Play interactive tour

Edit tour

Windows Analysis Report Euro invoice.exe

Overview

General Information

Sample Name:	Euro invoice.exe
Analysis ID:	528711
MD5:	15f79ec8cfa1ad6c24767d4ca45aa4cd
SHA1:	3b48453cc5680c048880bb0c4f0f19f34fdf1da7
SHA256:	49d22404c910a5bd1b6e13d92bb411b826edfc42fd680cfaa90ffb23ecc3a195
Tags:	agentteslaexe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Tries to steal Mail credentials (via file / registry access)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Modifies the hosts file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Euro invoice.exe (PID: 5764 cmdline: "C:\Users\user\Desktop\Euro invoice.exe" MD5: 15F79EC8CFA1AD6C24767D4CA45AA4CD)

RegSvcs.exe (PID: 5620 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

RegSvcs.exe (PID: 6692 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

RegSvcs.exe (PID: 6980 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

kprUEGC.exe (PID: 7164 cmdline: "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

kprUEGC.exe (PID: 3932 cmdline: "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "support25@vrlogistic.net", "Password": "support25!@#$", "Host": "mail.vrlogistic.net"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000000.301908839.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.301908839.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000000.300860583.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.300860583.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.304280819.0000000003430000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.555012812.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.555012812.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000000.301228318.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.301228318.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000000.301544844.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000000.301544844.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.304736532.00000000043F4000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.304736532.00000000043F4000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Euro invoice.exe PID: 5764	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Euro invoice.exe PID: 5764	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 6980	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 6980	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author
5.0.RegSvcs.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.Euro invoice.exe.43f4370.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.Euro invoice.exe.43f4370.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.Euro invoice.exe.442a590.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.Euro invoice.exe.442a590.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.0.RegSvcs.exe.400000.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.Euro invoice.exe.442a590.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.Euro invoice.exe.442a590.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.Euro invoice.exe.43f4370.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.Euro invoice.exe.43f4370.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 15 entries

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\Euro invoice.exe" , ParentImage: C:\Users\user\Desktop\Euro invoice.exe, ParentProcessId: 5764, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5620

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\Euro invoice.exe" , ParentImage: C:\Users\user\Desktop\Euro invoice.exe, ParentProcessId: 5764, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5620

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.Euro invoice.exe.442a590.1.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "support25@vrlogistic.net", "Password": "support25!@#$", "Host": "mail.vrlogistic.net"}

Multi AV Scanner detection for submitted file

Show sources

Source: Euro invoice.exe

ReversingLabs: Detection: 33%

Source: 5.0.RegSvcs.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.2.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.3.unpack	Avira: Label: TR/Spy.Gen8

Source: Euro invoice.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: Euro invoice.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000003.504305930.0000000005D48000.00000004.00000001.sdmp, kprUEGC.exe, 0000000B.00000000.366836955.0000000000A12000.00000002.00020000.sdmp, kprUEGC.exe, 0000000E.00000002.385745819.00000000008B2000.00000002.00020000.sdmp, kprUEGC.exe.5.dr
Source:	Binary string: RegSvcs.pdb source: kprUEGC.exe, kprUEGC.exe, 0000000E.00000002.385745819.00000000008B2000.00000002.00020000.sdmp, kprUEGC.exe.5.dr

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49840 -> 148.66.138.164:587

Source: Joe Sandbox View

ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS

Source: global traffic

TCP traffic: 192.168.2.3:49840 -> 148.66.138.164:587

Source: global traffic

TCP traffic: 192.168.2.3:49840 -> 148.66.138.164:587

Source: RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: http://Fedebu.com
Source: RegSvcs.exe, 00000005.00000002.558309682.0000000005D30000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsoft.co)X
Source: RegSvcs.exe, 00000005.00000002.557542494.0000000002E8A000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.557645745.0000000002EC1000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.557664034.0000000002ECD000.00000004.00000001.sdmp	String found in binary or memory: http://k5CVS3sUuqbD95uELlH.net
Source: RegSvcs.exe, 00000005.00000002.557645745.0000000002EC1000.00000004.00000001.sdmp	String found in binary or memory: http://mail.vrlogistic.net
Source: Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Euro invoice.exe, 00000001.00000002.304736532.00000000043F4000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.301908839.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000005.00000000.300860583.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

DNS traffic detected: queries for: mail.vrlogistic.net

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Euro invoice.exe

.NET source code contains very large array initializations

Show sources

Source: 5.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bA62A6339u002d4F48u002d4E13u002d8591u002d760094C03D2Au007d/u00393E23D57u002d6125u002d4C47u002d9C42u002d008B92BF02C6.cs	Large array initialization: .cctor: array initializer size 11964
Source: 5.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bA62A6339u002d4F48u002d4E13u002d8591u002d760094C03D2Au007d/u00393E23D57u002d6125u002d4C47u002d9C42u002d008B92BF02C6.cs	Large array initialization: .cctor: array initializer size 11964
Source: 5.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007bA62A6339u002d4F48u002d4E13u002d8591u002d760094C03D2Au007d/u00393E23D57u002d6125u002d4C47u002d9C42u002d008B92BF02C6.cs	Large array initialization: .cctor: array initializer size 11964
Source: 5.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bA62A6339u002d4F48u002d4E13u002d8591u002d760094C03D2Au007d/u00393E23D57u002d6125u002d4C47u002d9C42u002d008B92BF02C6.cs	Large array initialization: .cctor: array initializer size 11964
Source: 5.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bA62A6339u002d4F48u002d4E13u002d8591u002d760094C03D2Au007d/u00393E23D57u002d6125u002d4C47u002d9C42u002d008B92BF02C6.cs	Large array initialization: .cctor: array initializer size 11964
Source: 5.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007bA62A6339u002d4F48u002d4E13u002d8591u002d760094C03D2Au007d/u00393E23D57u002d6125u002d4C47u002d9C42u002d008B92BF02C6.cs	Large array initialization: .cctor: array initializer size 11964

Source: Euro invoice.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: C:\Users\user\Desktop\Euro invoice.exe	Code function: 1_2_0319A710	1_2_0319A710
Source: C:\Users\user\Desktop\Euro invoice.exe	Code function: 1_2_031904D8	1_2_031904D8
Source: C:\Users\user\Desktop\Euro invoice.exe	Code function: 1_2_03190856	1_2_03190856
Source: C:\Users\user\Desktop\Euro invoice.exe	Code function: 1_2_031918F0	1_2_031918F0
Source: C:\Users\user\Desktop\Euro invoice.exe	Code function: 1_2_03191C02	1_2_03191C02
Source: C:\Users\user\Desktop\Euro invoice.exe	Code function: 1_2_03190880	1_2_03190880
Source: C:\Users\user\Desktop\Euro invoice.exe	Code function: 1_2_03191991	1_2_03191991
Source: C:\Users\user\Desktop\Euro invoice.exe	Code function: 1_2_05FB0AE0	1_2_05FB0AE0
Source: C:\Users\user\Desktop\Euro invoice.exe	Code function: 1_2_05FB8330	1_2_05FB8330
Source: C:\Users\user\Desktop\Euro invoice.exe	Code function: 1_2_05FB8320	1_2_05FB8320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010A85C8	5_2_010A85C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010A3960	5_2_010A3960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010A8D08	5_2_010A8D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010ACDA8	5_2_010ACDA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_010A8E08	5_2_010A8E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_013047A0	5_2_013047A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_01304718	5_2_01304718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05536508	5_2_05536508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05537120	5_2_05537120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05536850	5_2_05536850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_055390D8	5_2_055390D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05532260	5_2_05532260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05532229	5_2_05532229

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: String function: 0553BEB8 appears 48 times

Source: Euro invoice.exe	Binary or memory string: OriginalFilename vs Euro invoice.exe
Source: Euro invoice.exe, 00000001.00000002.307877674.0000000005FA0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameInnerException.dll" vs Euro invoice.exe
Source: Euro invoice.exe, 00000001.00000002.304736532.00000000043F4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamexXvmOuTrUsJTERPkUCRhPLSavHyJIBpEM.exe4 vs Euro invoice.exe
Source: Euro invoice.exe, 00000001.00000002.304736532.00000000043F4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dll@ vs Euro invoice.exe
Source: Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamexXvmOuTrUsJTERPkUCRhPLSavHyJIBpEM.exe4 vs Euro invoice.exe
Source: Euro invoice.exe, 00000001.00000002.308107167.0000000006770000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll@ vs Euro invoice.exe
Source: Euro invoice.exe	Binary or memory string: OriginalFilenameFileSecurityStateAcce.exe. vs Euro invoice.exe

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50

Source: Euro invoice.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Euro invoice.exe

ReversingLabs: Detection: 33%

Source: C:\Users\user\Desktop\Euro invoice.exe

File read: C:\Users\user\Desktop\Euro invoice.exe:Zone.Identifier

Jump to behavior

Source: Euro invoice.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Euro invoice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Euro invoice.exe "C:\Users\user\Desktop\Euro invoice.exe"
Source: C:\Users\user\Desktop\Euro invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\Euro invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\Euro invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Euro invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Euro invoice.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Euro invoice.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@11/6@1/1

Source: C:\Users\user\Desktop\Euro invoice.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\Euro invoice.exe	Mutant created: \Sessions\1\BaseNamedObjects\bSIqof
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_01
Source: C:\Users\user\Desktop\Euro invoice.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_01

Source: Euro invoice.exe	String found in binary or memory: views/addcustomer.baml
Source: Euro invoice.exe	String found in binary or memory: views/addbook.baml
Source: Euro invoice.exe	String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml

Source: 5.0.RegSvcs.exe.400000.4.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegSvcs.exe.400000.4.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegSvcs.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegSvcs.exe.400000.1.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegSvcs.exe.400000.2.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.RegSvcs.exe.400000.2.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\Euro invoice.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Euro invoice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Euro invoice.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000003.504305930.0000000005D48000.00000004.00000001.sdmp, kprUEGC.exe, 0000000B.00000000.366836955.0000000000A12000.00000002.00020000.sdmp, kprUEGC.exe, 0000000E.00000002.385745819.00000000008B2000.00000002.00020000.sdmp, kprUEGC.exe.5.dr
Source:	Binary string: RegSvcs.pdb source: kprUEGC.exe, kprUEGC.exe, 0000000E.00000002.385745819.00000000008B2000.00000002.00020000.sdmp, kprUEGC.exe.5.dr

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: Euro invoice.exe, u002d/li1lll1i1IIl.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.Euro invoice.exe.e70000.0.unpack, u002d/li1lll1i1IIl.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Euro invoice.exe.e70000.0.unpack, u002d/li1lll1i1IIl.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Euro invoice.exe	Code function: 1_2_05FB7003 pushad ; ret	1_2_05FB7019
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0553EC22 pushad ; ret	5_2_0553EC69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05537AE8 push 8BF04589h; iretd	5_2_05537B74
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 11_2_02C1049B push esp; ret	11_2_02C1049E
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Code function: 11_2_02C10438 push ebx; ret	11_2_02C10442

Source: initial sample

Static PE information: section name: .text entropy: 7.91256606252

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000001.00000002.304280819.0000000003430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Euro invoice.exe PID: 5764, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Euro invoice.exe, 00000001.00000002.304280819.0000000003430000.00000004.00000001.sdmp, Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Euro invoice.exe, 00000001.00000002.304280819.0000000003430000.00000004.00000001.sdmp, Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -239828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 3076	Thread sleep count: 3501 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 3076	Thread sleep count: 1881 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 4448	Thread sleep time: -35344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -239719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -239609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -239499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -239391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -239281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -239141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -239016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -238906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -238750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -238625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -238516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -238391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -238262s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -238155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -238046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -237750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -237344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -237219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -237109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -237000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -236891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -236781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -236672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -236563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -236250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -236000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -235828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -235719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -235594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -235344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -235047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -234891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -234750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -234438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -234124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -234016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 5804	Thread sleep time: -233904s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe TID: 6948	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 7064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 239828	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 239719	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 239609	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 239499	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 239391	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 239281	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 239141	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 239016	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 238906	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 238750	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 238625	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 238516	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 238391	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 238262	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 238155	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 238046	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 237750	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 237344	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 237219	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 237109	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 237000	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 236891	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 236781	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 236672	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 236563	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 236250	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 236000	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 235828	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 235719	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 235594	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 235344	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 235047	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 234891	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 234750	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 234438	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 234124	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 234016	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 233904	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Euro invoice.exe	Window / User API: threadDelayed 3501	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Window / User API: threadDelayed 1881	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1387	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8460	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Euro invoice.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 239828	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 35344	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 239719	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 239609	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 239499	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 239391	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 239281	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 239141	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 239016	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 238906	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 238750	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 238625	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 238516	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 238391	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 238262	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 238155	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 238046	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 237750	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 237344	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 237219	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 237109	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 237000	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 236891	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 236781	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 236672	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 236563	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 236250	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 236000	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 235828	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 235719	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 235594	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 235344	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 235047	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 234891	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 234750	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 234438	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 234124	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 234016	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 233904	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000005.00000002.558309682.0000000005D30000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Euro invoice.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_010A1668 LdrInitializeThunk,

5_2_010A1668

Source: C:\Users\user\Desktop\Euro invoice.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Users\user\Desktop\Euro invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: RegSvcs.exe, 00000005.00000002.556525768.0000000001520000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000005.00000002.556525768.0000000001520000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000005.00000002.556525768.0000000001520000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000005.00000002.556525768.0000000001520000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Euro invoice.exe	Queries volume information: C:\Users\user\Desktop\Euro invoice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Euro invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Euro invoice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Euro invoice.exe.43f4370.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Euro invoice.exe.442a590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Euro invoice.exe.442a590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Euro invoice.exe.43f4370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.301908839.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.300860583.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.555012812.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.301228318.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.301544844.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.304736532.00000000043F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Euro invoice.exe PID: 5764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6980, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Source: Yara match	File source: 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6980, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Euro invoice.exe.43f4370.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Euro invoice.exe.442a590.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Euro invoice.exe.442a590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Euro invoice.exe.43f4370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.301908839.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.300860583.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.555012812.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.301228318.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.301544844.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.304736532.00000000043F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Euro invoice.exe PID: 5764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6980, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Registry Run Keys / Startup Folder1	Process Injection12	File and Directory Permissions Modification1	OS Credential Dumping2	System Information Discovery114	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Disable or Modify Tools1	Credentials in Registry1	Security Software Discovery211	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information11	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information3	NTDS	Virtualization/Sandbox Evasion131	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing13	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion131	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection12	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Euro invoice.exe	33%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.0.RegSvcs.exe.400000.4.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.0.RegSvcs.exe.400000.1.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.0.RegSvcs.exe.400000.2.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.0.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
5.0.RegSvcs.exe.400000.3.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.microsoft.co)X	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://Fedebu.com	0%	Avira URL Cloud	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://k5CVS3sUuqbD95uELlH.net	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://api.ipify.org%$	0%	Avira URL Cloud	safe
http://mail.vrlogistic.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.vrlogistic.net	148.66.138.164	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.microsoft.co)X	RegSvcs.exe, 00000005.00000002.558309682.0000000005D30000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://127.0.0.1:HTTP/1.1	RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://Fedebu.com	RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org%GETMozilla/5.0	RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp	false	URL Reputation: safe	low
http://DynDns.comDynDNS	RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://k5CVS3sUuqbD95uELlH.net	RegSvcs.exe, 00000005.00000002.557542494.0000000002E8A000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.557645745.0000000002EC1000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.557664034.0000000002ECD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	Euro invoice.exe, 00000001.00000002.304736532.00000000043F4000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.301908839.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000005.00000000.300860583.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org%$	RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://mail.vrlogistic.net	RegSvcs.exe, 00000005.00000002.557645745.0000000002EC1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
148.66.138.164	mail.vrlogistic.net	Singapore		26496	AS-26496-GO-DADDY-COM-LLCUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528711
Start date:	25.11.2021
Start time:	17:40:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Euro invoice.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@11/6@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.3% (good quality ratio 0.2%) Quality average: 26% Quality standard deviation: 26.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 116 Number of non-executed functions: 2
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/528711/sample/Euro invoice.exe

Simulations

Behavior and APIs

Time	Type	Description
17:41:21	API Interceptor	40x Sleep call for process: Euro invoice.exe modified
17:41:35	API Interceptor	752x Sleep call for process: RegSvcs.exe modified
17:41:48	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
17:41:56	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
148.66.138.164	41Scan007.exe	Get hash	malicious	Browse	innovativewebtechnology.com/dev/Panel/five/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mail.vrlogistic.net	Euro invoice.exe	Get hash	malicious	Browse	148.66.138.164
mail.vrlogistic.net	Euro invoice.exe	Get hash	malicious	Browse	148.66.138.164

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-26496-GO-DADDY-COM-LLCUS	Akiru.arm7	Get hash	malicious	Browse	192.186.196.248
	xDG1WDcI0o.exe	Get hash	malicious	Browse	173.201.185.205
	RFQ_PO-330758290144.xlsx	Get hash	malicious	Browse	166.62.110.60
	Arrival Notice, CIA Awb Inv Form.pdf.exe	Get hash	malicious	Browse	184.168.98.97
	Euro invoice.exe	Get hash	malicious	Browse	148.66.138.164
	New Order778880.exe	Get hash	malicious	Browse	173.201.188.238
	c0az1l4js3001lsk4xd9n.x86-20211124-0850	Get hash	malicious	Browse	192.169.147.26
	Euro invoice.exe	Get hash	malicious	Browse	148.66.138.164
	DHL express 5809439160_pdf.exe	Get hash	malicious	Browse	184.168.96.165
	Payment transfer.exe	Get hash	malicious	Browse	148.66.138.249
	k6j1IMWw7Q.exe	Get hash	malicious	Browse	184.168.119.143
	704.doc	Get hash	malicious	Browse	148.72.96.3
	nHSmNKw7PN.exe	Get hash	malicious	Browse	184.168.119.143
	New Order 000112221.exe	Get hash	malicious	Browse	173.201.188.238
	1711.doc	Get hash	malicious	Browse	72.167.40.83
	new order.exe	Get hash	malicious	Browse	107.180.56.180
	AD0eMpLdJo81Tjr.exe	Get hash	malicious	Browse	184.168.96.165
	202111161629639000582.exe	Get hash	malicious	Browse	45.40.150.136
	UNPDMVX63128.vbs	Get hash	malicious	Browse	104.238.97.193
	QLTWPAU89862.vbs	Get hash	malicious	Browse	104.238.97.193

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe	NEW ORDER EN31628 EN31630.exe	Get hash	malicious	Browse
	purchase order.exe	Get hash	malicious	Browse
	TS#U007e039873663-30987637393.exe	Get hash	malicious	Browse
	ERIG_0983763673-093876536783.exe	Get hash	malicious	Browse
	Euro invoice.exe	Get hash	malicious	Browse
	Shipping Document BL Draft.exe	Get hash	malicious	Browse
	incorrect payment information.exe	Get hash	malicious	Browse
	TransactionSummary_22-11-2021.exe	Get hash	malicious	Browse
	SWIFT COPY.exe	Get hash	malicious	Browse
	TT COPY.exe	Get hash	malicious	Browse
	Payment Advice 50053945.exe	Get hash	malicious	Browse
	750845PaymentReceipt.exe	Get hash	malicious	Browse
	Copy BL and Debit Note.exe	Get hash	malicious	Browse
	QUOTATION.exe	Get hash	malicious	Browse
	PO_SBK4128332S.exe	Get hash	malicious	Browse
	New order - C.S.I No. 0987.exe	Get hash	malicious	Browse
	Bank payment swift message.exe	Get hash	malicious	Browse
	SOA.exe	Get hash	malicious	Browse
	SOA.exe	Get hash	malicious	Browse
	HSBC Payment Advice.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Euro invoice.exe.log Download File
Process:	C:\Users\user\Desktop\Euro invoice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2239
Entropy (8bit):	5.354287817410997
Encrypted:	false
SSDEEP:	48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHXHK2HKgmHKovjHKs:iqXeqm00YqhQnouRqjntIxHeqzTw3q2W
MD5:	913D1EEA179415C6D08FB255AE42B99D
SHA1:	E994C612C0596994AAE55FBCE35B7A4FBE312FD7
SHA-256:	473B4000084ACF4C7D701CE72EBF71BD304054231B3BDF7CAF49898A1FDA13D0
SHA-512:	768045C288CEEE8FE1A099FC8CEA713B685F6ED3FD8BFA1C8E64CA09F7AF9FEBEA90F5277B28444AFF8F2AC7CD857DFCDF7D3A98CD86288925DB7A4A42346185
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kprUEGC.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45152
Entropy (8bit):	6.149629800481177
Encrypted:	false
SSDEEP:	768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
MD5:	2867A3817C9245F7CF518524DFD18F28
SHA1:	D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
SHA-256:	43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
SHA-512:	7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: NEW ORDER EN31628 EN31630.exe, Detection: malicious, Browse Filename: purchase order.exe, Detection: malicious, Browse Filename: TS#U007e039873663-30987637393.exe, Detection: malicious, Browse Filename: ERIG_0983763673-093876536783.exe, Detection: malicious, Browse Filename: Euro invoice.exe, Detection: malicious, Browse Filename: Shipping Document BL Draft.exe, Detection: malicious, Browse Filename: incorrect payment information.exe, Detection: malicious, Browse Filename: TransactionSummary_22-11-2021.exe, Detection: malicious, Browse Filename: SWIFT COPY.exe, Detection: malicious, Browse Filename: TT COPY.exe, Detection: malicious, Browse Filename: Payment Advice 50053945.exe, Detection: malicious, Browse Filename: 750845PaymentReceipt.exe, Detection: malicious, Browse Filename: Copy BL and Debit Note.exe, Detection: malicious, Browse Filename: QUOTATION.exe, Detection: malicious, Browse Filename: PO_SBK4128332S.exe, Detection: malicious, Browse Filename: New order - C.S.I No. 0987.exe, Detection: malicious, Browse Filename: Bank payment swift message.exe, Detection: malicious, Browse Filename: SOA.exe, Detection: malicious, Browse Filename: SOA.exe, Detection: malicious, Browse Filename: HSBC Payment Advice.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Windows\System32\drivers\etc\hosts Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	835
Entropy (8bit):	4.694294591169137
Encrypted:	false
SSDEEP:	24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
MD5:	6EB47C1CF858E25486E42440074917F2
SHA1:	6A63F93A95E1AE831C393A97158C526A4FA0FAAE
SHA-256:	9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
SHA-512:	08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
Malicious:	true
Preview:	# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1

\Device\ConDrv Download File
Process:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.44831826838854
Encrypted:	false
SSDEEP:	24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
MD5:	1AEB3A784552CFD2AEDEDC1D43A97A4F
SHA1:	804286AB9F8B3DE053222826A69A7CDA3492411A
SHA-256:	0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
SHA-512:	5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.903234436272546
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Euro invoice.exe
File size:	508416
MD5:	15f79ec8cfa1ad6c24767d4ca45aa4cd
SHA1:	3b48453cc5680c048880bb0c4f0f19f34fdf1da7
SHA256:	49d22404c910a5bd1b6e13d92bb411b826edfc42fd680cfaa90ffb23ecc3a195
SHA512:	47a0d71ee92b6b34c98a7ce908de5495e83eec21d08994beb267bea12e754235bbd666b5b96e074b1f8fa1457ed23bb02b97ee8c195225825d4a3aa83b129da8
SSDEEP:	12288:AzCrhpHHt1znKv04ixBFmPJ3slZjzgtYGUPFJxN2wrRs4EKBDWkJwXQzEs1tZf4A:OCrhpHHt1znKv04i1its7stYGUtJxIsB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>M.a............................2.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x47d732
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x619F4D3E [Thu Nov 25 08:45:50 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7d6d8	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7e000	0x5b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x80000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7b738	0x7b800	False	0.907718797444	data	7.91256606252	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x7e000	0x5b8	0x600	False	0.432291666667	data	4.34905710586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x80000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x7e0a0	0x364	data
RT_MANIFEST	0x7e404	0x1b4	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Rogers Peet
Assembly Version	8.0.6.0
InternalName	FileSecurityStateAcce.exe
FileVersion	5.6.0.0
CompanyName	Rogers Peet
LegalTrademarks
Comments
ProductName	Biblan
ProductVersion	5.6.0.0
FileDescription	Biblan
OriginalFilename	FileSecurityStateAcce.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/25/21-17:43:03.379334	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49840	587	192.168.2.3	148.66.138.164

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 17:43:01.267766953 CET	49840	587	192.168.2.3	148.66.138.164
Nov 25, 2021 17:43:01.523094893 CET	587	49840	148.66.138.164	192.168.2.3
Nov 25, 2021 17:43:01.523211002 CET	49840	587	192.168.2.3	148.66.138.164
Nov 25, 2021 17:43:01.787379980 CET	587	49840	148.66.138.164	192.168.2.3
Nov 25, 2021 17:43:01.787694931 CET	49840	587	192.168.2.3	148.66.138.164
Nov 25, 2021 17:43:02.043184996 CET	587	49840	148.66.138.164	192.168.2.3
Nov 25, 2021 17:43:02.043586969 CET	49840	587	192.168.2.3	148.66.138.164
Nov 25, 2021 17:43:02.299767017 CET	587	49840	148.66.138.164	192.168.2.3
Nov 25, 2021 17:43:02.300486088 CET	49840	587	192.168.2.3	148.66.138.164
Nov 25, 2021 17:43:02.565695047 CET	587	49840	148.66.138.164	192.168.2.3
Nov 25, 2021 17:43:02.570029020 CET	49840	587	192.168.2.3	148.66.138.164
Nov 25, 2021 17:43:02.827512980 CET	587	49840	148.66.138.164	192.168.2.3
Nov 25, 2021 17:43:02.828058004 CET	49840	587	192.168.2.3	148.66.138.164
Nov 25, 2021 17:43:03.120738983 CET	587	49840	148.66.138.164	192.168.2.3
Nov 25, 2021 17:43:03.121268988 CET	49840	587	192.168.2.3	148.66.138.164
Nov 25, 2021 17:43:03.377202988 CET	587	49840	148.66.138.164	192.168.2.3
Nov 25, 2021 17:43:03.377239943 CET	587	49840	148.66.138.164	192.168.2.3
Nov 25, 2021 17:43:03.379333973 CET	49840	587	192.168.2.3	148.66.138.164
Nov 25, 2021 17:43:03.379617929 CET	49840	587	192.168.2.3	148.66.138.164
Nov 25, 2021 17:43:03.380532980 CET	49840	587	192.168.2.3	148.66.138.164
Nov 25, 2021 17:43:03.380752087 CET	49840	587	192.168.2.3	148.66.138.164
Nov 25, 2021 17:43:03.636003971 CET	587	49840	148.66.138.164	192.168.2.3
Nov 25, 2021 17:43:03.733001947 CET	587	49840	148.66.138.164	192.168.2.3
Nov 25, 2021 17:43:03.743999958 CET	587	49840	148.66.138.164	192.168.2.3
Nov 25, 2021 17:43:03.793948889 CET	49840	587	192.168.2.3	148.66.138.164

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2021 17:43:01.202821970 CET	56236	53	192.168.2.3	8.8.8.8
Nov 25, 2021 17:43:01.252684116 CET	53	56236	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 25, 2021 17:43:01.202821970 CET	192.168.2.3	8.8.8.8	0x73c	Standard query (0)	mail.vrlogistic.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 25, 2021 17:43:01.252684116 CET	8.8.8.8	192.168.2.3	0x73c	No error (0)	mail.vrlogistic.net		148.66.138.164	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 25, 2021 17:43:01.787379980 CET	587	49840	148.66.138.164	192.168.2.3	220-sg3plcpnl0131.prod.sin3.secureserver.net ESMTP Exim 4.94.2 #2 Thu, 25 Nov 2021 09:43:01 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 25, 2021 17:43:01.787694931 CET	49840	587	192.168.2.3	148.66.138.164	EHLO 715575
Nov 25, 2021 17:43:02.043184996 CET	587	49840	148.66.138.164	192.168.2.3	250-sg3plcpnl0131.prod.sin3.secureserver.net Hello 715575 [84.17.52.63] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250-SMTPUTF8 250 HELP
Nov 25, 2021 17:43:02.043586969 CET	49840	587	192.168.2.3	148.66.138.164	AUTH login c3VwcG9ydDI1QHZybG9naXN0aWMubmV0
Nov 25, 2021 17:43:02.299767017 CET	587	49840	148.66.138.164	192.168.2.3	334 UGFzc3dvcmQ6
Nov 25, 2021 17:43:02.565695047 CET	587	49840	148.66.138.164	192.168.2.3	235 Authentication succeeded
Nov 25, 2021 17:43:02.570029020 CET	49840	587	192.168.2.3	148.66.138.164	MAIL FROM:<support25@vrlogistic.net>
Nov 25, 2021 17:43:02.827512980 CET	587	49840	148.66.138.164	192.168.2.3	250 OK
Nov 25, 2021 17:43:02.828058004 CET	49840	587	192.168.2.3	148.66.138.164	RCPT TO:<support25@vrlogistic.net>
Nov 25, 2021 17:43:03.120738983 CET	587	49840	148.66.138.164	192.168.2.3	250 Accepted
Nov 25, 2021 17:43:03.121268988 CET	49840	587	192.168.2.3	148.66.138.164	DATA
Nov 25, 2021 17:43:03.377239943 CET	587	49840	148.66.138.164	192.168.2.3	354 Enter message, ending with "." on a line by itself
Nov 25, 2021 17:43:03.380752087 CET	49840	587	192.168.2.3	148.66.138.164	.
Nov 25, 2021 17:43:03.743999958 CET	587	49840	148.66.138.164	192.168.2.3	250 OK id=1mqHpv-003rLX-6j

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Euro invoice.exe PID: 5764 Parent PID: 5248

General

Start time:	17:41:19
Start date:	25/11/2021
Path:	C:\Users\user\Desktop\Euro invoice.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Euro invoice.exe"
Imagebase:	0xe70000
File size:	508416 bytes
MD5 hash:	15F79EC8CFA1AD6C24767D4CA45AA4CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.304280819.0000000003430000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.304736532.00000000043F4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.304736532.00000000043F4000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: RegSvcs.exe PID: 5620 Parent PID: 5764

General

Start time:	17:41:22
Start date:	25/11/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0x100000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6692 Parent PID: 5764

General

Start time:	17:41:24
Start date:	25/11/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0x3b0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6980 Parent PID: 5764

General

Start time:	17:41:25
Start date:	25/11/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0x7c0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.301908839.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.301908839.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.300860583.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.300860583.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.555012812.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.555012812.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.301228318.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.301228318.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.301544844.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.301544844.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: kprUEGC.exe PID: 7164 Parent PID: 3352

General

Start time:	17:41:56
Start date:	25/11/2021
Path:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
Imagebase:	0xa10000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6040 Parent PID: 7164

General

Start time:	17:41:57
Start date:	25/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: kprUEGC.exe PID: 3932 Parent PID: 3352

General

Start time:	17:42:04
Start date:	25/11/2021
Path:	C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
Imagebase:	0x8b0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5788 Parent PID: 3932

General

Start time:	17:42:05
Start date:	25/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Euro invoice.exe PID: 5764 Parent PID: 5248 Euro invoice.exeCOMMON

Executed Functions

Function 031918F0, Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

`Am, xrefs: 0319196D

Memory Dump Source

Source File: 00000001.00000002.304006587.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID: `Am
API String ID: 0-1095020249
Opcode ID: 3d1cc42959a03c073e946a96f510ffb8a28ff5a980c3fde3ff4511f934f7d2b4
Instruction ID: 5065e779b4903ce9fea4e6821f31d3dc5c6d27cbda663da8e168a53687a39664
Opcode Fuzzy Hash: 3d1cc42959a03c073e946a96f510ffb8a28ff5a980c3fde3ff4511f934f7d2b4
Instruction Fuzzy Hash: 65819C32F141259FDB14DBA9C880A9EB7F7AFC8650F1A8175E40ADB355DB30EC418B80

Uniqueness

Uniqueness Score: -1.00%

Function 03191C02, Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

, xrefs: 03191D2E

Memory Dump Source

Source File: 00000001.00000002.304006587.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 70d63e8dc0767537f9ca3107c5d3786ab6a854a4203f778039b173f0286afa5e
Instruction ID: 2ee3d80b8d4aa7350f69658dc5116055db7eda7da54de8a4fa5e34e3a16b56fa
Opcode Fuzzy Hash: 70d63e8dc0767537f9ca3107c5d3786ab6a854a4203f778039b173f0286afa5e
Instruction Fuzzy Hash: D751B332F002169FCB14CBB8C8845AEB7F2FBC9215B1985BAD505CB359DB30ED458791

Uniqueness

Uniqueness Score: -1.00%

Function 05FB0AE0, Relevance: .6, Instructions: 594COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da27654b44026cf1d57c4e1358bb0f66e824f78af40f7450beee51f9fdbf99fe
Instruction ID: 49d8f5c3666a66a9ee62131d764d9a6870970ce18b6092d8fdb7af623eafbacc
Opcode Fuzzy Hash: da27654b44026cf1d57c4e1358bb0f66e824f78af40f7450beee51f9fdbf99fe
Instruction Fuzzy Hash: 2E424974B14218CFEB18DB75D859BEA77F6AB88304F0084A9D5069B391DB78DD82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0319A710, Relevance: .5, Instructions: 516COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304006587.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0774df20a8ca40fd58e7aded9883383cab7918555ce2e9318aa3462fe434891b
Instruction ID: 36b1e1c00769a1ba1b6b69163628aa66b70ecc9157bf6631dfd3b96ed78a52bc
Opcode Fuzzy Hash: 0774df20a8ca40fd58e7aded9883383cab7918555ce2e9318aa3462fe434891b
Instruction Fuzzy Hash: 4902F631E142558FEF28DF78C5546BDBBF6AF88204F0A4467D8469B290CB38DC89CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03190856, Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304006587.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc8eeaa5c8cb3709cf1756ecfc22b9af9bf60712ef847837b3bdbc45e4e41e4
Instruction ID: 5f60d79622e0fddec9202f07e5e0e632b2a3bc02c2fffef5d9fb7aefc4793425
Opcode Fuzzy Hash: 1dc8eeaa5c8cb3709cf1756ecfc22b9af9bf60712ef847837b3bdbc45e4e41e4
Instruction Fuzzy Hash: D8D18D75E042258FDB64CF69D884AAEB7F2BF8C305F05C669D406EB258DB30AD41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 03190880, Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304006587.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe041e98f1231fc19030efabc559516b733d1a4ae5a17e37a94a12944ca2c7b
Instruction ID: 6d5f8b42af6036338674e321bb725097be5be559d4aaaedd23b6d961461e6462
Opcode Fuzzy Hash: 9fe041e98f1231fc19030efabc559516b733d1a4ae5a17e37a94a12944ca2c7b
Instruction Fuzzy Hash: CCC19C35E042298FDB64CF69D8806AEB7F2BF8C305F05C669D406EB258DB30AD41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 031904D8, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304006587.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c6d3e36b5cc42fe2b279cbc73ce9dcd6b351b506dea8dcbe6470b640e1d585
Instruction ID: 9d0434ee35ab5a688f641b47a341b1a447a7a6eef1b6d91cdd063451542f5695
Opcode Fuzzy Hash: 34c6d3e36b5cc42fe2b279cbc73ce9dcd6b351b506dea8dcbe6470b640e1d585
Instruction Fuzzy Hash: F471F6B8E4021E9FEF14CFA9D984AAEBBB1FF48310F10A559D502EB254DB319941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 03191991, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304006587.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a375c0c9ff265c7846e7d3fac084c34c3e1a0b4adc0c7e7f4d3a53ea39820e
Instruction ID: 12fcfbcc74b555f400cbf0f78f0354e201e353f33b82c4595d516ac55475d104
Opcode Fuzzy Hash: c5a375c0c9ff265c7846e7d3fac084c34c3e1a0b4adc0c7e7f4d3a53ea39820e
Instruction Fuzzy Hash: 8F616B36F141259FD714DBA9CC80A9EB3E3AFC8614F5AC175E41A9B3A5DB30EC418B80

Uniqueness

Uniqueness Score: -1.00%

Function 05FB76C8, Relevance: 3.8, Strings: 3, Instructions: 91COMMON

Download Yara Rule

Strings

([n, xrefs: 05FB776B
$%>m, xrefs: 05FB7780
$%>m, xrefs: 05FB77BA

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID: $%>m$$%>m$([n
API String ID: 0-672775995
Opcode ID: 2e54a0d53791ce0e5994e253ba3c8805bfaf0d21a6496836add9dbb0bc9805ff
Instruction ID: ce0a31bca24817cf11c60905a2c6f8d7401e9dde2a249cae26cf0bd049c9db1a
Opcode Fuzzy Hash: 2e54a0d53791ce0e5994e253ba3c8805bfaf0d21a6496836add9dbb0bc9805ff
Instruction Fuzzy Hash: 7C317A35504341CFD311ABB9C8159EBBBF5EF92204708486AD285DF352EB60DD08CB93

Uniqueness

Uniqueness Score: -1.00%

Function 05FB7738, Relevance: 3.8, Strings: 3, Instructions: 67COMMON

Download Yara Rule

Strings

([n, xrefs: 05FB776B
$%>m, xrefs: 05FB7780
$%>m, xrefs: 05FB77BA

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID: $%>m$$%>m$([n
API String ID: 0-672775995
Opcode ID: a66a2d9af32ba1bee0661666b312da1ef182aa10e64f4c578eed85bd45ac3459
Instruction ID: bde5b15395dcbea189c21158d9fbf8364534b85785241e1831bfcf6dc597c2e6
Opcode Fuzzy Hash: a66a2d9af32ba1bee0661666b312da1ef182aa10e64f4c578eed85bd45ac3459
Instruction Fuzzy Hash: 4E21C3397002058FC710ABB9C5499EEB7F6EFC4204B448929D61ADB350DF74ED058B92

Uniqueness

Uniqueness Score: -1.00%

Function 05FB772B, Relevance: 3.8, Strings: 3, Instructions: 62COMMON

Download Yara Rule

Strings

([n, xrefs: 05FB776B
$%>m, xrefs: 05FB7780
$%>m, xrefs: 05FB77BA

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID: $%>m$$%>m$([n
API String ID: 0-672775995
Opcode ID: 451f7f56f07f42e94d09019d9b7d55feae79bf3eca20007ae44a3b4a48579eba
Instruction ID: 452d2990cf841d735b7807bb642924b68a6071a141cb9041be12a823dc7e6f94
Opcode Fuzzy Hash: 451f7f56f07f42e94d09019d9b7d55feae79bf3eca20007ae44a3b4a48579eba
Instruction Fuzzy Hash: E111D3396002058FC720EB69C5499EFB7FAEFC4204B448929D916DB390EF75ED05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 03196957, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 031969E2

Memory Dump Source

Source File: 00000001.00000002.304006587.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: ed414419b7cde24f6a3d08aad08c79c545abc166fef1089385c750955d6e51a4
Instruction ID: b62735c4f5c1a71ea7e242df09780744c47031a3b46bcb4e6285b26175d00da5
Opcode Fuzzy Hash: ed414419b7cde24f6a3d08aad08c79c545abc166fef1089385c750955d6e51a4
Instruction Fuzzy Hash: 202188B19003488FDF10CFA9C90A79EBFF8EB08328F14842AD445A3240D739A444CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 03196C07, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 03196C8D

Memory Dump Source

Source File: 00000001.00000002.304006587.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 46c994afcf4d15b35bcc3abf2ade7a83b701d8faff58303bd19ca7a0ac0db987
Instruction ID: 2563a03ba999eec13f19a0909c1663d23521774f6528a0eea0c20858eb124fef
Opcode Fuzzy Hash: 46c994afcf4d15b35bcc3abf2ade7a83b701d8faff58303bd19ca7a0ac0db987
Instruction Fuzzy Hash: 27218CB49143498FEF10DF99D5457DEBFF8EB08324F14882BE859A7241C739A504CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 03196968, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 031969E2

Memory Dump Source

Source File: 00000001.00000002.304006587.0000000003190000.00000040.00000001.sdmp, Offset: 03190000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: da85fb9f7b4c7fc6384d24597b249ef62bd5d549375e8ca4fe4ec59bafbaf1f0
Instruction ID: b2a535e6ee1e40bfd2fbb3c90ba1edb563da0ef5754f87ed1517694b7a691adf
Opcode Fuzzy Hash: da85fb9f7b4c7fc6384d24597b249ef62bd5d549375e8ca4fe4ec59bafbaf1f0
Instruction Fuzzy Hash: DF1156B1910349CFEF10DFA9C50A79EBFF8EB48328F14842AD445A3640DB39A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05FBAF78, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

P, xrefs: 05FBB34A

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 4b3a4a20dc1611ef8bec0129b4c3fac62013fa286c5f40b1ed77fab0b96805cf
Instruction ID: dc51f5d3780d6ffe24ce31cc61e7422835b1959918cc005f14b138011f601d7d
Opcode Fuzzy Hash: 4b3a4a20dc1611ef8bec0129b4c3fac62013fa286c5f40b1ed77fab0b96805cf
Instruction Fuzzy Hash: F461A171B05214EBEB14CBA9C845BFEB7B2FF89305F14C126E4499B280DB788941CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05FB7334, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

([n, xrefs: 05FB78DA

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID: ([n
API String ID: 0-978978442
Opcode ID: 2c6968f2f7ccd4129f619e6a26a861f44e201b20aeff12b52009a889fe028ec6
Instruction ID: d4d07513fa3ab630e9e2182dad987fe05e2e5a6cf2ced3f28fd6b06a43192f00
Opcode Fuzzy Hash: 2c6968f2f7ccd4129f619e6a26a861f44e201b20aeff12b52009a889fe028ec6
Instruction Fuzzy Hash: 3B41D4B1D01208DBDB10DFAAC584ADEFBB5FF48304F258529D409BB250D775A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05FB7834, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

([n, xrefs: 05FB78DA

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID: ([n
API String ID: 0-978978442
Opcode ID: 759128c3bcfbe5f1cf549ad0dadffc928b5a7afc9c438d99c17ac0140cff3f40
Instruction ID: 509120fdd9dfae149fcf19d36f5acea9668f6faac79795d28ac8105c26e9e0df
Opcode Fuzzy Hash: 759128c3bcfbe5f1cf549ad0dadffc928b5a7afc9c438d99c17ac0140cff3f40
Instruction Fuzzy Hash: 9F41F1B1D01208CBDB10DFAAC584ADEFBB5FF48304F25842AD408BB200D774AA4ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 05FBA460, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

$,Bm, xrefs: 05FBA498

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID: $,Bm
API String ID: 0-3457116307
Opcode ID: 2112f9225f2ccd15891384b4ae09dc90a39a840cb0af77712a7e4542d2386385
Instruction ID: e5e67460ea4c6e0c9cf97aaee59b35338cfb341f646859f2d6447d6010a6370e
Opcode Fuzzy Hash: 2112f9225f2ccd15891384b4ae09dc90a39a840cb0af77712a7e4542d2386385
Instruction Fuzzy Hash: 55F086317401109FD724966E9849E7A7BD6FBC8610754406AF505CB390CF758D018792

Uniqueness

Uniqueness Score: -1.00%

Function 05FB2D0A, Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

Ah^, xrefs: 05FB2D0A

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID: Ah^
API String ID: 0-2951652281
Opcode ID: dc22ae09ccd2a2e6b129792f91e815f1a9e96d1e6fda95651e029f457f036dd1
Instruction ID: a2eb3bb67d3d4cdaada68b8d6e8d0ffafbac9966998af4abd2fa17ca6454daec
Opcode Fuzzy Hash: dc22ae09ccd2a2e6b129792f91e815f1a9e96d1e6fda95651e029f457f036dd1
Instruction Fuzzy Hash: B7E01A4AF081C06FE20606656D69EB57FA8979B545B8B60E5F1C09A3D2E2485C0397B1

Uniqueness

Uniqueness Score: -1.00%

Function 05FBAF68, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921ad82a3d0b4685560fdb5b5ca7e9b8aa24460f551f1ee07d7bad4d1ff68052
Instruction ID: cc9a949e4b98c75bee31472d042c61b4f578f3ec6059bd312122bfbd7ecbe038
Opcode Fuzzy Hash: 921ad82a3d0b4685560fdb5b5ca7e9b8aa24460f551f1ee07d7bad4d1ff68052
Instruction Fuzzy Hash: 3451A475F01214EFEB14CB99D845BFEB7B2FB89305F14C12AE5499B280DB748942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05FB4144, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020e2461602f9e6a137b6137f00b8f7971f16189a1abee50cfd4acb9ac315dc1
Instruction ID: 6be25c54126cdc3e3c2b926fb2f9d87bce94cb8c28e72d5cc4ca77c13cba4653
Opcode Fuzzy Hash: 020e2461602f9e6a137b6137f00b8f7971f16189a1abee50cfd4acb9ac315dc1
Instruction Fuzzy Hash: 53519031B102158FDB14EBB998488BFBBF6FFC4264B14892AE519D7350EF709D068791

Uniqueness

Uniqueness Score: -1.00%

Function 05FBC00D, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43412908c5703f1418dc4e4b4516b094ff7ed80ae7e1388ce10b99809863f45
Instruction ID: a6c72931ff3f659ca6d0836fa033efb7f006badedbfa8a420c79ccea4311322e
Opcode Fuzzy Hash: c43412908c5703f1418dc4e4b4516b094ff7ed80ae7e1388ce10b99809863f45
Instruction Fuzzy Hash: A6411836B08242CFEB118BAAD8403FBB7B6AF45645F094567E156DB291D2B8CC40DB12

Uniqueness

Uniqueness Score: -1.00%

Function 05FB3A28, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c8be1d346b7bd63c235cadfdb4d53bc747fac74dc8ef8def71cab5ae930700
Instruction ID: d4d1ceb3ecebbef486e2afedb544195b41b4374d712001c5e4127cb13bc0def1
Opcode Fuzzy Hash: 79c8be1d346b7bd63c235cadfdb4d53bc747fac74dc8ef8def71cab5ae930700
Instruction Fuzzy Hash: 13317E303007448FD710DF6AD886DAAB7E6EF84708B158969E2868F7B5DB71EC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05FB3A38, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a8eef366de50f68098ed1220be9f15c5c6a6e129c8491a301733c1aea5b2b69
Instruction ID: a3b295532bfe123ef6193fbd9cf102862ea0621128330169d8cea887e73af552
Opcode Fuzzy Hash: 8a8eef366de50f68098ed1220be9f15c5c6a6e129c8491a301733c1aea5b2b69
Instruction Fuzzy Hash: 01314B303007448FD710DF6AD985DAAB7EAEFC4708B158969E2868F7B5DB71EC058B90

Uniqueness

Uniqueness Score: -1.00%

Function 05FB9258, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e166098538616a96b84154a4ea516186b9680187fbf9d90bdc33d8b3064c44dd
Instruction ID: ef123c9591ab2b8e1d4d17cbb57e2aa24d6ccad95be6d5a8f0c1b5c6dec37544
Opcode Fuzzy Hash: e166098538616a96b84154a4ea516186b9680187fbf9d90bdc33d8b3064c44dd
Instruction Fuzzy Hash: B1319334B542009FDB189B68E94AA7D3FA2EF89701B05807AF507CB3D1DEB98C42C751

Uniqueness

Uniqueness Score: -1.00%

Function 05FB2460, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d75e218300d5376cf915c0bacef9002dc8719efe6053b39434abc8e8138cfa
Instruction ID: 8dec851f6616d2886349900509b680f647759e4e2c1d27a4b589652c793c1052
Opcode Fuzzy Hash: 17d75e218300d5376cf915c0bacef9002dc8719efe6053b39434abc8e8138cfa
Instruction Fuzzy Hash: CD21263670A314DFD7255B7AD80469AB7ABEFC1615F0A84B6D504DB393DAB8CC0283D1

Uniqueness

Uniqueness Score: -1.00%

Function 05FBB6D2, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0307e1713d4918d4bb01da12222a05c6f03eac245b8b334afcdaaecdb84330e4
Instruction ID: 3a3d0233c2c7f5e9112d7482f7518b737f5ec911b2b9d17d3ad02ec6632cac5a
Opcode Fuzzy Hash: 0307e1713d4918d4bb01da12222a05c6f03eac245b8b334afcdaaecdb84330e4
Instruction Fuzzy Hash: A921D172A08655CBEB00CB6AC8513FEB7B6EB41310F248A67D4A6C62D1D3AC8951C792

Uniqueness

Uniqueness Score: -1.00%

Function 018FD054, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.303766577.00000000018FD000.00000040.00000001.sdmp, Offset: 018FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731359020f19f061d7cb73e25e52877d761ac0f1a83d5f916aa1369270a5a0c9
Instruction ID: 20730168e26a1643bc56bfd9625537c76f6e768d7c0258f03177b4a4179cd71a
Opcode Fuzzy Hash: 731359020f19f061d7cb73e25e52877d761ac0f1a83d5f916aa1369270a5a0c9
Instruction Fuzzy Hash: A7210872500244DFCF15DF94D8C4B26BBA5FB88318F24C66DEB094B246C33AD956CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 018FD3D0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.303766577.00000000018FD000.00000040.00000001.sdmp, Offset: 018FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e065e80638efb493c33579a3b1a525b808e849b2fa2533202b34f4a97063bd65
Instruction ID: be5c461cabd213af424189eba62d138ffdbf5ef37f8ffa0477e965612e5a70dd
Opcode Fuzzy Hash: e065e80638efb493c33579a3b1a525b808e849b2fa2533202b34f4a97063bd65
Instruction Fuzzy Hash: F2212B71500204DFCB05CF94D8C0B66BB65FB84714F24C66DDB058B246C336E516CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 018FD5AC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.303766577.00000000018FD000.00000040.00000001.sdmp, Offset: 018FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6326785b6ccade2cef06eda792dfd153b13e9776b54914a2affae93189ac607a
Instruction ID: 5d73fa9afafa5af371d7e87ee5cd9a9f868eeeac2ed3fa0e7ab38ecf2674ce03
Opcode Fuzzy Hash: 6326785b6ccade2cef06eda792dfd153b13e9776b54914a2affae93189ac607a
Instruction Fuzzy Hash: C2213871500204DFCB01DF94D9C0B26BF65FB88328F20866DEA098B206C33AD556C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0190D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.303808690.000000000190D000.00000040.00000001.sdmp, Offset: 0190D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2327cfcb6fa094f6877f057c414cda0d9ee6aaf29e7e587f412beaee918bf1f3
Instruction ID: 45da1a72da0d69264637b8d5966a91a4f3dbd920f6a6a0036d77e05917396923
Opcode Fuzzy Hash: 2327cfcb6fa094f6877f057c414cda0d9ee6aaf29e7e587f412beaee918bf1f3
Instruction Fuzzy Hash: 54210375604200DFDB16CF94D8C0B26BBF9EB84754F20C969D84D4B286C33AD807CA62

Uniqueness

Uniqueness Score: -1.00%

Function 05FB6FCC, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12dc4a43f59f1b065a1b5a2ca33dca5e87694c29b257c65377499605ca129db4
Instruction ID: 80df35c39acd0e9cd492652f66f3748afdd317b683dcd2787e42f8df81a855b4
Opcode Fuzzy Hash: 12dc4a43f59f1b065a1b5a2ca33dca5e87694c29b257c65377499605ca129db4
Instruction Fuzzy Hash: 0D31C270D01218DFEB10DF9AD589BDEBBF4EB48314F24852AE405BB290C7B95845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05FB71C4, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c911f389210e01910fd398fc0069995a5db9bac01778325abebc5a981afac4f
Instruction ID: 4b5f267528d77b9195fe2a62fad0d09c271fab4b4cf400f12cb77ea3ce6557af
Opcode Fuzzy Hash: 6c911f389210e01910fd398fc0069995a5db9bac01778325abebc5a981afac4f
Instruction Fuzzy Hash: ED31C0B4D01218DFEB10DFAAC989BDEBFB4AB48314F24816AE404BB290C7B55945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05FB4135, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62a481991ab73eac1ca505d033bb0d23f2782c67fc3b76a65f2d49017cdcb72
Instruction ID: 0527ef39a2566dd4cd1ba1efe244394e2cec77e385786d518ff03b80343e808c
Opcode Fuzzy Hash: b62a481991ab73eac1ca505d033bb0d23f2782c67fc3b76a65f2d49017cdcb72
Instruction Fuzzy Hash: 0A11C475F002169F5B11EE6A8C449FFBBBBFBC42507144929E425D3340EF7499068761

Uniqueness

Uniqueness Score: -1.00%

Function 05FB4310, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bddc3ad6a94ffb0ac4debcf7541872c0c1509285815990302074ec942056d3b
Instruction ID: 89ae7a09049b02058dbd7c0def167007c9b868070f550a8fd408b4e2563ad8ed
Opcode Fuzzy Hash: 0bddc3ad6a94ffb0ac4debcf7541872c0c1509285815990302074ec942056d3b
Instruction Fuzzy Hash: 2711A331F04219CBCF54EBB999115FEB7F7AF88254B14417AC505EB241EB358D12CB91

Uniqueness

Uniqueness Score: -1.00%

Function 018FD04F, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.303766577.00000000018FD000.00000040.00000001.sdmp, Offset: 018FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb28930c885192232a36f3b2b627e728ea8eda1dd60f5ce0f92158a18c8a9998
Instruction ID: 4b4bb95f178f212a04b688fb06f3f59d22ed72f33d6226dced3cffaa5d96b819
Opcode Fuzzy Hash: bb28930c885192232a36f3b2b627e728ea8eda1dd60f5ce0f92158a18c8a9998
Instruction Fuzzy Hash: DA21CD72404680DFCF16CF44D9C4B16BFB2FB88314F2882A9DA484B217C33AD566CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 018FD3CB, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.303766577.00000000018FD000.00000040.00000001.sdmp, Offset: 018FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2d0f1679f4c89f571625e18d7d5f2d4adab21caf8ad97753c15d3883ad9fab
Instruction ID: 11e6b5ec7a84fbf7dc74b7378c5ae1de73ef2d39e7b439fb3bd0e637c7e697db
Opcode Fuzzy Hash: ee2d0f1679f4c89f571625e18d7d5f2d4adab21caf8ad97753c15d3883ad9fab
Instruction Fuzzy Hash: 9C21AF76504280DFCB16CF54D9C4B56BF71FB84324F24C2A9DE044B656C33AE56ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05FB701B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c5ab65ff7aa62ab8e1e95d18f5eb0afbe25438c8807b19228e7353e23c8694
Instruction ID: 034daacf8c247ad283a575c33e7f8442735440afd7f742e23d507f7c8ca6f1fd
Opcode Fuzzy Hash: 59c5ab65ff7aa62ab8e1e95d18f5eb0afbe25438c8807b19228e7353e23c8694
Instruction Fuzzy Hash: 3401A175F0021A9B5B10EA6A9C849BFB7FBFBC42A07148929E415D3340EF709A018761

Uniqueness

Uniqueness Score: -1.00%

Function 05FB9B13, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e97ae448147d70e514139c37517477451f7a7e5e29a5a01ba95353d21d5111
Instruction ID: 2132801b68f9fda198d619cf42c058eae662750f99febe6519e3e658629838af
Opcode Fuzzy Hash: 17e97ae448147d70e514139c37517477451f7a7e5e29a5a01ba95353d21d5111
Instruction Fuzzy Hash: 1D118170B45341DBE7115B25C94BBB97BA2AB41709F1880B9E21A8E2D2C7BD8846C711

Uniqueness

Uniqueness Score: -1.00%

Function 018FD5A7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.303766577.00000000018FD000.00000040.00000001.sdmp, Offset: 018FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11772b62ccc9d22d83b62afd0a891c4d6e4a6fe74df51c0b93359674bc6ca424
Instruction ID: c8b4b9862a45da1b2bc5937d86b3a3a8d0b11b20218679a3b1022059a426516e
Opcode Fuzzy Hash: 11772b62ccc9d22d83b62afd0a891c4d6e4a6fe74df51c0b93359674bc6ca424
Instruction Fuzzy Hash: C3119D76504280CFCB12CF54D9C4B16BF62FB84324F2486A9DA094B656C33AD55ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0190D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.303808690.000000000190D000.00000040.00000001.sdmp, Offset: 0190D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6721c5f398c8097140773d73ad99daa96817053c3c178d2b1fa34033079f905
Instruction ID: 095a6a80d76a8e37c18ee6c9d0265a2d91f8a7c13c9cd1500c7413c76d20d7ec
Opcode Fuzzy Hash: b6721c5f398c8097140773d73ad99daa96817053c3c178d2b1fa34033079f905
Instruction Fuzzy Hash: 9F11BB75504280CFCB12CF94D5C4B15BFB2FB84324F28C6AAD80D4B696C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05FB1D98, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e2593a25a2f8cff8812e4c85591567a9950c783331b94e62e98250719f0caf
Instruction ID: 9b4d75a57d352544884bb844843bedcd702c7e587f47352773870746f1245f57
Opcode Fuzzy Hash: a5e2593a25a2f8cff8812e4c85591567a9950c783331b94e62e98250719f0caf
Instruction Fuzzy Hash: AF11A031B042188BDB189BA5D864BEE76B6AB8D214F144429C502BB380CFB96C45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05FB1D8B, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be0ad364eb3dbb3941e99edf32e82693a2bea47b11d978891027ac786cf9c78
Instruction ID: 30f95d37cd43dbd2c09438b5112bc05d8a9be47dc5051bf118acae297452d92b
Opcode Fuzzy Hash: 2be0ad364eb3dbb3941e99edf32e82693a2bea47b11d978891027ac786cf9c78
Instruction Fuzzy Hash: 2411A531F04218DBEB159764D868BEE76B6EB8C354F144429C502FB384DFB95845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05FB6FD8, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1e204cb0daf5f27bf175cbfa70b7bec4bcf54453b2eab5ba955f687161c56c
Instruction ID: de4a9d81f67ed208ebee68c5bc6c7301d9b32c065f9b3c7c7aff7161ce2b9884
Opcode Fuzzy Hash: 8e1e204cb0daf5f27bf175cbfa70b7bec4bcf54453b2eab5ba955f687161c56c
Instruction Fuzzy Hash: C011F5B5900648DFDB10DF9AD444BDEFBF8EB58324F14841AD559B7240C379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05FB2530, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0bd678e7b855d4ce074dc75634129e96593c98dcf813adb95e653539d91d8d
Instruction ID: cedd218c212f9267136bdcd97397c0765711cc62bcd9301ce03c13f1133b825e
Opcode Fuzzy Hash: 6f0bd678e7b855d4ce074dc75634129e96593c98dcf813adb95e653539d91d8d
Instruction Fuzzy Hash: 94018C35A01209DFDB08DF69D959A9E7BF2EF8D300F104069E402E7361DB759D02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05FB7E23, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a14ba3d302e087f7e19ed5b2c7898dd13611c047727f59e5b67424e72a25a2
Instruction ID: 9452b70c43cecd094f87c759a9844dda515309c78a0847202aafc94c5027a921
Opcode Fuzzy Hash: 84a14ba3d302e087f7e19ed5b2c7898dd13611c047727f59e5b67424e72a25a2
Instruction Fuzzy Hash: 6511F2B5900648DFDB10DF9AC485BDEFBF8EB48324F24841AD559A7200C379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 018FD955, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.303766577.00000000018FD000.00000040.00000001.sdmp, Offset: 018FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac61b36265e9dce1417d84fb59d2bb3daab27d23485865e6228654e2e221e778
Instruction ID: 845c8d76fd0c862a14999e45e1ea377a3c2046208b1d1bea5f6a7d74381f56ab
Opcode Fuzzy Hash: ac61b36265e9dce1417d84fb59d2bb3daab27d23485865e6228654e2e221e778
Instruction Fuzzy Hash: D701F731208384AAE7114BD6CC847A6BFDDDF41728F18C61EEF089A282C378D944C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 05FB39A0, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13170619e03a94f23a7e89a112b8abd1127680bdd47b5e094ae7a3de96bfda40
Instruction ID: bf018221f66733935c6a3d889b5511cdf4f5763ed9cebdbcf204addb9c52eebb
Opcode Fuzzy Hash: 13170619e03a94f23a7e89a112b8abd1127680bdd47b5e094ae7a3de96bfda40
Instruction Fuzzy Hash: 6F01A2352003019BC710DFAED8829DEB7AAEF84658704CE2ED58ACB651DB31ED0687D1

Uniqueness

Uniqueness Score: -1.00%

Function 05FB2540, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f56b20bac9ea89178455bb761bbc78cb34e4b5b044b03b706f75ee334802c85
Instruction ID: 098cac4a1e00ee4d4cc998a4d81ca33315e7867c7f1f021cc8cfd49c3e70b5c5
Opcode Fuzzy Hash: 6f56b20bac9ea89178455bb761bbc78cb34e4b5b044b03b706f75ee334802c85
Instruction Fuzzy Hash: 7F012C35A01219DFDB08DF68D9599AA7BF2FF8D304F104469E402E7360DB759D01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05FB7D08, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 426b98c072b5003d08541c8056ed82aa60b0359f82612c2c06ca6e5e64a20bbd
Instruction ID: bae35df4e87692b0a1b24a09275dde97636a35e930ab83bc41098523bb596a28
Opcode Fuzzy Hash: 426b98c072b5003d08541c8056ed82aa60b0359f82612c2c06ca6e5e64a20bbd
Instruction Fuzzy Hash: 09F082767051242F9714976EDC85E6BB7EDEBCD661B55813AF90CC7311C9309C41C2E0

Uniqueness

Uniqueness Score: -1.00%

Function 05FB39B0, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0add728806516f1dad496a413c0bfecbe143d5c8e0a977ca2a3e1003e5cd4476
Instruction ID: aff706f8d25b6e7f4dfe496a9b1ae84d7ffd2d124fa7ac6ff7a53c4aa9f7f628
Opcode Fuzzy Hash: 0add728806516f1dad496a413c0bfecbe143d5c8e0a977ca2a3e1003e5cd4476
Instruction Fuzzy Hash: E6F086312003055B8710DF5AD4818DBB7BAEFC56543408E2ED18A8B250DB71FD0587D2

Uniqueness

Uniqueness Score: -1.00%

Function 05FB7C6F, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68cf4e2657c4e75e947fd436defd26e394f09a72765db7330722d751a144287f
Instruction ID: b50d050fec6c8e3910de2cc4eff198b5bbe704feaa5bddb21f6cc6de4a83fb5d
Opcode Fuzzy Hash: 68cf4e2657c4e75e947fd436defd26e394f09a72765db7330722d751a144287f
Instruction Fuzzy Hash: 7F011AB0D05219DFEB15EF66C8083EEBAF1FB84310F118629E425AA290D7B84A40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 018FD954, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.303766577.00000000018FD000.00000040.00000001.sdmp, Offset: 018FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf8ea5b807f908394cc82e04e1477570f06af47722d74c2c43c162ddc20bd40
Instruction ID: 5dd5f5fdd6e9f56461d3666e90772bb73ab643f44b93f84a253ae8f260fb148f
Opcode Fuzzy Hash: 9cf8ea5b807f908394cc82e04e1477570f06af47722d74c2c43c162ddc20bd40
Instruction Fuzzy Hash: 0CF06271504344AAEB118E59CC84B66FFE8EB81734F18C55EEE485F287C3799944CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05FB7C78, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a7e746515c673442ae9e5d611535b29df8662ac59cc67f447d0fb663ff4568
Instruction ID: 0eaafa1069f1b566e1722f62201dab45b1a135c34ddd1f0e411f1a9a525b504e
Opcode Fuzzy Hash: 37a7e746515c673442ae9e5d611535b29df8662ac59cc67f447d0fb663ff4568
Instruction Fuzzy Hash: 0101DAB0D05219DFEB14EF66C8047EE7AB5FB84350F118529E425AA290D7B84A40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05FB7D18, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ac1de0f04b6f4a5d459de635ab7c04ca7a579c58f2bfd49b400b24197d2085
Instruction ID: 8314e53b49ffe531e9bc99a2179e4c93e96fcc761bb182143f8a6d53fe56677d
Opcode Fuzzy Hash: 93ac1de0f04b6f4a5d459de635ab7c04ca7a579c58f2bfd49b400b24197d2085
Instruction Fuzzy Hash: 1FE039767001246F5718DAAED884C6BBBEEEBCD665355813AF90CC7310DA309C00C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 05FB72D0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38129f6255681f393253f8b58c91f192055ad582796d04c3172b599cb2e602a
Instruction ID: 2d5763f1a3abc877aa1bb54f100c15303840d56e629d276b26e30ad174f9ab0d
Opcode Fuzzy Hash: e38129f6255681f393253f8b58c91f192055ad582796d04c3172b599cb2e602a
Instruction Fuzzy Hash: E7E09234A11109DFDB40EFA8E686AADB771EF45308B214569CC48D7B44CB349F19CB41

Uniqueness

Uniqueness Score: -1.00%

Function 05FBBFA8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312c67c5558c67f50dc3964312d3fe73b13d9e5ca021dcb7f2f52c7af3e3965f
Instruction ID: 5eda707cbc18b3d6323dcb2e3a419b79686b4ce6ab347ca0ba5db149bb363bbd
Opcode Fuzzy Hash: 312c67c5558c67f50dc3964312d3fe73b13d9e5ca021dcb7f2f52c7af3e3965f
Instruction Fuzzy Hash: E0E04F3070D2D09FC702CB78E4154953FB59F4A15171944EFE485CF663C5608D05C762

Uniqueness

Uniqueness Score: -1.00%

Function 05FB72E0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133c38717b4fe9e618c3fe52420e019fe7f1d1eca3b6bb9dcdd2b5aadd0ed526
Instruction ID: f4f9e11f0f5b2595faf78c4b55b38f61982bb77f69c1829ee6c76caa38ec4533
Opcode Fuzzy Hash: 133c38717b4fe9e618c3fe52420e019fe7f1d1eca3b6bb9dcdd2b5aadd0ed526
Instruction Fuzzy Hash: ABE08630B11209EF9B00DFA9F5068ADB7B6EB453147118569DC08D3B40DB356F10DF92

Uniqueness

Uniqueness Score: -1.00%

Function 05FBBFB8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b13e37b8c7109abd8305214f33095ba3874fb225a40236bd28aaebd497c1b8
Instruction ID: fa202e3e1c0944079c590ba7a35a802aec6f97b4a60ba28f013b15c0745d08d2
Opcode Fuzzy Hash: 79b13e37b8c7109abd8305214f33095ba3874fb225a40236bd28aaebd497c1b8
Instruction Fuzzy Hash: 12D0C9317101148FC704DB5DE4459A537EDEF8965575004BAF50ADB361EEA1AD02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05FB3123, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b30d7fe75195371be7bab099f16f07fdc4f124f4604a332417ce61ee8608766
Instruction ID: 8e2772bc7799d252b58db66f5afa6f1c7368b2b2f904256822a8e11728fec3d7
Opcode Fuzzy Hash: 2b30d7fe75195371be7bab099f16f07fdc4f124f4604a332417ce61ee8608766
Instruction Fuzzy Hash: 8BD0A5477445C443D743577D595578D3FC94F52254F4504DE84D94711BE508415BD70C

Uniqueness

Uniqueness Score: -1.00%

Function 05FB9228, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776e5d96739c742971657fc95ad182642ab9297f3aaf7302a35502af158fdb69
Instruction ID: c64d178374d27c05691e4b13726b9fb8039a7eded3fd73b9e41fb00903c9ecf4
Opcode Fuzzy Hash: 776e5d96739c742971657fc95ad182642ab9297f3aaf7302a35502af158fdb69
Instruction Fuzzy Hash: 14D0A7311081449FCB054F6CE8068FE3F73AF95301714C162F945CA576C7368E25D750

Uniqueness

Uniqueness Score: -1.00%

Function 05FB42D8, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3483f47df8e8888bf916ff2215ab85fb0f445100d9606387c4f3f0f423fde820
Instruction ID: e74120be499ce46a0a2a88f08f8d8811cb80d6ffdbf7e1cd11f0fe755718168a
Opcode Fuzzy Hash: 3483f47df8e8888bf916ff2215ab85fb0f445100d9606387c4f3f0f423fde820
Instruction Fuzzy Hash: E0C08C76A050809FF787AB04DE05F857996EB6E204F0480E26C08DF172E229883C9B62

Uniqueness

Uniqueness Score: -1.00%

Function 05FB4124, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69dd0f41faa9762fad9827bb6668d15d033e16d0ddd83c255217a34a9136469
Instruction ID: 5db1e99108b6d3886d235dd1719d4a23aaf2f220f2edd6fc9a8cfd7b8ef25ab2
Opcode Fuzzy Hash: b69dd0f41faa9762fad9827bb6668d15d033e16d0ddd83c255217a34a9136469
Instruction Fuzzy Hash: BAC09B3B145110FF9F01E751CA4DC97B6E7FF557007418C55A18856031C766CC59EB16

Uniqueness

Uniqueness Score: -1.00%

Function 05FB9238, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b5f822d947fe830516487ce636405b85d0c276072e31ae41d140d4f51847e7
Instruction ID: 90939b1c7aabf5bf6c139b26ac4749e4fe407aea3d501507be6c463a6ab6cd97
Opcode Fuzzy Hash: 99b5f822d947fe830516487ce636405b85d0c276072e31ae41d140d4f51847e7
Instruction Fuzzy Hash: D3C04C35110108ABDB14AF59E80A8AEBF6AFF98261B10C131F85946261DF729D219B90

Uniqueness

Uniqueness Score: -1.00%

Function 05FB8CC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 202e83d312907c232752efc4feeb62b2ca5ea33ba0249517eac66c610d482f8c
Instruction ID: 4870ebe203f605b2cdf16f3f2b464f303dda0ba22df2512d4132c3b3bbd0c66b
Opcode Fuzzy Hash: 202e83d312907c232752efc4feeb62b2ca5ea33ba0249517eac66c610d482f8c
Instruction Fuzzy Hash: D2B0928A60E7C80FCB0726740D6519A2A311AA7068BCF16C291A18B2FBFA188A084321

Uniqueness

Uniqueness Score: -1.00%

Function 05FB3940, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8433bfa1fd4134e3b09b38ce41415a30ece46af9af500570bf355c1b72ee64db
Instruction ID: 9de20c251b56fc2850950a450e19ae2b3c8d22801204344d15c97a99b553c2cd
Opcode Fuzzy Hash: 8433bfa1fd4134e3b09b38ce41415a30ece46af9af500570bf355c1b72ee64db
Instruction Fuzzy Hash: 6DA0029A563504AAEA5023769C573891750DB60913FCF6D524410C4341CC485043D031

Uniqueness

Uniqueness Score: -1.00%

Function 05FB2520, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e37fa2c4b25c90fedda369ee33962fc46b1138c5811620e710add117a99e31e3
Instruction ID: 5b341190c77585658557a2ac94e766b1a328ed5906a4ff1de745a14f7d5a293c
Opcode Fuzzy Hash: e37fa2c4b25c90fedda369ee33962fc46b1138c5811620e710add117a99e31e3
Instruction Fuzzy Hash: 43B092301502088F82409A59D445C007BA8AF08A143410090E1088B632C621F8008A40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05FB8320, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f7b12bd1444d199f0b209dc18ba1612219bdbfc40711af15751082fa844800
Instruction ID: 28691e4d293ca382c9874a1c10aec10b0580f2d223a79cc5a4cbc97e0bd5d185
Opcode Fuzzy Hash: 97f7b12bd1444d199f0b209dc18ba1612219bdbfc40711af15751082fa844800
Instruction Fuzzy Hash: 6FD13830D2475ACACB10EBA8D890AEDB771FF95200F61CB9AD14977254EB706EC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05FB8330, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.307885632.0000000005FB0000.00000040.00000001.sdmp, Offset: 05FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e19d70b4451fdc3c46a59fac8f5fe4f09b289b5bb0aa25763ed6e0e3998dfbf
Instruction ID: 2044cb15b66098ad6849e2d24a930ba9b5fcf75611b39fe30145191db07240d9
Opcode Fuzzy Hash: 1e19d70b4451fdc3c46a59fac8f5fe4f09b289b5bb0aa25763ed6e0e3998dfbf
Instruction Fuzzy Hash: 50D13730D2075ACACB10EBA8D990AEDB771FF95200F61CB9AD14977254EB706EC5CB81

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 6980 Parent PID: 5764 RegSvcs.exeCOMMON

Executed Functions

Function 010A1668, Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010A16A9

Memory Dump Source

Source File: 00000005.00000002.556279083.00000000010A0000.00000040.00000010.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5a6ba546c5de1d34552abd18bd34ced34a243bc52732405d8fa46e35a0c01beb
Instruction ID: adc17c414d85731743c77fe76bca49b84de5d161f50a104048016645848f7c14
Opcode Fuzzy Hash: 5a6ba546c5de1d34552abd18bd34ced34a243bc52732405d8fa46e35a0c01beb
Instruction Fuzzy Hash: E4615D30A10309DBDB14EFF5D859AAEBBF2AF88304F508829D546E7394DF759842CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01306B1F, Relevance: 6.1, APIs: 4, Instructions: 136threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01306BB0
GetCurrentThread.KERNEL32 ref: 01306BED
GetCurrentProcess.KERNEL32 ref: 01306C2A
GetCurrentThreadId.KERNEL32 ref: 01306C83

Memory Dump Source

Source File: 00000005.00000002.556397461.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ae5b1cbec7b29af618c62a6c67dfc17ddf3cf324fc8b79411f4581fb5be8f830
Instruction ID: 2e37230ccb499bc7e2180ce124a1890625d06933ec2af1a2ffb9b2d0943ea11a
Opcode Fuzzy Hash: ae5b1cbec7b29af618c62a6c67dfc17ddf3cf324fc8b79411f4581fb5be8f830
Instruction Fuzzy Hash: 2751BAB0D017858FDB05CFA9C5487DEBFF0EF49318F20849AE049A7291CB34A849CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01306B50, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01306BB0
GetCurrentThread.KERNEL32 ref: 01306BED
GetCurrentProcess.KERNEL32 ref: 01306C2A
GetCurrentThreadId.KERNEL32 ref: 01306C83

Memory Dump Source

Source File: 00000005.00000002.556397461.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 29d4c481de5dd0d23869fa2ed03e651b72bf99f4cb5ccecc23e4a6545c3efb56
Instruction ID: 1a79a67f6fb739f0b11371a1dc247622dc3a930885006a7c6da37ee6c74df885
Opcode Fuzzy Hash: 29d4c481de5dd0d23869fa2ed03e651b72bf99f4cb5ccecc23e4a6545c3efb56
Instruction Fuzzy Hash: 805154B4E007488FDB54CFA9C5487EEBBF0EB88318F208459E159A7290CB34A849CB65

Uniqueness

Uniqueness Score: -1.00%

Function 010A1D00, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 169libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010A1DBF

Strings

U, xrefs: 010A1D5D

Memory Dump Source

Source File: 00000005.00000002.556279083.00000000010A0000.00000040.00000010.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: U
API String ID: 2994545307-3372436214
Opcode ID: 7ecd454b5deb1f6250940575badd9c1e2b3d93d3c1ef9798cbe6aa2cde173838
Instruction ID: c237310adb19f8ba057a2f937ff8ccab38ded392e9f7c1592966c2051ef0db3d
Opcode Fuzzy Hash: 7ecd454b5deb1f6250940575badd9c1e2b3d93d3c1ef9798cbe6aa2cde173838
Instruction Fuzzy Hash: 8251D030A14305AFDB05EFB4C858AAE77F5AF84304F14896AE546DB292EF30D8058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0553F750, Relevance: 1.7, Strings: 1, Instructions: 412COMMON

Download Yara Rule

Strings

\=m, xrefs: 0553FAAC

Memory Dump Source

Source File: 00000005.00000002.558264033.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID:
String ID: \=m
API String ID: 0-2977325045
Opcode ID: 31fcea8bde2dfaa70abf3216cb26dff6736cec4844dbe7c2b13c6155595508ce
Instruction ID: d34537e4c09b17be390460feaf3f893bc3700d1f5efb13092693799587de9072
Opcode Fuzzy Hash: 31fcea8bde2dfaa70abf3216cb26dff6736cec4844dbe7c2b13c6155595508ce
Instruction Fuzzy Hash: 87E16035F002049FDB54DBA8C895BADB7B6FF89310F14842AE50AEB395DE38DC468B51

Uniqueness

Uniqueness Score: -1.00%

Function 010A1D60, Relevance: 1.6, APIs: 1, Instructions: 148libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010A1DBF

Memory Dump Source

Source File: 00000005.00000002.556279083.00000000010A0000.00000040.00000010.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c4542aea14b67130473605668a472a4467f3c52c4ba9e3b4cf3c1286787807a3
Instruction ID: 95e4e813f5ef1ce2ef4eaa543c2d05443a580fe075c1405d29079148e438a575
Opcode Fuzzy Hash: c4542aea14b67130473605668a472a4467f3c52c4ba9e3b4cf3c1286787807a3
Instruction Fuzzy Hash: 6D519231B102059BCB04EFB4C855AAEB7F5FF84304F148A6AE5469B391EF34DD058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 010AC9C8, Relevance: 1.6, APIs: 1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.556279083.00000000010A0000.00000040.00000010.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f97487d7ba8d03f5e22263916fdb1b0a34cfa8983ff58fd66223ef0d2b463f9
Instruction ID: c089c57b06d16a2c0ea8cd0efdc4c5ceee9cf3f5fc0ce071eb2124a85a939241
Opcode Fuzzy Hash: 8f97487d7ba8d03f5e22263916fdb1b0a34cfa8983ff58fd66223ef0d2b463f9
Instruction Fuzzy Hash: BA412572E047498FDB04DFB9C8046EEBBF4AF89310F1986AAD444E7241DB749845CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 01305184, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013052A2

Memory Dump Source

Source File: 00000005.00000002.556397461.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a43bc6847e8c4c8c3f5c82891e02a609371e7563678f96db2622cc86f65e3d69
Instruction ID: 909a3651e74709a3fe2dae00c902b73d35361e8be405e82551d9e518dfd3881c
Opcode Fuzzy Hash: a43bc6847e8c4c8c3f5c82891e02a609371e7563678f96db2622cc86f65e3d69
Instruction Fuzzy Hash: 9A51DEB1D003099FDB15CFA9C894ADEBBB5BF58314F24812AE818AB250D774A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01305190, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013052A2

Memory Dump Source

Source File: 00000005.00000002.556397461.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e5d1faece05c47dd0bb9817c57e9c98035a5b4b4b611c6f9facfdef7e08135d0
Instruction ID: 7863667a0c60e3990d10e8b591b007ef5c7c4222b6f29789e9294cd732236aac
Opcode Fuzzy Hash: e5d1faece05c47dd0bb9817c57e9c98035a5b4b4b611c6f9facfdef7e08135d0
Instruction Fuzzy Hash: 6C41BEB1D10309DFDB15CFA9C894ADEBBF5BF48314F24852AE819AB250D774A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01306964, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 01307D09

Memory Dump Source

Source File: 00000005.00000002.556397461.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: ac4ca53f34510f5772cea93971df5e39ca5c3cf59865b1820ac0e15c3488e187
Instruction ID: c8e7bae9d5c9526983c26e221df4dd2cd0f275f7084ff397b5473c2702cb7e94
Opcode Fuzzy Hash: ac4ca53f34510f5772cea93971df5e39ca5c3cf59865b1820ac0e15c3488e187
Instruction Fuzzy Hash: 41414BB5A00309CFDB15CF99C488AAABBF5FF88318F258459D459AB361D734A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010A1608, Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010A16A9

Memory Dump Source

Source File: 00000005.00000002.556279083.00000000010A0000.00000040.00000010.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b40c25076f6b5a751c8da98e52387ce4d7e4ec4b37a487b88606d775692a2676
Instruction ID: 0b71d3dddbe4ae9a54a80acfafcbbf17a14af97ca8435412f0e5879b883e3e64
Opcode Fuzzy Hash: b40c25076f6b5a751c8da98e52387ce4d7e4ec4b37a487b88606d775692a2676
Instruction Fuzzy Hash: DE31F230E04348DFCB02DBB8D848AEDBBF1BF49304F1584AAD545EB2A6E7359846CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0553F740, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

\=m, xrefs: 0553FAAC

Memory Dump Source

Source File: 00000005.00000002.558264033.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID:
String ID: \=m
API String ID: 0-2977325045
Opcode ID: 253846ba8e51391511f914abe52eaf989de98788e23113cf5956c537921177cc
Instruction ID: 689361d89ba661e0fde746c7c198e745cd9485163454a25dac9e9bb52dda0553
Opcode Fuzzy Hash: 253846ba8e51391511f914abe52eaf989de98788e23113cf5956c537921177cc
Instruction Fuzzy Hash: 63C15C75F002059FDB54DBA8D4A5BADB7B2FF89310F148429E50AEB394EB38DC428B51

Uniqueness

Uniqueness Score: -1.00%

Function 01306D72, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01306DFF

Memory Dump Source

Source File: 00000005.00000002.556397461.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a4efed53310f5d4457c429ba254b44b3a37a0df659d8e1f4755d0633f0425d50
Instruction ID: 2bfd895e90558290f2c73077d1dc2d06762da1a08ba317e76d5abcc233b88887
Opcode Fuzzy Hash: a4efed53310f5d4457c429ba254b44b3a37a0df659d8e1f4755d0633f0425d50
Instruction Fuzzy Hash: BB21E2B5900248DFDB10CFA9D984AEEBFF8EB48324F14841AE958A7350D374A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01306D78, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01306DFF

Memory Dump Source

Source File: 00000005.00000002.556397461.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 100a8fdebe5d3456bb16918dba1247d15bb12beea52264b4bf6bcd1399b88b18
Instruction ID: 078ee87860536b056e772c34dc689d6cfb9ccac2245332a097b0a758fe2dd1b0
Opcode Fuzzy Hash: 100a8fdebe5d3456bb16918dba1247d15bb12beea52264b4bf6bcd1399b88b18
Instruction Fuzzy Hash: F621C4B5900308DFDB10CFA9D984ADEFBF8EB48324F14841AE954A7350D374A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01302F30, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01304216

Memory Dump Source

Source File: 00000005.00000002.556397461.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a8ec082acfa03b24f7e5ccb31d2a768d3ea2a3e4d92a590a2d191ae51efce82f
Instruction ID: 1b3678c57e91156b91f20d0021ad6cafd267ae092a0111dddf90c0b44c837e09
Opcode Fuzzy Hash: a8ec082acfa03b24f7e5ccb31d2a768d3ea2a3e4d92a590a2d191ae51efce82f
Instruction Fuzzy Hash: F32156B59043488FCB11DFAAD444AEEFBF8EF49228F14846AC955A7611C334A646CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0130BDF8, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0130BE82

Memory Dump Source

Source File: 00000005.00000002.556397461.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: e6a6007147ffb83d6f214b7b8c794e40aa6d366b55b670d9642c5aadb10ab789
Instruction ID: f2d1a1590f52e24be6484f23fdbcde46ead1910a12e5774bec1e92253dbb9e32
Opcode Fuzzy Hash: e6a6007147ffb83d6f214b7b8c794e40aa6d366b55b670d9642c5aadb10ab789
Instruction Fuzzy Hash: 4821CD75D01349CFDB21DFA9D44839AFBF0EB04318F24885AD549B3641C738A809CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010AB518, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,010ACA1A), ref: 010ACB07

Memory Dump Source

Source File: 00000005.00000002.556279083.00000000010A0000.00000040.00000010.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: c7f9a87ed963e38a7e1c1679164f67f57d8ae96a3d012bc879c638901d390278
Instruction ID: ca1585a35b9b307550ab638dad0de2d6639fc2a09f953864c38d581d62bf059f
Opcode Fuzzy Hash: c7f9a87ed963e38a7e1c1679164f67f57d8ae96a3d012bc879c638901d390278
Instruction Fuzzy Hash: E11144B1D00619DFDB10CFAAC444BEEFBF8AB48224F55816AE814B7200D378A945CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 010ACA98, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,010ACA1A), ref: 010ACB07

Memory Dump Source

Source File: 00000005.00000002.556279083.00000000010A0000.00000040.00000010.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 3b5a78cc6237e76bb1d7edba36f18d785b1941c166c031b48f1f89b833315ac0
Instruction ID: 40a0a401d72bf5f07e7b21de67ef9ae630d93b86714e922cbe9c5564c25187a5
Opcode Fuzzy Hash: 3b5a78cc6237e76bb1d7edba36f18d785b1941c166c031b48f1f89b833315ac0
Instruction Fuzzy Hash: AE1147B1C00619CFDB00CF99C9487EEFBF4AF08224F15866AD424B7240D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0130BE08, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0130BE82

Memory Dump Source

Source File: 00000005.00000002.556397461.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: c90596e500d23859fd3393057eb9bcba52a1fe9d61505ec68245490460a594c7
Instruction ID: 8199d04cbca7703cf9060ff5cd459de8e1cfb8dbd103111910107a46ecbdc3ee
Opcode Fuzzy Hash: c90596e500d23859fd3393057eb9bcba52a1fe9d61505ec68245490460a594c7
Instruction Fuzzy Hash: 4A116D75D013098FDB60DFAAD54879EFBF4EB48318F24882AD509A3641C739A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 013041AA, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01304216

Memory Dump Source

Source File: 00000005.00000002.556397461.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ef5dd64a8bc18f8e174de482fd05108d0752d66d3a7e2b9780e901ce94a54de7
Instruction ID: a265aee60108a4e1b2efff524700045fbae10a116a94a4f3d437787cdcee247c
Opcode Fuzzy Hash: ef5dd64a8bc18f8e174de482fd05108d0752d66d3a7e2b9780e901ce94a54de7
Instruction Fuzzy Hash: 701134B5D003098FCB10CF9AC444ADEFBF8EB88214F10841AD528B7210C374A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01302F44, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01304216

Memory Dump Source

Source File: 00000005.00000002.556397461.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7e7cdbb8ad42ed214dad5c660fe05a2f1289a6cff5f7187b08b27824ff1b704d
Instruction ID: ab505285663da274c7c476111938aec4f7d5060879400d40267793635c4a10e6
Opcode Fuzzy Hash: 7e7cdbb8ad42ed214dad5c660fe05a2f1289a6cff5f7187b08b27824ff1b704d
Instruction Fuzzy Hash: 041123B5D007498BDB10DF9AD444BDEFBF8EB48214F10842AD929B7210C374A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0553CC44, Relevance: .9, Instructions: 936COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.558264033.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603b6e4ba58f9c8f96b808fc12584393b29434d832d2371f4bc55f8477d224fc
Instruction ID: 784677049eedc9ed2c9d42a6a677ff2c6dc97710c184dee3a7d13e3b25407a32
Opcode Fuzzy Hash: 603b6e4ba58f9c8f96b808fc12584393b29434d832d2371f4bc55f8477d224fc
Instruction Fuzzy Hash: 77A2F774A05228CFCB65DF60D8987ADB7B6BF48305F1085EADA09A3354CB349E81CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00D8D450, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.555606556.0000000000D8D000.00000040.00000001.sdmp, Offset: 00D8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e33628d7251234d4e6773433d3f7819e3cf4afe61624edf8edbae689ca4dcace
Instruction ID: 359044220cad5233521c542dd4852fd5c71a5472b2ef33a4d1b11c9a4250c1da
Opcode Fuzzy Hash: e33628d7251234d4e6773433d3f7819e3cf4afe61624edf8edbae689ca4dcace
Instruction Fuzzy Hash: 7121F471504240DFDB15EF14D8C0B27BB66FB84324F2485A9D8450A2CAC336E856C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00D8D53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.555606556.0000000000D8D000.00000040.00000001.sdmp, Offset: 00D8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9a032db8d9dff694b983c7aef16a814032ea8a1d703b1396dc25b6541144c0
Instruction ID: bb30a7eff1a0a50107bddcc79fbd77e96f9301a18bb59fbba19e45ba42c4a37f
Opcode Fuzzy Hash: eb9a032db8d9dff694b983c7aef16a814032ea8a1d703b1396dc25b6541144c0
Instruction Fuzzy Hash: AC210671500244EFCB05EF10D8C0B26BF66FB94328F2485AAE8494B2C6C336D856C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00D9D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.555639597.0000000000D9D000.00000040.00000001.sdmp, Offset: 00D9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b691a3c892cbb147d0b2767bf4a86fafc0d7232c24927a3feb5b5383446435d1
Instruction ID: 308f770e5d27e1a6cc8b02674f9525d5090f4d33d7e40a148b125c263befb3a9
Opcode Fuzzy Hash: b691a3c892cbb147d0b2767bf4a86fafc0d7232c24927a3feb5b5383446435d1
Instruction Fuzzy Hash: 5121CF75604240DFDF14DF64D8C4B26BBA6EB84714F24C969E84E4B246C33AD846CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D9D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.555639597.0000000000D9D000.00000040.00000001.sdmp, Offset: 00D9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e906862a0d2c41cbb6d2c6439323a7042801731400863419a37ac216eb1bffec
Instruction ID: 4d234bc0ef7a006b4a96b7e5734f8c8124420b0178d657a609e506416b243626
Opcode Fuzzy Hash: e906862a0d2c41cbb6d2c6439323a7042801731400863419a37ac216eb1bffec
Instruction Fuzzy Hash: E22192755093C08FCB12CF24D990715BF71EB46314F28C5EAD8498F697C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0553FB90, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.558264033.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d7fc0b91cd52d1e07763405ad86b569bee940caf870ee50cb44b86d1e13498
Instruction ID: 7587acf5955f278596047442ab4be21220bc50b5b9b2cdc6e040cce249d7552f
Opcode Fuzzy Hash: 39d7fc0b91cd52d1e07763405ad86b569bee940caf870ee50cb44b86d1e13498
Instruction Fuzzy Hash: BA01D6327081481BC70516B99C656EBBBAFEFCA210F14487AE54DC7285DE2CCC1B47B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D8D44B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.555606556.0000000000D8D000.00000040.00000001.sdmp, Offset: 00D8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11772b62ccc9d22d83b62afd0a891c4d6e4a6fe74df51c0b93359674bc6ca424
Instruction ID: d50789595178f91ebcad1165f190c86105883dc2a532f22940afab2bbdf32663
Opcode Fuzzy Hash: 11772b62ccc9d22d83b62afd0a891c4d6e4a6fe74df51c0b93359674bc6ca424
Instruction Fuzzy Hash: B611D676504280CFCF11DF14D5C4B16BF72FB95324F28C5AAD8050B69AC336D85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D8D537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.555606556.0000000000D8D000.00000040.00000001.sdmp, Offset: 00D8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11772b62ccc9d22d83b62afd0a891c4d6e4a6fe74df51c0b93359674bc6ca424
Instruction ID: 813e16a64d5f0ddeaccd856b59b9bca7e1472ad7168e73ddb24186083df16a33
Opcode Fuzzy Hash: 11772b62ccc9d22d83b62afd0a891c4d6e4a6fe74df51c0b93359674bc6ca424
Instruction Fuzzy Hash: D211E676504284CFCF12DF10D5C4B16BF72FB94324F28C6AAD8094B696C336D85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: kprUEGC.exe PID: 7164 Parent PID: 3352 kprUEGC.exeCOMMON

Executed Functions

Function 02C1175B, Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

$,Bm, xrefs: 02C1176D

Memory Dump Source

Source File: 0000000B.00000002.369839138.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID:
String ID: $,Bm
API String ID: 0-3457116307
Opcode ID: f2103b04083cf9f25c894a9c5807041e15155cf03af73a5cbb5bdc7a0915e1bb
Instruction ID: 3ce1e980433b1c86b278ae3029c2bec3bab28b768510f6e960e71a3067282dd5
Opcode Fuzzy Hash: f2103b04083cf9f25c894a9c5807041e15155cf03af73a5cbb5bdc7a0915e1bb
Instruction Fuzzy Hash: 6FE07D36E006184FCB29BBB0E2107AE22DA8FC1A04F040A2CC10AEB354CF744D4447D2

Uniqueness

Uniqueness Score: -1.00%

Function 02C10F38, Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.369839138.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb420452bacdbeca7907349140b3ed6afe7228be20b606682f4546814511180
Instruction ID: d1d25c1979b2402e65f2ab464b68641e2a846c836cd6abd1bd9ab8551e452322
Opcode Fuzzy Hash: 1eb420452bacdbeca7907349140b3ed6afe7228be20b606682f4546814511180
Instruction Fuzzy Hash: 81225C31B403018FDB18EF65E49166A73B6FBC9349B24892CC64687398DF75ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02C108EB, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.369839138.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05052a98cc69587607463c49505aa1b31eb22bfca43592b4d80d44f9bc04b69c
Instruction ID: 386e68644c89ad8e33676214a2882fc0710ed0846425f19eade00dc960002395
Opcode Fuzzy Hash: 05052a98cc69587607463c49505aa1b31eb22bfca43592b4d80d44f9bc04b69c
Instruction Fuzzy Hash: 0471CF35A003448FDB299FA1D41869EBBF2EF89304F15C929D842673A8DF31EC96DB40

Uniqueness

Uniqueness Score: -1.00%

Function 02C10E31, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.369839138.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f2a7c1c16c992dcb61f34b613bafbdf551aa16b59023c50b339e43d623474e
Instruction ID: 8219b19ebf86d0ee6515c59db162500b0b8b6c16fde6119c7a1f875fb7185425
Opcode Fuzzy Hash: 62f2a7c1c16c992dcb61f34b613bafbdf551aa16b59023c50b339e43d623474e
Instruction Fuzzy Hash: B8315575B442108FC709AB78C46892D37E2EF8A61931648ADE542CF3B5DB32DC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02C10E40, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.369839138.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd29d7e7b027d79e906ecf1612477ce3efa305441a98eac42b9eccefc3e7e06
Instruction ID: e5d4fd08e63b36bd5bffac490481e922eb6bfa2b57f0126a43d10f9c49755e46
Opcode Fuzzy Hash: bbd29d7e7b027d79e906ecf1612477ce3efa305441a98eac42b9eccefc3e7e06
Instruction Fuzzy Hash: 592103757406108FC758AB78D45892D33E6EF8961931248B9E546CF3B5DF32EC82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02C117F8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.369839138.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1cd7c29c9c57c57682fdb7b8a0a1cc99ba2f427c70d2b7eef448b50ef42c31c
Instruction ID: 42b8d04db28c3eb3fbb33df49577035fce1bfc24abf1e7713436b6b2885e0b8a
Opcode Fuzzy Hash: d1cd7c29c9c57c57682fdb7b8a0a1cc99ba2f427c70d2b7eef448b50ef42c31c
Instruction Fuzzy Hash: 9811C476E003098FCB00DFB4D944D9EBBB1FF89300B15866AD519A7221E7309914CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02C11808, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.369839138.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1655b24d666c71b9e9e13aef4bfaf95828a3e162499a32abcba9b56524f2dc5a
Instruction ID: 88d36f447705b6dc414a46abb58ebf0b679f333ac93024799630d34b6b3b3ad9
Opcode Fuzzy Hash: 1655b24d666c71b9e9e13aef4bfaf95828a3e162499a32abcba9b56524f2dc5a
Instruction Fuzzy Hash: 1F01B536E002099FCB40EFB4D840C9EF7F5FF89300711866AE61897320EB71A915CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02C10B9C, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.369839138.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8b28688a34c22ef3cecb383c0184ca6e073a3e83c7ca6a0bd94366dd4586d3
Instruction ID: 5022d53905b65c32d028cd84fc6570bc3692c47ef31812bfd09e293b54659c35
Opcode Fuzzy Hash: fc8b28688a34c22ef3cecb383c0184ca6e073a3e83c7ca6a0bd94366dd4586d3
Instruction Fuzzy Hash: EBF08C30A40304CFDB14EBA0C04A7AD7BB0AB49318F150858C442A7290CF759D80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02C116D8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.369839138.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e352875d9091c0a3c48991c3ed8d0444f487b44de6c4432dd57239624d25298
Instruction ID: 5471994aa73ce78b533b79836cd5b4b3a2839baa994f787e394325490c523e7f
Opcode Fuzzy Hash: 1e352875d9091c0a3c48991c3ed8d0444f487b44de6c4432dd57239624d25298
Instruction Fuzzy Hash: 3DD01736B402149FC714EB69E909A867BA8AF4AA51F1040A5EA08CB394DF62E914CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02C104A3, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.369839138.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f02ed01b1e47040412fb2cbaa57f0da37e5babc89ca7ba64cc8a456541c34ee
Instruction ID: f932cb79dcff0658646a605300a31c3b3e8c1038f2b9615e1ead80e66e67d387
Opcode Fuzzy Hash: 6f02ed01b1e47040412fb2cbaa57f0da37e5babc89ca7ba64cc8a456541c34ee
Instruction Fuzzy Hash: A7D0EC71D00219DF8B50DBB996051DE7BF4AE08250B004566DD19E3200E6308B15CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 02C104A8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.369839138.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2340d97dc2bc39c51a148be895c9c3030986342bea33f4e36eb84f4b467e11
Instruction ID: 7fd440656fb897459d4dd040b348bca7b5e5131d4c9c870a2d85c3975027948b
Opcode Fuzzy Hash: 6e2340d97dc2bc39c51a148be895c9c3030986342bea33f4e36eb84f4b467e11
Instruction Fuzzy Hash: 0CD067B1D04229AF8B50EFB999061EEBBF8EA09250B1045A6D919E3200E6709A11CBD1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: kprUEGC.exe PID: 3932 Parent PID: 3352 kprUEGC.exeCOMMON

Executed Functions

Function 010216D8, Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

$,Bm, xrefs: 0102176D

Memory Dump Source

Source File: 0000000E.00000002.386091942.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Similarity

API ID:
String ID: $,Bm
API String ID: 0-3457116307
Opcode ID: d618f9a5982db56386277d651becb18f9b266e3826bea7f75f28faf882d11024
Instruction ID: 89126bbe7275440bfc3a45207563bc7b0fe30ff4ce548ba6513e652d3672217e
Opcode Fuzzy Hash: d618f9a5982db56386277d651becb18f9b266e3826bea7f75f28faf882d11024
Instruction Fuzzy Hash: 0211E274B401085FCB18EBF5E4517AD7BF9DFC4204F108568D609AB395DF309D0A8B92

Uniqueness

Uniqueness Score: -1.00%

Function 01020728, Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.386091942.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e6eea42938cb8b7e2e98dedbb0042f428c9a50189123ea3ebaeca4ad1f3069
Instruction ID: 1ccc502a36b092f599ead9ee60352c2eb8d451fe41d00942c89cb6c2fa260283
Opcode Fuzzy Hash: 43e6eea42938cb8b7e2e98dedbb0042f428c9a50189123ea3ebaeca4ad1f3069
Instruction Fuzzy Hash: 74318B71A043508FDB16DBA5D8182ED7FF2EF44310F0584AAD1826B2A5DB709DC5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010208F0, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.386091942.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c382909dd8a0ca3f7509bcbbd6ff886f78d0b8b61b51409a627fe0b5845a2ae
Instruction ID: 1ea806197d23ab539339fc40e4f830ce51b9a8561145a5a0aaf72249886a568c
Opcode Fuzzy Hash: 9c382909dd8a0ca3f7509bcbbd6ff886f78d0b8b61b51409a627fe0b5845a2ae
Instruction Fuzzy Hash: 0971C175A003158FDB29DFA5C4086ADBBF3EF88314F15C569E58A672A8DF31AC85CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01020E31, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.386091942.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e50bff74ba9fd61c6e07018647ebe303d19f5a6b1e469716dcebcd3f7a976a5
Instruction ID: 1a7da84c63f4397986e563d78cc81c48bb03d367c7db90c53be80dfe7f05ebd7
Opcode Fuzzy Hash: 2e50bff74ba9fd61c6e07018647ebe303d19f5a6b1e469716dcebcd3f7a976a5
Instruction Fuzzy Hash: 102128B57406108FC758AB78D45892D33E5EF8961931248B9E646CF3B5DB36DC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01020E40, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.386091942.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663b70493c2d4bd5748606d6a0eb03a3cded7735f73a510ba48b9540003ea01d
Instruction ID: 3df8f3220ed0b291b420cffe6c00b301e0394824a870e0cf7b9f662cd75612df
Opcode Fuzzy Hash: 663b70493c2d4bd5748606d6a0eb03a3cded7735f73a510ba48b9540003ea01d
Instruction Fuzzy Hash: DF2114757406208FC798AB78D45892D33E6EF8961931248B9E646CF3B5DF32EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01021808, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.386091942.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 517c77d01fef640288e8d513ab1f05a4e24c9b5ea15f842a03a3ad8ab29e6d19
Instruction ID: 634fd551b3a14876c6a74dbbbdeaeb5c2ac11e2711279eeff4c8f28014e31f9c
Opcode Fuzzy Hash: 517c77d01fef640288e8d513ab1f05a4e24c9b5ea15f842a03a3ad8ab29e6d19
Instruction Fuzzy Hash: 8501757AE002099FCB40EFB5D844DEEF7F5FF8D2107118666E51597225E771A911CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01020B9C, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.386091942.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b44bc375b33deac2b21705ba3ce9af6262a23dddc5dd2004afff2dd99f8e6c7a
Instruction ID: 61007cbc466f5dc3c11808c09ee39040a0ac2c1a7ac78d0c31852a74fef67931
Opcode Fuzzy Hash: b44bc375b33deac2b21705ba3ce9af6262a23dddc5dd2004afff2dd99f8e6c7a
Instruction Fuzzy Hash: 21F01C71A053158FEB14EFA5C0597AD7BF0AB08318F150899E182AB2A5DB749D84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01020498, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.386091942.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca8ca4652ce3dd5d14c3754fea87b8ca1d96bf46e33280075236d84a7bdb5d3
Instruction ID: 680c25d6b6fd0eca29cb80568f2ff800c2cfb9cb61d7a75c5e250d0e8455941a
Opcode Fuzzy Hash: 1ca8ca4652ce3dd5d14c3754fea87b8ca1d96bf46e33280075236d84a7bdb5d3
Instruction Fuzzy Hash: 2DE04FF2C00219AF8B50DBB969052EEBFF4EA09210F1140B5DA9EE7200E7304A468BD1

Uniqueness

Uniqueness Score: -1.00%

Function 010204A8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.386091942.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7419a4e7079439cb72277af0a438f375bad623e75e53c3fb77513eb1054a65b
Instruction ID: f854b6482c3ea11597afb498ed9842366b1ec268c6cc9c0e9b99d33e7da5e34c
Opcode Fuzzy Hash: c7419a4e7079439cb72277af0a438f375bad623e75e53c3fb77513eb1054a65b
Instruction Fuzzy Hash: F1D067B1D00229AF8B40EFB9A9051DEBBF8EA08250B1045A6D959E7214E7705A148BD1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Euro invoice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre