661e2009b78df79abcc55e4cc
Instruction ID: addefc832919a2f010b044cbb30e21184caa2b3602c21c8db59059eb9e968397
Opcode Fuzzy Hash: dcebce018d05a63098de2d289f4fd4600d99295661e2009b78df79abcc55e4cc
Instruction Fuzzy Hash: D2210771904200EFDB05CF54E5C4B16BB65FB94314F24C9ADE80A4BB42C736DC46CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.441822511.0000000000C2D000.00000040.00000001.sdmp, Offset: 00C2D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2268eb023aa9a32ddf60f28c67a4a365049b41b38fd3f003abdc84530b1c276
Instruction ID: 2da926961765f48df691cfa5c51a30e0f022bcc880b5d9837675368f9b9c1541
Opcode Fuzzy Hash: c2268eb023aa9a32ddf60f28c67a4a365049b41b38fd3f003abdc84530b1c276
Instruction Fuzzy Hash: 6B213475904340DFDB10CF14E8C4B16BB65FB98324F20C9A9E80A4BB66C73AD847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.441822511.0000000000C2D000.00000040.00000001.sdmp, Offset: 00C2D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c67f25113f86f1db943b743b04c519c7a1299711a95610a3dfe745a27d2aa4d
Instruction ID: d8f09c078f9ad63da9c73782108f62f9e6d0678dcd2155dcf3be090a47369333
Opcode Fuzzy Hash: 8c67f25113f86f1db943b743b04c519c7a1299711a95610a3dfe745a27d2aa4d
Instruction Fuzzy Hash: 14218E755093C08FCB12CF24D994B15BF71EB56314F28C5EBD8498B6A7C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.441750751.0000000000C1D000.00000040.00000001.sdmp, Offset: 00C1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction ID: 8aec9cb13a7cb6a96bc9ad4cd92eec5660affd66988e3840180df2b9255a61d8
Opcode Fuzzy Hash: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction Fuzzy Hash: 1C11D3B6404280CFCB16CF14D5C4B56BF72FB95324F2486A9D8060B756C33AD99ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.441822511.0000000000C2D000.00000040.00000001.sdmp, Offset: 00C2D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10598f41ecae80e3ed7eaa2e4d93e548ce5d2277042f09e11ef5a73a669a8393
Instruction ID: a3f035016c7766ac5cf8d09cdc110ec9d98359548690a36b0628a1ba487acae5
Opcode Fuzzy Hash: 10598f41ecae80e3ed7eaa2e4d93e548ce5d2277042f09e11ef5a73a669a8393
Instruction Fuzzy Hash: EF118B75904280DFDB12CF14D5C4B15BBA1FB94324F28C6AED84A4BA56C33AD94ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D771, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.441750751.0000000000C1D000.00000040.00000001.sdmp, Offset: 00C1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0660d6d40db9aaae72747038c170f62ed13d6e232c4a21ec24f0eeade995e44
Instruction ID: c7e6f2aebe2fa7636ed1b0461ba4bb00e1feab254aa915c96954fb0a112ceec8
Opcode Fuzzy Hash: c0660d6d40db9aaae72747038c170f62ed13d6e232c4a21ec24f0eeade995e44
Instruction Fuzzy Hash: F401F771509344AEE7108A16DC807E6FBDCEF52774F18845AED064F28AD7789884E6F1

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D770, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.441750751.0000000000C1D000.00000040.00000001.sdmp, Offset: 00C1D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9b07283a0c638fbad5c045fa29bee485b96a466a1a26e3df79b92eb3a9af65
Instruction ID: 49f18d1014cae6562e1f2e2e1caaa5e483ad08c6e3c6651ca590c862b4d35e7a
Opcode Fuzzy Hash: 8a9b07283a0c638fbad5c045fa29bee485b96a466a1a26e3df79b92eb3a9af65
Instruction Fuzzy Hash: 04F0C272404248AEEB108A15DC84BA2FBDCEB51734F18C45AED090B686D3789884CAB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report OMANTECH PRODUCTS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre