Edit tour

Windows Analysis Report
offer_doc.exe

Overview

General Information

Sample Name:	offer_doc.exe
Analysis ID:	680343
MD5:	915026107719604ff39f95cd37c6da08
SHA1:	7708c1a71b95b019ff7d02e295938b342f2bdfb7
SHA256:	f6d4110e70ad9d1525395ad0f693bb5132d7684c989bc2e6ab2e4b12a22223f0
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

offer_doc.exe (PID: 5428 cmdline: "C:\Users\user\Desktop\offer_doc.exe" MD5: 915026107719604FF39F95CD37C6DA08)

offer_doc.exe (PID: 4516 cmdline: C:\Users\user\Desktop\offer_doc.exe MD5: 915026107719604FF39F95CD37C6DA08)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info@rwan.asia", "Password": "RWAN802754", "Host": "mail.rwan.asia"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.446200384.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3009d:$a13: get_DnsResolver 0x2e8b2:$a20: get_LastAccessed 0x30a1b:$a27: set_InternalServerPort 0x30d37:$a30: set_GuidMasterKey 0x2e9b9:$a33: get_Clipboard 0x2e9c7:$a34: get_Keyboard 0x2fcd0:$a35: get_ShiftKeyDown 0x2fce1:$a36: get_AltKeyDown 0x2e9d4:$a37: get_Password 0x2f480:$a38: get_PasswordHash 0x3049d:$a39: get_DefaultCredentials
00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_e577e17e	unknown	unknown	0x8004:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x67425:$a13: get_DnsResolver 0x9ba45:$a13: get_DnsResolver 0xcfe65:$a13: get_DnsResolver 0x65c3a:$a20: get_LastAccessed 0x9a25a:$a20: get_LastAccessed 0xce67a:$a20: get_LastAccessed 0x67da3:$a27: set_InternalServerPort 0x9c3c3:$a27: set_InternalServerPort 0xd07e3:$a27: set_InternalServerPort 0x680bf:$a30: set_GuidMasterKey 0x9c6df:$a30: set_GuidMasterKey 0xd0aff:$a30: set_GuidMasterKey 0x65d41:$a33: get_Clipboard 0x9a361:$a33: get_Clipboard 0xce781:$a33: get_Clipboard 0x65d4f:$a34: get_Keyboard 0x9a36f:$a34: get_Keyboard 0xce78f:$a34: get_Keyboard 0x67058:$a35: get_ShiftKeyDown 0x9b678:$a35: get_ShiftKeyDown 0xcfa98:$a35: get_ShiftKeyDown
00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_e577e17e	unknown	unknown	0x3f38c:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07 0x739ac:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07 0xa7dcc:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: offer_doc.exe PID: 5428	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: offer_doc.exe PID: 5428	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: offer_doc.exe PID: 5428	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x9889d:$a13: get_DnsResolver 0x97312:$a20: get_LastAccessed 0x991ca:$a27: set_InternalServerPort 0x99426:$a30: set_GuidMasterKey 0x97405:$a33: get_Clipboard 0x97413:$a34: get_Keyboard 0x9856f:$a35: get_ShiftKeyDown 0x98580:$a36: get_AltKeyDown 0x97420:$a37: get_Password 0x97e28:$a38: get_PasswordHash 0x98c71:$a39: get_DefaultCredentials
Process Memory Space: offer_doc.exe PID: 4516	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: offer_doc.exe PID: 4516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: offer_doc.exe PID: 4516	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x38d6e:$a13: get_DnsResolver 0x377e3:$a20: get_LastAccessed 0x3969b:$a27: set_InternalServerPort 0x398f7:$a30: set_GuidMasterKey 0x378d6:$a33: get_Clipboard 0x378e4:$a34: get_Keyboard 0x38a40:$a35: get_ShiftKeyDown 0x38a51:$a36: get_AltKeyDown 0x378f1:$a37: get_Password 0x382f9:$a38: get_PasswordHash 0x39142:$a39: get_DefaultCredentials
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.offer_doc.exe.3bd37a8.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3bd37a8.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3bd37a8.7.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d4f:$s10: logins 0x307b6:$s11: credential 0x2cdb9:$g1: get_Clipboard 0x2cdc7:$g2: get_Keyboard 0x2cdd4:$g3: get_Password 0x2e0c0:$g4: get_CtrlKeyDown 0x2e0d0:$g5: get_ShiftKeyDown 0x2e0e1:$g6: get_AltKeyDown
0.2.offer_doc.exe.3bd37a8.7.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2e49d:$a13: get_DnsResolver 0x2ccb2:$a20: get_LastAccessed 0x2ee1b:$a27: set_InternalServerPort 0x2f137:$a30: set_GuidMasterKey 0x2cdb9:$a33: get_Clipboard 0x2cdc7:$a34: get_Keyboard 0x2e0d0:$a35: get_ShiftKeyDown 0x2e0e1:$a36: get_AltKeyDown 0x2cdd4:$a37: get_Password 0x2d880:$a38: get_PasswordHash 0x2e89d:$a39: get_DefaultCredentials
0.2.offer_doc.exe.3bd37a8.7.unpack	Windows_Trojan_AgentTesla_e577e17e	unknown	unknown	0x6404:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
3.0.offer_doc.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.0.offer_doc.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.0.offer_doc.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b4f:$s10: logins 0x325b6:$s11: credential 0x2ebb9:$g1: get_Clipboard 0x2ebc7:$g2: get_Keyboard 0x2ebd4:$g3: get_Password 0x2fec0:$g4: get_CtrlKeyDown 0x2fed0:$g5: get_ShiftKeyDown 0x2fee1:$g6: get_AltKeyDown
3.0.offer_doc.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3029d:$a13: get_DnsResolver 0x2eab2:$a20: get_LastAccessed 0x30c1b:$a27: set_InternalServerPort 0x30f37:$a30: set_GuidMasterKey 0x2ebb9:$a33: get_Clipboard 0x2ebc7:$a34: get_Keyboard 0x2fed0:$a35: get_ShiftKeyDown 0x2fee1:$a36: get_AltKeyDown 0x2ebd4:$a37: get_Password 0x2f680:$a38: get_PasswordHash 0x3069d:$a39: get_DefaultCredentials
3.0.offer_doc.exe.400000.0.unpack	Windows_Trojan_AgentTesla_e577e17e	unknown	unknown	0x8204:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
0.2.offer_doc.exe.3b9f188.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3b9f188.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3b9f188.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d4f:$s10: logins 0x307b6:$s11: credential 0x2cdb9:$g1: get_Clipboard 0x2cdc7:$g2: get_Keyboard 0x2cdd4:$g3: get_Password 0x2e0c0:$g4: get_CtrlKeyDown 0x2e0d0:$g5: get_ShiftKeyDown 0x2e0e1:$g6: get_AltKeyDown
0.2.offer_doc.exe.3b9f188.6.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2e49d:$a13: get_DnsResolver 0x2ccb2:$a20: get_LastAccessed 0x2ee1b:$a27: set_InternalServerPort 0x2f137:$a30: set_GuidMasterKey 0x2cdb9:$a33: get_Clipboard 0x2cdc7:$a34: get_Keyboard 0x2e0d0:$a35: get_ShiftKeyDown 0x2e0e1:$a36: get_AltKeyDown 0x2cdd4:$a37: get_Password 0x2d880:$a38: get_PasswordHash 0x2e89d:$a39: get_DefaultCredentials
0.2.offer_doc.exe.3b9f188.6.unpack	Windows_Trojan_AgentTesla_e577e17e	unknown	unknown	0x6404:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
0.2.offer_doc.exe.3bd37a8.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3bd37a8.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3bd37a8.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b4f:$s10: logins 0x66f6f:$s10: logins 0x325b6:$s11: credential 0x669d6:$s11: credential 0x2ebb9:$g1: get_Clipboard 0x62fd9:$g1: get_Clipboard 0x2ebc7:$g2: get_Keyboard 0x62fe7:$g2: get_Keyboard 0x2ebd4:$g3: get_Password 0x62ff4:$g3: get_Password 0x2fec0:$g4: get_CtrlKeyDown 0x642e0:$g4: get_CtrlKeyDown 0x2fed0:$g5: get_ShiftKeyDown 0x642f0:$g5: get_ShiftKeyDown 0x2fee1:$g6: get_AltKeyDown 0x64301:$g6: get_AltKeyDown
0.2.offer_doc.exe.3bd37a8.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x9c00f:$s1: file:/// 0x10fe2f:$s1: file:/// 0x9bf1f:$s2: {11111-22222-10009-11112} 0x10fd3f:$s2: {11111-22222-10009-11112} 0x9bf9f:$s3: {11111-22222-50001-00000} 0x10fdbf:$s3: {11111-22222-50001-00000} 0x992a3:$s4: get_Module 0x10d0c3:$s4: get_Module 0x2f122:$s5: Reverse 0x63542:$s5: Reverse 0x9971c:$s5: Reverse 0x10d53c:$s5: Reverse 0x30fd9:$s6: BlockCopy 0x653f9:$s6: BlockCopy 0x9b6e1:$s6: BlockCopy 0x10f501:$s6: BlockCopy 0x2f3c3:$s7: ReadByte 0x637e3:$s7: ReadByte 0x9c021:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x10fe41:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.offer_doc.exe.3bd37a8.7.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3029d:$a13: get_DnsResolver 0x646bd:$a13: get_DnsResolver 0x2eab2:$a20: get_LastAccessed 0x62ed2:$a20: get_LastAccessed 0x30c1b:$a27: set_InternalServerPort 0x6503b:$a27: set_InternalServerPort 0x30f37:$a30: set_GuidMasterKey 0x65357:$a30: set_GuidMasterKey 0x2ebb9:$a33: get_Clipboard 0x62fd9:$a33: get_Clipboard 0x2ebc7:$a34: get_Keyboard 0x62fe7:$a34: get_Keyboard 0x2fed0:$a35: get_ShiftKeyDown 0x642f0:$a35: get_ShiftKeyDown 0x2fee1:$a36: get_AltKeyDown 0x64301:$a36: get_AltKeyDown 0x2ebd4:$a37: get_Password 0x62ff4:$a37: get_Password 0x2f680:$a38: get_PasswordHash 0x63aa0:$a38: get_PasswordHash 0x3069d:$a39: get_DefaultCredentials
0.2.offer_doc.exe.3bd37a8.7.raw.unpack	Windows_Trojan_AgentTesla_e577e17e	unknown	unknown	0x8204:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07 0x3c624:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
0.2.offer_doc.exe.3b9f188.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3b9f188.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3b9f188.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b4f:$s10: logins 0x6716f:$s10: logins 0x9b58f:$s10: logins 0x325b6:$s11: credential 0x66bd6:$s11: credential 0x9aff6:$s11: credential 0x2ebb9:$g1: get_Clipboard 0x631d9:$g1: get_Clipboard 0x975f9:$g1: get_Clipboard 0x2ebc7:$g2: get_Keyboard 0x631e7:$g2: get_Keyboard 0x97607:$g2: get_Keyboard 0x2ebd4:$g3: get_Password 0x631f4:$g3: get_Password 0x97614:$g3: get_Password 0x2fec0:$g4: get_CtrlKeyDown 0x644e0:$g4: get_CtrlKeyDown 0x98900:$g4: get_CtrlKeyDown 0x2fed0:$g5: get_ShiftKeyDown 0x644f0:$g5: get_ShiftKeyDown 0x98910:$g5: get_ShiftKeyDown
0.2.offer_doc.exe.3b9f188.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xd062f:$s1: file:/// 0x14444f:$s1: file:/// 0xd053f:$s2: {11111-22222-10009-11112} 0x14435f:$s2: {11111-22222-10009-11112} 0xd05bf:$s3: {11111-22222-50001-00000} 0x1443df:$s3: {11111-22222-50001-00000} 0xcd8c3:$s4: get_Module 0x1416e3:$s4: get_Module 0x2f122:$s5: Reverse 0x63742:$s5: Reverse 0x97b62:$s5: Reverse 0xcdd3c:$s5: Reverse 0x141b5c:$s5: Reverse 0x30fd9:$s6: BlockCopy 0x655f9:$s6: BlockCopy 0x99a19:$s6: BlockCopy 0xcfd01:$s6: BlockCopy 0x143b21:$s6: BlockCopy 0x2f3c3:$s7: ReadByte 0x639e3:$s7: ReadByte 0x97e03:$s7: ReadByte
0.2.offer_doc.exe.3b9f188.6.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3029d:$a13: get_DnsResolver 0x648bd:$a13: get_DnsResolver 0x98cdd:$a13: get_DnsResolver 0x2eab2:$a20: get_LastAccessed 0x630d2:$a20: get_LastAccessed 0x974f2:$a20: get_LastAccessed 0x30c1b:$a27: set_InternalServerPort 0x6523b:$a27: set_InternalServerPort 0x9965b:$a27: set_InternalServerPort 0x30f37:$a30: set_GuidMasterKey 0x65557:$a30: set_GuidMasterKey 0x99977:$a30: set_GuidMasterKey 0x2ebb9:$a33: get_Clipboard 0x631d9:$a33: get_Clipboard 0x975f9:$a33: get_Clipboard 0x2ebc7:$a34: get_Keyboard 0x631e7:$a34: get_Keyboard 0x97607:$a34: get_Keyboard 0x2fed0:$a35: get_ShiftKeyDown 0x644f0:$a35: get_ShiftKeyDown 0x98910:$a35: get_ShiftKeyDown
0.2.offer_doc.exe.3b9f188.6.raw.unpack	Windows_Trojan_AgentTesla_e577e17e	unknown	unknown	0x8204:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07 0x3c824:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07 0x70c44:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
0.2.offer_doc.exe.3b68d68.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3b68d68.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3b68d68.5.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x68f6f:$s10: logins 0x9d58f:$s10: logins 0xd19af:$s10: logins 0x689d6:$s11: credential 0x9cff6:$s11: credential 0xd1416:$s11: credential 0x64fd9:$g1: get_Clipboard 0x995f9:$g1: get_Clipboard 0xcda19:$g1: get_Clipboard 0x64fe7:$g2: get_Keyboard 0x99607:$g2: get_Keyboard 0xcda27:$g2: get_Keyboard 0x64ff4:$g3: get_Password 0x99614:$g3: get_Password 0xcda34:$g3: get_Password 0x662e0:$g4: get_CtrlKeyDown 0x9a900:$g4: get_CtrlKeyDown 0xced20:$g4: get_CtrlKeyDown 0x662f0:$g5: get_ShiftKeyDown 0x9a910:$g5: get_ShiftKeyDown 0xced30:$g5: get_ShiftKeyDown
0.2.offer_doc.exe.3b68d68.5.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x106a4f:$s1: file:/// 0x17a86f:$s1: file:/// 0x10695f:$s2: {11111-22222-10009-11112} 0x17a77f:$s2: {11111-22222-10009-11112} 0x1069df:$s3: {11111-22222-50001-00000} 0x17a7ff:$s3: {11111-22222-50001-00000} 0x103ce3:$s4: get_Module 0x177b03:$s4: get_Module 0x65542:$s5: Reverse 0x99b62:$s5: Reverse 0xcdf82:$s5: Reverse 0x10415c:$s5: Reverse 0x177f7c:$s5: Reverse 0x673f9:$s6: BlockCopy 0x9ba19:$s6: BlockCopy 0xcfe39:$s6: BlockCopy 0x106121:$s6: BlockCopy 0x179f41:$s6: BlockCopy 0x657e3:$s7: ReadByte 0x99e03:$s7: ReadByte 0xce223:$s7: ReadByte
0.2.offer_doc.exe.3b68d68.5.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x666bd:$a13: get_DnsResolver 0x9acdd:$a13: get_DnsResolver 0xcf0fd:$a13: get_DnsResolver 0x64ed2:$a20: get_LastAccessed 0x994f2:$a20: get_LastAccessed 0xcd912:$a20: get_LastAccessed 0x6703b:$a27: set_InternalServerPort 0x9b65b:$a27: set_InternalServerPort 0xcfa7b:$a27: set_InternalServerPort 0x67357:$a30: set_GuidMasterKey 0x9b977:$a30: set_GuidMasterKey 0xcfd97:$a30: set_GuidMasterKey 0x64fd9:$a33: get_Clipboard 0x995f9:$a33: get_Clipboard 0xcda19:$a33: get_Clipboard 0x64fe7:$a34: get_Keyboard 0x99607:$a34: get_Keyboard 0xcda27:$a34: get_Keyboard 0x662f0:$a35: get_ShiftKeyDown 0x9a910:$a35: get_ShiftKeyDown 0xced30:$a35: get_ShiftKeyDown
0.2.offer_doc.exe.3b68d68.5.raw.unpack	Windows_Trojan_AgentTesla_e577e17e	unknown	unknown	0x3e624:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07 0x72c44:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07 0xa7064:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
Click to see the 28 entries

Snort Signatures

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.5 - Destination IP: 119.59.104.27

Timestamp:	192.168.2.5119.59.104.27497195872030171 08/08/22-12:37:22.771751
SID:	2030171
Source Port:	49719
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.5 - Destination IP: 119.59.104.27

Timestamp:	192.168.2.5119.59.104.27497195872840032 08/08/22-12:37:22.771866
SID:	2840032
Source Port:	49719
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.5 - Destination IP: 119.59.104.27

Timestamp:	192.168.2.5119.59.104.27497195872851779 08/08/22-12:37:22.771866
SID:	2851779
Source Port:	49719
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: offer_doc.exe

ReversingLabs: Detection: 24%

Machine Learning detection for sample

Source: offer_doc.exe

Joe Sandbox ML: detected

Source: 3.0.offer_doc.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 3.0.offer_doc.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@rwan.asia", "Password": "RWAN802754", "Host": "mail.rwan.asia"}

Source: offer_doc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: offer_doc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49719 -> 119.59.104.27:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49719 -> 119.59.104.27:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49719 -> 119.59.104.27:587

Source: Joe Sandbox View

ASN Name: METRABYTE-TH453LadplacoutJorakhaebuaTH METRABYTE-TH453LadplacoutJorakhaebuaTH

Source: global traffic

TCP traffic: 192.168.2.5:49719 -> 119.59.104.27:587

Source: global traffic

TCP traffic: 192.168.2.5:49719 -> 119.59.104.27:587

Source: offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dzByIm.com
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: offer_doc.exe, 00000003.00000002.678536332.00000000030EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.rwan.asia
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: offer_doc.exe, 00000000.00000002.434864485.0000000001097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: offer_doc.exe, 00000003.00000002.678536332.00000000030EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hI6edvnAmdv.org
Source: offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: mail.rwan.asia

Source: offer_doc.exe, 00000000.00000002.433866824.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.offer_doc.exe.3bd37a8.7.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.offer_doc.exe.3bd37a8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.offer_doc.exe.3bd37a8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: 3.0.offer_doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.offer_doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 3.0.offer_doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: 0.2.offer_doc.exe.3b9f188.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.offer_doc.exe.3b9f188.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.offer_doc.exe.3b9f188.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: Process Memory Space: offer_doc.exe PID: 5428, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: offer_doc.exe PID: 4516, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: offer_doc.exe

.NET source code contains very large array initializations

Source: 3.0.offer_doc.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bBFEAAEE6u002d466Du002d4D0Au002d8579u002d0D52F9710340u007d/u0038E7E1D9Bu002d4103u002d4A26u002d9CEAu002d5E7F2E73DD6F.cs

Large array initialization: .cctor: array initializer size 11630

Source: offer_doc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.offer_doc.exe.3bd37a8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.offer_doc.exe.3bd37a8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.offer_doc.exe.3bd37a8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: 3.0.offer_doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.offer_doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 3.0.offer_doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: 0.2.offer_doc.exe.3b9f188.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.offer_doc.exe.3b9f188.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.offer_doc.exe.3b9f188.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: Process Memory Space: offer_doc.exe PID: 5428, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: offer_doc.exe PID: 4516, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 0_2_00BFCD04	0_2_00BFCD04
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 0_2_00BFF0D0	0_2_00BFF0D0
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 0_2_06ED41D0	0_2_06ED41D0
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 0_2_06ED4F28	0_2_06ED4F28
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 0_2_07105DC8	0_2_07105DC8
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 0_2_07105590	0_2_07105590
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 0_2_071055A0	0_2_071055A0
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 0_2_07106F9A	0_2_07106F9A
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 0_2_07106FA8	0_2_07106FA8
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0140F080	3_2_0140F080
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_01406120	3_2_01406120
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0140F3C8	3_2_0140F3C8
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0637BFB8	3_2_0637BFB8
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06378440	3_2_06378440
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0637C0C4	3_2_0637C0C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063776A8	3_2_063776A8
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063732A8	3_2_063732A8
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066AA278	3_2_066AA278
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066AAA88	3_2_066AAA88
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066A8740	3_2_066A8740
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066AF338	3_2_066AF338
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066A7BC8	3_2_066A7BC8
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066ABB80	3_2_066ABB80
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066A38C0	3_2_066A38C0
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066A28D0	3_2_066A28D0
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066ABB1C	3_2_066ABB1C
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066AA939	3_2_066AA939
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066A8930	3_2_066A8930
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066FADE8	3_2_066FADE8
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066F1AC4	3_2_066F1AC4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066F4B10	3_2_066F4B10
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0637A7E8	3_2_0637A7E8

Source: offer_doc.exe, 00000000.00000002.438858978.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs offer_doc.exe
Source: offer_doc.exe, 00000000.00000002.452768106.0000000006EB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs offer_doc.exe
Source: offer_doc.exe, 00000000.00000002.433866824.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs offer_doc.exe
Source: offer_doc.exe, 00000000.00000002.453065620.0000000006F00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs offer_doc.exe
Source: offer_doc.exe, 00000000.00000003.423409650.0000000000C95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs offer_doc.exe
Source: offer_doc.exe, 00000000.00000002.453449981.0000000007070000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs offer_doc.exe
Source: offer_doc.exe, 00000000.00000000.407180408.00000000005EE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSYSTEMI.exeB vs offer_doc.exe
Source: offer_doc.exe, 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQIPpUdJOXlzKKWqWQXrayNItXcNYucwtbWIvIC.exe4 vs offer_doc.exe
Source: offer_doc.exe, 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs offer_doc.exe
Source: offer_doc.exe, 00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQIPpUdJOXlzKKWqWQXrayNItXcNYucwtbWIvIC.exe4 vs offer_doc.exe
Source: offer_doc.exe, 00000003.00000000.431756265.0000000000436000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQIPpUdJOXlzKKWqWQXrayNItXcNYucwtbWIvIC.exe4 vs offer_doc.exe
Source: offer_doc.exe, 00000003.00000002.673994817.0000000000BE8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs offer_doc.exe
Source: offer_doc.exe, 00000003.00000002.674351176.000000000101A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs offer_doc.exe
Source: offer_doc.exe	Binary or memory string: OriginalFilenameSYSTEMI.exeB vs offer_doc.exe

Source: offer_doc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: offer_doc.exe

ReversingLabs: Detection: 24%

Source: offer_doc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\offer_doc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\offer_doc.exe "C:\Users\user\Desktop\offer_doc.exe"
Source: C:\Users\user\Desktop\offer_doc.exe	Process created: C:\Users\user\Desktop\offer_doc.exe C:\Users\user\Desktop\offer_doc.exe
Source: C:\Users\user\Desktop\offer_doc.exe	Process created: C:\Users\user\Desktop\offer_doc.exe C:\Users\user\Desktop\offer_doc.exe	Jump to behavior

Source: C:\Users\user\Desktop\offer_doc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\offer_doc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\offer_doc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\offer_doc.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\offer_doc.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: offer_doc.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\offer_doc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: offer_doc.exe, ProcExpGUI/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.offer_doc.exe.520000.0.unpack, ProcExpGUI/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.offer_doc.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.offer_doc.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\offer_doc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\offer_doc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\offer_doc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: offer_doc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: offer_doc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: offer_doc.exe, ProcExpGUI/Form1.cs	.Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.offer_doc.exe.520000.0.unpack, ProcExpGUI/Form1.cs	.Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716B2 push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716BA push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716A9 push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0637169E push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0637169A push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0637168E push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716F1 push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716FA push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716E2 push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716EA push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716D2 push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716D9 push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716C1 push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716CA push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06371732 push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06371739 push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06371721 push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0637172A push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06371712 push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0637171A push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06371702 push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06371709 push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06371752 push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06371742 push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0637174A push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063717B2 push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063717B9 push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063717A1 push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063717AE push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063717AA push es; ret	3_2_063718C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06371796 push es; ret	3_2_063718C4

Source: initial sample

Static PE information: section name: .text entropy: 7.788970576048009

Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.446200384.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: offer_doc.exe PID: 5428, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: offer_doc.exe, 00000000.00000002.446200384.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp, offer_doc.exe, 00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: offer_doc.exe, 00000000.00000002.446200384.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp, offer_doc.exe, 00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\offer_doc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\offer_doc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\offer_doc.exe TID: 5440	Thread sleep time: -45877s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe TID: 3108	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe TID: 3676	Thread sleep count: 9610 > 30	Jump to behavior

Source: C:\Users\user\Desktop\offer_doc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\offer_doc.exe

Window / User API: threadDelayed 9610

Jump to behavior

Source: C:\Users\user\Desktop\offer_doc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\offer_doc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\offer_doc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\offer_doc.exe	Thread delayed: delay time: 45877			Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: offer_doc.exe, 00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: offer_doc.exe, 00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: offer_doc.exe, 00000003.00000003.473613333.00000000010B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: offer_doc.exe, 00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: offer_doc.exe, 00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\offer_doc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\offer_doc.exe

Code function: 3_2_066AB210 LdrInitializeThunk,

3_2_066AB210

Source: C:\Users\user\Desktop\offer_doc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\offer_doc.exe

Memory written: C:\Users\user\Desktop\offer_doc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\offer_doc.exe

Process created: C:\Users\user\Desktop\offer_doc.exe C:\Users\user\Desktop\offer_doc.exe

Jump to behavior

Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Users\user\Desktop\offer_doc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Users\user\Desktop\offer_doc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\offer_doc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.offer_doc.exe.3bd37a8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.offer_doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.offer_doc.exe.3b9f188.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: offer_doc.exe PID: 5428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: offer_doc.exe PID: 4516, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\offer_doc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\offer_doc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\offer_doc.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\offer_doc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: offer_doc.exe PID: 4516, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.offer_doc.exe.3bd37a8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.offer_doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.offer_doc.exe.3b9f188.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: offer_doc.exe PID: 5428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: offer_doc.exe PID: 4516, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	111 Process Injection	1 Masquerading	2 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	1 Credentials in Registry	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	2 Data from Local System	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	114 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	13 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
offer_doc.exe	24%	ReversingLabs	ByteCode-MSIL.Trojan.Pwsx
offer_doc.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.0.offer_doc.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
https://api.ipify.org%%startupfolder%	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://mail.rwan.asia	0%	Avira URL Cloud	safe
http://dzByIm.com	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://www.fontbureau.como	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://hI6edvnAmdv.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.rwan.asia	119.59.104.27	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org%%startupfolder%	offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://www.goodfont.co.kr	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.rwan.asia	offer_doc.exe, 00000003.00000002.678536332.00000000030EA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dzByIm.com	offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.como	offer_doc.exe, 00000000.00000002.434864485.0000000001097000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org%	offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://hI6edvnAmdv.org	offer_doc.exe, 00000003.00000002.678536332.00000000030EA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
119.59.104.27	mail.rwan.asia	Thailand		56067	METRABYTE-TH453LadplacoutJorakhaebuaTH	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	680343
Start date and time: 08/08/202212:35:50	2022-08-08 12:35:50 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	offer_doc.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 88 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, licensing.mp.microsoft.com, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, storeedgefd.dsx.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:37:00	API Interceptor	759x Sleep call for process: offer_doc.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
METRABYTE-TH453LadplacoutJorakhaebuaTH	4R45357rJb.dll	Get hash	malicious	Browse	119.59.96.171
	0628222 _TOP.exe	Get hash	malicious	Browse	119.59.104.13
	SecuriteInfo.com.NSIS.Injector.AYR.25274.exe	Get hash	malicious	Browse	103.30.127.7
	R8y5nWeHzN.exe	Get hash	malicious	Browse	103.30.127.7
	PO_0002015153,pdf.exe	Get hash	malicious	Browse	119.59.104.13
	SR20220600525003,pdf.exe	Get hash	malicious	Browse	119.59.104.13
	09062022.xls	Get hash	malicious	Browse	119.59.126.63
	nFRbz7jrkO.dll	Get hash	malicious	Browse	119.59.125.140
	nFRbz7jrkO.dll	Get hash	malicious	Browse	119.59.125.140
	6BV8I2Luce.dll	Get hash	malicious	Browse	119.59.125.140
	Company Profile.exe	Get hash	malicious	Browse	119.59.97.17
	iH3hkt6Jwi.dll	Get hash	malicious	Browse	119.59.125.140
	o96osW4H1R.dll	Get hash	malicious	Browse	119.59.125.140
	vB7vDn9SwA.dll	Get hash	malicious	Browse	119.59.125.140
	iH3hkt6Jwi.dll	Get hash	malicious	Browse	119.59.125.140
	KZhK3WeFEd.dll	Get hash	malicious	Browse	119.59.125.140
	o96osW4H1R.dll	Get hash	malicious	Browse	119.59.125.140
	vSDDpyhqrI.dll	Get hash	malicious	Browse	119.59.125.140
	nnQLG95Iw5.dll	Get hash	malicious	Browse	119.59.125.140
	znINSa9qND.dll	Get hash	malicious	Browse	119.59.125.140

Process:	C:\Users\user\Desktop\offer_doc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.782708595845613
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	offer_doc.exe
File size:	833536
MD5:	915026107719604ff39f95cd37c6da08
SHA1:	7708c1a71b95b019ff7d02e295938b342f2bdfb7
SHA256:	f6d4110e70ad9d1525395ad0f693bb5132d7684c989bc2e6ab2e4b12a22223f0
SHA512:	96a6c907bf2de1eb5e72c702a91a541b1d34f2ea176fc669f103ad7c80ea1d3e534632a5262215251d077c111f50dcd3d1828c58973ce598c6d22628d9d167f3
SSDEEP:	24576:NBZFxgV10k+YG7Cbgu8KPVeCwZOe9IbUDHDl:1gVWCFzDPVeCwc7U
TLSH:	2E05BF1BBF147308C5A76AB5EE0BBD6267F61C5D3135E0783A647C4A4AFF301E52242A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4cceaa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62F0B69A [Mon Aug 8 07:09:14 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcce58	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xce000	0x390	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcaeb0	0xcb000	False	0.8195620381773399	PGP symmetric key encrypted data - Plaintext or unencrypted data	7.788970576048009	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xce000	0x390	0x400	False	0.3740234375	data	2.8957942416950724	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xce058	0x334	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.5119.59.104.27497195872030171 08/08/22-12:37:22.771751	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49719	587	192.168.2.5	119.59.104.27
192.168.2.5119.59.104.27497195872840032 08/08/22-12:37:22.771866	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49719	587	192.168.2.5	119.59.104.27
192.168.2.5119.59.104.27497195872851779 08/08/22-12:37:22.771866	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49719	587	192.168.2.5	119.59.104.27

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 12:37:20.559009075 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:20.761368036 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:20.761497974 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:21.500310898 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:21.510185957 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:21.747618914 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:21.749319077 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:21.951539040 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:21.952100992 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:22.158607006 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:22.164627075 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:22.366159916 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:22.366766930 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:22.569576025 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:22.570023060 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:22.770673990 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:22.770766020 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:22.771750927 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:22.771866083 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:22.772742987 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:22.772816896 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:22.973253965 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:22.973604918 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:23.125147104 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:23.167823076 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:39:00.131582975 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:39:00.333028078 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:39:00.333506107 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:39:00.334780931 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:39:00.535305977 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:39:00.536053896 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:39:00.536117077 CEST	49719	587	192.168.2.5	119.59.104.27

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 12:37:20.161004066 CEST	51769	53	192.168.2.5	8.8.8.8
Aug 8, 2022 12:37:20.532987118 CEST	53	51769	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 8, 2022 12:37:20.161004066 CEST	192.168.2.5	8.8.8.8	0x3028	Standard query (0)	mail.rwan.asia	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 8, 2022 12:37:20.532987118 CEST	8.8.8.8	192.168.2.5	0x3028	No error (0)	mail.rwan.asia		119.59.104.27	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 8, 2022 12:37:21.500310898 CEST	587	49719	119.59.104.27	192.168.2.5	220 ns61.hostinglotus.net ESMTP Exim 4.94.2 Mon, 08 Aug 2022 17:30:23 +0700
Aug 8, 2022 12:37:21.510185957 CEST	49719	587	192.168.2.5	119.59.104.27	EHLO 724536
Aug 8, 2022 12:37:21.747618914 CEST	587	49719	119.59.104.27	192.168.2.5	250-ns61.hostinglotus.net Hello 724536 [102.129.143.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Aug 8, 2022 12:37:21.749319077 CEST	49719	587	192.168.2.5	119.59.104.27	AUTH login aW5mb0Byd2FuLmFzaWE=
Aug 8, 2022 12:37:21.951539040 CEST	587	49719	119.59.104.27	192.168.2.5	334 UGFzc3dvcmQ6
Aug 8, 2022 12:37:22.158607006 CEST	587	49719	119.59.104.27	192.168.2.5	235 Authentication succeeded
Aug 8, 2022 12:37:22.164627075 CEST	49719	587	192.168.2.5	119.59.104.27	MAIL FROM:<info@rwan.asia>
Aug 8, 2022 12:37:22.366159916 CEST	587	49719	119.59.104.27	192.168.2.5	250 OK
Aug 8, 2022 12:37:22.366766930 CEST	49719	587	192.168.2.5	119.59.104.27	RCPT TO:<africawire2018@gmail.com>
Aug 8, 2022 12:37:22.569576025 CEST	587	49719	119.59.104.27	192.168.2.5	250 Accepted
Aug 8, 2022 12:37:22.570023060 CEST	49719	587	192.168.2.5	119.59.104.27	DATA
Aug 8, 2022 12:37:22.770766020 CEST	587	49719	119.59.104.27	192.168.2.5	354 Enter message, ending with "." on a line by itself
Aug 8, 2022 12:37:22.772816896 CEST	49719	587	192.168.2.5	119.59.104.27	.
Aug 8, 2022 12:37:23.125147104 CEST	587	49719	119.59.104.27	192.168.2.5	250 OK id=1oL01g-00Ephe-V7
Aug 8, 2022 12:39:00.131582975 CEST	49719	587	192.168.2.5	119.59.104.27	QUIT
Aug 8, 2022 12:39:00.333028078 CEST	587	49719	119.59.104.27	192.168.2.5	221 ns61.hostinglotus.net closing connection

Target ID:	0
Start time:	12:36:51
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\offer_doc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\offer_doc.exe"
Imagebase:	0x520000
File size:	833536 bytes
MD5 hash:	915026107719604FF39F95CD37C6DA08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.446200384.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_AgentTesla_e577e17e, Description: unknown, Source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	3
Start time:	12:37:02
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\offer_doc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\offer_doc.exe
Imagebase:	0x980000
File size:	833536 bytes
MD5 hash:	915026107719604FF39F95CD37C6DA08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_AgentTesla_e577e17e, Description: unknown, Source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	185
Total number of Limit Nodes:	11

Executed Functions

Function 07105DC8 Relevance: 2.2, Strings: 1, Instructions: 983COMMON

Download Yara Rule

Strings

UUUU, xrefs: 0710629A

Memory Dump Source

Source File: 00000000.00000002.454033005.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_offer_doc.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: 1a5e5e0432d3246e3253de4227a4494c3b52b5790efb7849b167c51dc1035a2c
Instruction ID: 49ea9e0915ef51d38b9c60fcf88d5132d7ba1a57a727b345ddceb80a14161364
Opcode Fuzzy Hash: 1a5e5e0432d3246e3253de4227a4494c3b52b5790efb7849b167c51dc1035a2c
Instruction Fuzzy Hash: 3DA2C675A00228CFDB64CF69C984A99BBF2FF89304F1581E9D509AB365DB319E91CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06ED41D0 Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.452901218.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed0000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c196af66660c35bb659ad67ddcd3ec091d5708553379c4589b496136c7f75ba
Instruction ID: 5f02be53f90b42327fb7b70e0f37ca85df6f7fd369e24b164d712a3572dabf38
Opcode Fuzzy Hash: 9c196af66660c35bb659ad67ddcd3ec091d5708553379c4589b496136c7f75ba
Instruction Fuzzy Hash: 2A123734A10218CFCB54DF68D884A9DB7F2FF85305F1585A9E909AB265DB30ED86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BFC1D9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 123
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00BFC248
GetCurrentThread.KERNEL32 ref: 00BFC285
GetCurrentProcess.KERNEL32 ref: 00BFC2C2
GetCurrentThreadId.KERNEL32 ref: 00BFC31B

Strings

H, xrefs: 00BFC347

Memory Dump Source

Source File: 00000000.00000002.433704991.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_offer_doc.jbxd

Similarity

API ID: Current$ProcessThread
String ID: H
API String ID: 2063062207-1105002124
Opcode ID: cfbe194571669dfb28afd10e2b6df28c74d9452c68c9f82cb85916a010345ab8
Instruction ID: b1a28aa7cdd7356e026630e1d1aa6430d12ab3478632c640197df5a6bf39a70c
Opcode Fuzzy Hash: cfbe194571669dfb28afd10e2b6df28c74d9452c68c9f82cb85916a010345ab8
Instruction Fuzzy Hash: 615175B09042498FDB14CFA9D5487AEBFF0EF89314F24C49AE449B32A1C7345888CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00BFC1E8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00BFC248
GetCurrentThread.KERNEL32 ref: 00BFC285
GetCurrentProcess.KERNEL32 ref: 00BFC2C2
GetCurrentThreadId.KERNEL32 ref: 00BFC31B

Strings

H, xrefs: 00BFC347

Memory Dump Source

Source File: 00000000.00000002.433704991.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_offer_doc.jbxd

Similarity

API ID: Current$ProcessThread
String ID: H
API String ID: 2063062207-1105002124
Opcode ID: 0586281f110dc8e4267c068d3d17d6e459da542dd95905b3b3086c9f660c28a8
Instruction ID: 65570e5aeed111e2f590e8e5f7513c67e2c9b82050d7c253b4001eba991ebbe8
Opcode Fuzzy Hash: 0586281f110dc8e4267c068d3d17d6e459da542dd95905b3b3086c9f660c28a8
Instruction Fuzzy Hash: EC5142B09042088FDB14CFA9D588BAEBFF1EF89314F24845EE449B7290C7756988CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0710F6A8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0710F8DE

Memory Dump Source

Source File: 00000000.00000002.454033005.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_offer_doc.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fc3c835a65563e7111a7acbbd4668b6bd9c5e618be71bd6cfb32a82ba7354300
Instruction ID: d1eba6f7a3dc03a3314236495e7ae4815aea6c230b8a761846b8fc51201cdef1
Opcode Fuzzy Hash: fc3c835a65563e7111a7acbbd4668b6bd9c5e618be71bd6cfb32a82ba7354300
Instruction Fuzzy Hash: 7C916DB1D00219DFDB21CF68C845BDDBBB6BF48314F048569E849A7290DBB49986CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 00BF9F08 Relevance: 1.7, APIs: 1, Instructions: 190COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00BFA14E

Memory Dump Source

Source File: 00000000.00000002.433704991.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_offer_doc.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 888c96084876822cd525f60b2fd2281f0c79ccc772db25d6dfca5eb0197ac46f
Instruction ID: 71085bfaa97d4a0d0a8823d17f7e03c99cdcbd2653b2d6805a8a5164e9d728aa
Opcode Fuzzy Hash: 888c96084876822cd525f60b2fd2281f0c79ccc772db25d6dfca5eb0197ac46f
Instruction Fuzzy Hash: FA710370A00B098FD724DF29D04176AB7F1FF88304F04896ED58AD7A50DB75E95A8F91

Uniqueness

Uniqueness Score: -1.00%

Function 00BF5364 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00BF5421

Memory Dump Source

Source File: 00000000.00000002.433704991.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_offer_doc.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9a75d8d03ad6ceeeb67db583a66db4118095322794923ac27ae3786d4b53d39f
Instruction ID: 42960b2e9efd4e9a2cd5d6673638917987d60ac5e0f2a322316d8539c07a52df
Opcode Fuzzy Hash: 9a75d8d03ad6ceeeb67db583a66db4118095322794923ac27ae3786d4b53d39f
Instruction Fuzzy Hash: BC410471C0461CCFDB24CFA9C844B9DBBF1BF89308F21805AD548AB251DB75598ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BF3E18 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00BF5421

Memory Dump Source

Source File: 00000000.00000002.433704991.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_offer_doc.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a2460ca55945e609a4be9c6390e8031fbb83a69aeab09475326bd72594bc3f50
Instruction ID: 8cb884b2c495817e01acd409c4f38ef1aaffbe28a4b99e506ad65c403a71a7e4
Opcode Fuzzy Hash: a2460ca55945e609a4be9c6390e8031fbb83a69aeab09475326bd72594bc3f50
Instruction Fuzzy Hash: C4411271C0461CCBDB24DFA9C884BDDBBF5BF88308F218059D549AB251DB75698ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 06ED9F4C Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,06EDBD95,?,?), ref: 06EDBE47

Memory Dump Source

Source File: 00000000.00000002.452901218.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed0000_offer_doc.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: a3936cb4bc5f3935ac7057084fd2d3ff0963694456105a9a133b43c3edbccd2a
Instruction ID: 0bbc6b3826f8cd4908c4e129b68fbdb9d270d6cc1905ffea0df0d6f29dda09f1
Opcode Fuzzy Hash: a3936cb4bc5f3935ac7057084fd2d3ff0963694456105a9a133b43c3edbccd2a
Instruction Fuzzy Hash: 0831DDB5D003099FDB50CF9AD884AEEBBF4EF48224F15842AE919A7210D374A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06EDBDA8 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,06EDBD95,?,?), ref: 06EDBE47

Memory Dump Source

Source File: 00000000.00000002.452901218.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed0000_offer_doc.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: c9b9a9c404abf1a971d2b8ba72c21fa3e3ad26c8273f7d2a58968edeed4b42c5
Instruction ID: 7e7c246340a22161e6cf8d698e7157e74277e075cfd649c801ba8023406ed00a
Opcode Fuzzy Hash: c9b9a9c404abf1a971d2b8ba72c21fa3e3ad26c8273f7d2a58968edeed4b42c5
Instruction Fuzzy Hash: 2D31EEB5D003099FDB50CF9AD880ADEBBF4FF48324F15842AE919A7210D774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0710F390 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0710F420

Memory Dump Source

Source File: 00000000.00000002.454033005.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_offer_doc.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 246c86442042d5b040f84506fb093bd4cf58a5810ae01ec495cf2f43d42cf87f
Instruction ID: 801013f3634dc37208e5b2ea72143b9e2e9d0a10187dcffaf72976eab1c9f504
Opcode Fuzzy Hash: 246c86442042d5b040f84506fb093bd4cf58a5810ae01ec495cf2f43d42cf87f
Instruction Fuzzy Hash: 212127B59003199FCB10CFA9C885BDEBBF5FF88314F44842AE919A7280C7789945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00BFC40A Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BFC497

Memory Dump Source

Source File: 00000000.00000002.433704991.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_offer_doc.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f527cba7ac22464023af1b125188bad28bfa598c26624c09d02568d04ade4ae3
Instruction ID: 18131b36c39800b83afc2a018c62dfefd57f3535d4b9c669bc6d940078d17517
Opcode Fuzzy Hash: f527cba7ac22464023af1b125188bad28bfa598c26624c09d02568d04ade4ae3
Instruction Fuzzy Hash: A621F4B59002489FDB10CFA9D584AEEBFF4EF48320F14851AE954B3310C378A945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0710F4B0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0710F530

Memory Dump Source

Source File: 00000000.00000002.454033005.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_offer_doc.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 64def3be929dbe8c9b90a9c011b8c6d256fc361c1a5dc6aa6e3ee2c9b0316088
Instruction ID: ad7e1d3ede4e370fc62ca3b8952cdb2b0cada34d8d699eb2d345354710201711
Opcode Fuzzy Hash: 64def3be929dbe8c9b90a9c011b8c6d256fc361c1a5dc6aa6e3ee2c9b0316088
Instruction Fuzzy Hash: 912116B19002199FCB10CFAAC884AEEBBB5FF88314F54842AE519A7240C7749945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0710F108 Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0710F186

Memory Dump Source

Source File: 00000000.00000002.454033005.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_offer_doc.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: abe1a7586aec562593ffa3cd48b07b8ec8ffe8351c7722f69b1550fea4710701
Instruction ID: aee595b822daa3d3ce1f345392a54eaacf250b2752eddf747b37ffe64444cbbd
Opcode Fuzzy Hash: abe1a7586aec562593ffa3cd48b07b8ec8ffe8351c7722f69b1550fea4710701
Instruction Fuzzy Hash: 5B213AB1D003099FDB10CFAAC4857EEBBF4EF89224F548429D559B7280C778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BFC410 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BFC497

Memory Dump Source

Source File: 00000000.00000002.433704991.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_offer_doc.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7f264d9b95dd616982f228e5de14f0857a734ec7d85dabb90e50fdc9919c5189
Instruction ID: ce8df0fa7fc77e31bbc0b33e781aafb75da4a138d923ec2b39fd1aa84e882955
Opcode Fuzzy Hash: 7f264d9b95dd616982f228e5de14f0857a734ec7d85dabb90e50fdc9919c5189
Instruction Fuzzy Hash: 0221E3B59002089FDB10CF9AD584AEEBBF4EB48320F14841AE914B3310C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BF9468 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BFA1C9,00000800,00000000,00000000), ref: 00BFA3DA

Memory Dump Source

Source File: 00000000.00000002.433704991.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_offer_doc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 75b6cf6d210d54e668e88235dad6906f6cb035de9eb12c14eab96113b13174b9
Instruction ID: ec4e9d463ef42119275529a1296dbf952f2e5a369bdb3c8dab65cd8eafcf919a
Opcode Fuzzy Hash: 75b6cf6d210d54e668e88235dad6906f6cb035de9eb12c14eab96113b13174b9
Instruction Fuzzy Hash: 641103B69042099FDB14CF9AC444BAEFBF4EB89324F14846ED519B7600C374A949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA368 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BFA1C9,00000800,00000000,00000000), ref: 00BFA3DA

Memory Dump Source

Source File: 00000000.00000002.433704991.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_offer_doc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ef904d3529791b64fe1cae5c302757bda728c81b12767873d90e1f7253d08ff2
Instruction ID: 612326fa8c520bbc0cb84b0b6d2700cd0dd47c3e82a973309b6da37e7b299394
Opcode Fuzzy Hash: ef904d3529791b64fe1cae5c302757bda728c81b12767873d90e1f7253d08ff2
Instruction Fuzzy Hash: 4A1133B69002498FDB14CFAAC444BEEFBF4EB89310F04842ED519B7600C374A949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0710F2A0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0710F30E

Memory Dump Source

Source File: 00000000.00000002.454033005.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_offer_doc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0650c22bb6c6e299c8f0b5d4b87ba6d038c665c151f5c90c20c9815148c8564d
Instruction ID: eb67ad459fc4400c4c148b848462a552c7767689d1633ec6f5872fdb1b6d9c1d
Opcode Fuzzy Hash: 0650c22bb6c6e299c8f0b5d4b87ba6d038c665c151f5c90c20c9815148c8564d
Instruction Fuzzy Hash: B51137769002099FCB14CFAAC844BDFBBF5EF88324F148819D519B7250C775A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0710F028 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0710F08A

Memory Dump Source

Source File: 00000000.00000002.454033005.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_offer_doc.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a33ef09b506a3ddb226c6edfb532dc671c760e345cdc0b5b9f98ef5490a1763c
Instruction ID: 0138c90b35fdffecc96a855cc6be1da79e6f7b40fe0b9d67d655d27d24a5de69
Opcode Fuzzy Hash: a33ef09b506a3ddb226c6edfb532dc671c760e345cdc0b5b9f98ef5490a1763c
Instruction Fuzzy Hash: C91166B1D002088FDB24CFAAC4447DEFBF9AF88224F14881AC519B7240C774A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00BFA0E8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00BFA14E

Memory Dump Source

Source File: 00000000.00000002.433704991.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_offer_doc.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2660cd2a73fc22e06f5241a4f856b159b8ca98e11046a63ab4e64555fe7b9462
Instruction ID: bad4c9b03a915e06d43ef695ca40da238ca0c50bb81101465f66e62b488916ff
Opcode Fuzzy Hash: 2660cd2a73fc22e06f5241a4f856b159b8ca98e11046a63ab4e64555fe7b9462
Instruction Fuzzy Hash: A411C0B6C002498FDB14CF9AC444A9EBBF4EF89324F15855AD519B7600C375A649CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06ED4F28 Relevance: .9, Instructions: 909COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.452901218.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ed0000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34af4ee11a5f63baa6b29ff33bd6c92401919e66cd3687a8cbe716e13308c6bb
Instruction ID: 0aa5821b023f6a5191e2185e8ade47b72950d54d24c54d520e316b759540c3c5
Opcode Fuzzy Hash: 34af4ee11a5f63baa6b29ff33bd6c92401919e66cd3687a8cbe716e13308c6bb
Instruction Fuzzy Hash: 16726730E00319CFCB50DFA8C984AADBBF2FF88304F1595A9D446AB255D730A996CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00BFF0D0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433704991.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29018155eb4d4d75e310a851b365f75c4d90a4b9cd1e9c0ff956b744dc4063be
Instruction ID: ab5239f5e88fded2119cb752e8de8353e2d99259ce79a4f1154a7a6465ce7b36
Opcode Fuzzy Hash: 29018155eb4d4d75e310a851b365f75c4d90a4b9cd1e9c0ff956b744dc4063be
Instruction Fuzzy Hash: 9A128AF2411F45CEE718CF66ECA85893B61B78532AF504B09D2653AAF2D7B8114ECF84

Uniqueness

Uniqueness Score: -1.00%

Function 00BFCD04 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.433704991.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bf0000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4345cf59d15974db60c1a4b0e25240c100d5b53181ad4281cce72ee2ce143ab8
Instruction ID: ea35f8e207dadd5c5ed69cbe250deabef65c837db19c39c8c20ca83bad4a5805
Opcode Fuzzy Hash: 4345cf59d15974db60c1a4b0e25240c100d5b53181ad4281cce72ee2ce143ab8
Instruction Fuzzy Hash: 32A14D36E0021D8FCF05DFA5C9445ADBBF2FF85300B1585BAEA15AB261EB31E959CB40

Uniqueness

Uniqueness Score: -1.00%

Function 07105590 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454033005.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5976718f4d39fcb2d2c9ceb93e6553d7662c4f2704d01089604e9f283018be3b
Instruction ID: 8ac713c5d078958c60ad48060350d3efb2a4b0435c294b196d57b4c6095c036b
Opcode Fuzzy Hash: 5976718f4d39fcb2d2c9ceb93e6553d7662c4f2704d01089604e9f283018be3b
Instruction Fuzzy Hash: 74614D70E052488FD749EF6BE841A8ABBF3EBC4305F04C47AE1149B264EB725947CB90

Uniqueness

Uniqueness Score: -1.00%

Function 071055A0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454033005.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0692148e67da645912b0c91e9eb0c1eccf6ba8468c4d450a03abc2e0cd560a12
Instruction ID: 3f5b93771306f03a1086bc5ae235bf32b6ee83a73fd2dc245f2d69aa568da005
Opcode Fuzzy Hash: 0692148e67da645912b0c91e9eb0c1eccf6ba8468c4d450a03abc2e0cd560a12
Instruction Fuzzy Hash: 07612C70E052488FD749EF6BE841A99BBF3EBC4305F04C47AE1149B264EB725946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07106F9A Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454033005.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5c1f00111a1695bbe336eeca225bbb55a7a7461af045085aa18df30023f3f5
Instruction ID: 91f359ba7de50b66ee31627a7a18faa274a4b03cdca507c41ae696be20525eda
Opcode Fuzzy Hash: 6f5c1f00111a1695bbe336eeca225bbb55a7a7461af045085aa18df30023f3f5
Instruction Fuzzy Hash: 254134B1E05A588BEB5CCF6B8D4028AFAF7BFC9201F14C5BA855CAA254EB7015428E41

Uniqueness

Uniqueness Score: -1.00%

Function 07106FA8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.454033005.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c8e6a3d9eb9ba5b0a91696a65be40b15a9da6ce719976ba284e870faae05c1
Instruction ID: 38e033e18de93df67c094d5329d806c8e8748c42386bc5728b3884ee9fb791f2
Opcode Fuzzy Hash: f6c8e6a3d9eb9ba5b0a91696a65be40b15a9da6ce719976ba284e870faae05c1
Instruction Fuzzy Hash: 5F4130B1E05A588BEB1CCF6B8D4068EFAF7BFC9301F14C5BA850DAA259EB7015458E41

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: offer_doc.exePID: 4516, Parent PID: 5428COMMON

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.9%
Total number of Nodes:	105
Total number of Limit Nodes:	7

Executed Functions

Function 0637C0C4 Relevance: 3.2, Instructions: 3151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3daf4cc2bf43b45a719119c778edd3d63f9db2c0c9177e06939d0e91e99abf4b
Instruction ID: a48c7fa3c4087574167f1c0df80b366e16cd5f7fb246f81510e47d8ca9790754
Opcode Fuzzy Hash: 3daf4cc2bf43b45a719119c778edd3d63f9db2c0c9177e06939d0e91e99abf4b
Instruction Fuzzy Hash: 6E631F31D106598ECB61EF68C844A9DF7B1FF89304F15D69AE458B7221EB34AAC4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0637BFB8 Relevance: 2.9, Instructions: 2896COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766066d5a47f0ac04b57871fd8b27b8f987ca48b48167937b079293b4ecbe0a8
Instruction ID: c7cfae2cc61d118354c26ec40ea3e1656a83e13662594aa8cc7f661e171367a7
Opcode Fuzzy Hash: 766066d5a47f0ac04b57871fd8b27b8f987ca48b48167937b079293b4ecbe0a8
Instruction Fuzzy Hash: 4963FE30D10659CECB61EF68C884A99F7B1FF99300F15D69AE45877221EB74AAC4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 06378440 Relevance: 1.7, Instructions: 1739COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500592bdbb41b3fd3597b606499908c4fe18ddbdaeb10443353bfc9d7c87a2b6
Instruction ID: 2dcde4bab825ade37b9cb361d7d2de0769ed041f2818571fc3e503ebe2688a54
Opcode Fuzzy Hash: 500592bdbb41b3fd3597b606499908c4fe18ddbdaeb10443353bfc9d7c87a2b6
Instruction Fuzzy Hash: C2D2B030F002059FDB64DBA9D888BADBBE2AF85314F148539E505DB3A5DB38DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 066AB210 Relevance: 1.7, APIs: 1, Instructions: 185
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 066AB251

Memory Dump Source

Source File: 00000003.00000002.682188533.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66a0000_offer_doc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 58dcd78f65c514e706d786dc5afbe88c3af18e24c9a5454ebafc6f71ef156f1b
Instruction ID: c913cfb07145a24ba2e9dbc8ac37fdd5836cebc14eacf65dcb11148e18ba30b6
Opcode Fuzzy Hash: 58dcd78f65c514e706d786dc5afbe88c3af18e24c9a5454ebafc6f71ef156f1b
Instruction Fuzzy Hash: 27712830A00309CFDB54EFB5D5586AEBBB2EF84309F108529D006AB7A8DB759D46CF81

Uniqueness

Uniqueness Score: -1.00%

Function 066F4190 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<Ul, xrefs: 066F437E

Memory Dump Source

Source File: 00000003.00000002.682236032.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_offer_doc.jbxd

Similarity

API ID:
String ID: <Ul
API String ID: 0-802154676
Opcode ID: db8187f4ab6721d3e958419844a32afcb2aae7871820f5f1dce270049baecf10
Instruction ID: 30250374f2a9549e6642147d8b619dda6ab34c80d653bfb2fc90294c0823dab4
Opcode Fuzzy Hash: db8187f4ab6721d3e958419844a32afcb2aae7871820f5f1dce270049baecf10
Instruction Fuzzy Hash: B8D15670A107048FDBA4DF69D444BAABBF1BF88304F108929E54AEBB51DB35E905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 066F64CD Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066F65EA

Memory Dump Source

Source File: 00000003.00000002.682236032.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_offer_doc.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 650dc459a69e5b2b050c717f02ce5861e988f1d1cbeb9a4e0ac60867313effa0
Instruction ID: e088dd867a0157491001bb0f0c3aa7964af3fe82b500787d354d419204e10bcf
Opcode Fuzzy Hash: 650dc459a69e5b2b050c717f02ce5861e988f1d1cbeb9a4e0ac60867313effa0
Instruction Fuzzy Hash: EE51CEB1D102099FDF14CFAAC884ADEBBB5FF88314F24812AE919AB210D7709845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 066A6A08 Relevance: 1.6, APIs: 1, Instructions: 117
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 066A6B21

Memory Dump Source

Source File: 00000003.00000002.682188533.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66a0000_offer_doc.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2c9882a8a7cd99d96f87eba2e48b4011699243533a52b0225cc9a145ead6b060
Instruction ID: cfefa63fcc297c5ded2aff0ee7b74359b192463fc7d2f6992610e17e13347aa8
Opcode Fuzzy Hash: 2c9882a8a7cd99d96f87eba2e48b4011699243533a52b0225cc9a145ead6b060
Instruction Fuzzy Hash: 114104B1E003589FCB10CF99C984A9EBBF5AF48704F18812AE819EB354D7749D16CF91

Uniqueness

Uniqueness Score: -1.00%

Function 066A6752 Relevance: 1.6, APIs: 1, Instructions: 116
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 066A6864

Memory Dump Source

Source File: 00000003.00000002.682188533.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66a0000_offer_doc.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 272546e133b71114f69c95c80f80c6445f9834965c304b30cb4c5c14cda285aa
Instruction ID: 6623ac9d8dd6d75f1da75cc20b0488cc7fdd1b7ad5fe6f582ddd0e7559100844
Opcode Fuzzy Hash: 272546e133b71114f69c95c80f80c6445f9834965c304b30cb4c5c14cda285aa
Instruction Fuzzy Hash: 184157B1D003499FDB40CF99C584B9EFBF5AF49314F19816AE408AB341D775A845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 066F64D8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 066F65EA

Memory Dump Source

Source File: 00000003.00000002.682236032.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_offer_doc.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 41f015cc710972e792fa52f723f970814b95ae87205bb1b17db6106cc7f1460d
Instruction ID: 404aedf15bdf41861069d099d5c715b6c8711d76ad12b00c3ff9bd560645afb1
Opcode Fuzzy Hash: 41f015cc710972e792fa52f723f970814b95ae87205bb1b17db6106cc7f1460d
Instruction Fuzzy Hash: 7041CEB1D103499FDB14CF9AC884ADEBBB5BF88314F24822AE919AB210D7759845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 066F3C24 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 066F8CD1

Memory Dump Source

Source File: 00000003.00000002.682236032.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_offer_doc.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: c988f08a5d002fc85dfb7a129aa75d89932f66e6b2332051042455155f7514b8
Instruction ID: 8194e2e9017b7ae24fa2048a45d02392450f5efae85408b7d83c8e423371390f
Opcode Fuzzy Hash: c988f08a5d002fc85dfb7a129aa75d89932f66e6b2332051042455155f7514b8
Instruction Fuzzy Hash: 3C414CB4910205CFDB54CF59C488AAAFBF5FF88314F25859DD619AB321D774A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0140C8E4 Relevance: 1.6, APIs: 1, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 0140C9BA

Memory Dump Source

Source File: 00000003.00000002.675700052.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1400000_offer_doc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9e1c56d1476e2b7e18011d8401c46f639263fbbcf091137c8af537b0233c4c96
Instruction ID: b25565e3e555803ef313f7aa98c7790c3d346645f4e9e03bd713592a44822f8f
Opcode Fuzzy Hash: 9e1c56d1476e2b7e18011d8401c46f639263fbbcf091137c8af537b0233c4c96
Instruction Fuzzy Hash: 8E3127B0D00249CFDB15CFA9C485BEEBFB1BB48314F14826AE815A7390D7749486CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01409DC0 Relevance: 1.6, APIs: 1, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 0140C9BA

Memory Dump Source

Source File: 00000003.00000002.675700052.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1400000_offer_doc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 56c95dec3fbc63f2d0a6f615155ce20c4c56410e35260a6d0c9132a60cb9ffe4
Instruction ID: 8355e8b234a011b20acfa8ef0216932355270214d49c2b1e6780b48c4284af7d
Opcode Fuzzy Hash: 56c95dec3fbc63f2d0a6f615155ce20c4c56410e35260a6d0c9132a60cb9ffe4
Instruction Fuzzy Hash: EA3136B0D00249DFDB15CFAAC485BEEBBB1BB08314F14826AE815A7390D7749486CF96

Uniqueness

Uniqueness Score: -1.00%

Function 066A60B4 Relevance: 1.6, APIs: 1, Instructions: 88
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 066A6B21

Memory Dump Source

Source File: 00000003.00000002.682188533.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66a0000_offer_doc.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 39de4475a4fe9dc41389afbdd0621565006441a49c4e4692eceb191e53f6762c
Instruction ID: e1fd00498d4aea9a2c8017a0a6dd1f3f3d656507c36e82cdb3d6955192c19b8a
Opcode Fuzzy Hash: 39de4475a4fe9dc41389afbdd0621565006441a49c4e4692eceb191e53f6762c
Instruction Fuzzy Hash: E931CFB1D003589FCB10CF99C884A9EBBF5BF48714F59812AE819AB354D7709915CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 066AB1B1 Relevance: 1.6, APIs: 1, Instructions: 82libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 066AB251

Memory Dump Source

Source File: 00000003.00000002.682188533.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66a0000_offer_doc.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e8d7ee64bcbba4b543c0389684ff1c0d94b5bcd40f6efae6e7d68cfc4510029c
Instruction ID: f1a7f0044f6af1d83c293124cae95127213978a5cd8da5c2938af8a54da7c881
Opcode Fuzzy Hash: e8d7ee64bcbba4b543c0389684ff1c0d94b5bcd40f6efae6e7d68cfc4510029c
Instruction Fuzzy Hash: 3F317A30A01349DFCB19DFA4D9996ADBBB2EF81304F14846AD040DB3A6DB359C46CF40

Uniqueness

Uniqueness Score: -1.00%

Function 066A67B0 Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 066A6864

Memory Dump Source

Source File: 00000003.00000002.682188533.00000000066A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66a0000_offer_doc.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8224d4c2570042a6545c14e8f1c67a8a4a266b0beb858164fd921494f5231680
Instruction ID: 3ffa0eddfc796e2ffbb176732ac08ca281946766ef4db023c77189b17942b37a
Opcode Fuzzy Hash: 8224d4c2570042a6545c14e8f1c67a8a4a266b0beb858164fd921494f5231680
Instruction Fuzzy Hash: E031EDB0D013899FDB04CF99C584A8EFBF5AF49304F29816AE809AB341C7759985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01404F1F Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 01404FED

Memory Dump Source

Source File: 00000003.00000002.675700052.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1400000_offer_doc.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 3a27324dbc9a1cb39826cb6604eb6fb51d5a806f7925cb068a6b9a1c7509f7e8
Instruction ID: 92880a8ea08e2dd590dce2ee23341ab7cca9f96431aeb5f67a022a982da43ad2
Opcode Fuzzy Hash: 3a27324dbc9a1cb39826cb6604eb6fb51d5a806f7925cb068a6b9a1c7509f7e8
Instruction Fuzzy Hash: D5219A708113058FDB11DF5AE04D39EBFF0EF05324F14842EE504A62A1DB7994458FA1

Uniqueness

Uniqueness Score: -1.00%

Function 01404CBB Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 01404D42

Memory Dump Source

Source File: 00000003.00000002.675700052.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1400000_offer_doc.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 7d4414c12de93f006dd3d0c12b196886a46d0b48dff9e642fcd1f550196e0ad5
Instruction ID: c7f2865f78614d1efd295d4cfa4a6e41b1c52b76a93efa56e2c3e65508164c9d
Opcode Fuzzy Hash: 7d4414c12de93f006dd3d0c12b196886a46d0b48dff9e642fcd1f550196e0ad5
Instruction Fuzzy Hash: 4621CAB18013448FDB11DFA9D51879EBFF0EF49324F28806AD405A76A1D7385406CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01404CC8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 01404D42

Memory Dump Source

Source File: 00000003.00000002.675700052.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1400000_offer_doc.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 406c0fe0e3cad0b232d75290440da750196617608ca18137a02d84c1200de3f9
Instruction ID: c23ac853a0fb773acd3e000edff1c56f06b75f95afa1e34678a192259c73d46e
Opcode Fuzzy Hash: 406c0fe0e3cad0b232d75290440da750196617608ca18137a02d84c1200de3f9
Instruction Fuzzy Hash: CA119A719013458FDB10DFAAD408B9EBFF4EF89324F24802AE505A77A0DB796445CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 066F4888 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 066F48FA

Memory Dump Source

Source File: 00000003.00000002.682236032.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_offer_doc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 058bda8418da89957da3d23f05a4c81d633c80fc7a45b80b8c7a871f07238a45
Instruction ID: 35e3ad9e98df4554eccfcaf18e9bea2d8afdc54166ae8e8ea14b0b04ea08f5f4
Opcode Fuzzy Hash: 058bda8418da89957da3d23f05a4c81d633c80fc7a45b80b8c7a871f07238a45
Instruction Fuzzy Hash: 461130B2D002499FCB10CF9AD444ADEFBF4EB88324F14842AD929A7700C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 066F4890 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 066F48FA

Memory Dump Source

Source File: 00000003.00000002.682236032.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_offer_doc.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 07ede74655899ad068dd633821ed40fe18331d813f70e9fa5fa25214575ef974
Instruction ID: 62a9c33f18443da26070a7c7f8a771493106045c3f0d39cac5747b327ac9c06d
Opcode Fuzzy Hash: 07ede74655899ad068dd633821ed40fe18331d813f70e9fa5fa25214575ef974
Instruction Fuzzy Hash: A11112B6D002499FDB10CF9AD444ADEFBF4EB88324F14842AD525A7700C775A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 066F3954 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 066F468E

Memory Dump Source

Source File: 00000003.00000002.682236032.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_offer_doc.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e8a889c7b2c98a1d8fcd6581cd17b7fee169c2a9db8343ffcc9aa467046c19aa
Instruction ID: ba25946d8a63de01b08b71f5314aa3e62d492057e28d5432c072fd825b950361
Opcode Fuzzy Hash: e8a889c7b2c98a1d8fcd6581cd17b7fee169c2a9db8343ffcc9aa467046c19aa
Instruction Fuzzy Hash: D61120B1C002498FDB10CF9AC844BDFFBF4EF88224F10841AE919A7600C775A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 066F9CE0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 066FAC25

Memory Dump Source

Source File: 00000003.00000002.682236032.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_offer_doc.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 1ad5409c40df69e85d8b2f258d0f5d441072bf3be66cb9b419c60c4e5faec024
Instruction ID: c31801222af0dd884fcd602f377a7f32c6ac0c8431bf46b88b00df1284a5c797
Opcode Fuzzy Hash: 1ad5409c40df69e85d8b2f258d0f5d441072bf3be66cb9b419c60c4e5faec024
Instruction Fuzzy Hash: 821103B1900249CFDB50DF99D484BDEFBF4EB49224F148519D519B7700C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 066FABC8 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 066FAC25

Memory Dump Source

Source File: 00000003.00000002.682236032.00000000066F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_66f0000_offer_doc.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d8583a8523d786ddea6dcb22259760d40abe9972a057f2d20d3262ae8b37ae8e
Instruction ID: 19d52b14b9cd2576d4ed711fbabc7a76c6c12af520eaab61720bf01fbf03c621
Opcode Fuzzy Hash: d8583a8523d786ddea6dcb22259760d40abe9972a057f2d20d3262ae8b37ae8e
Instruction Fuzzy Hash: 1D1112B18002498FDB50DF9AD589BDEFBF8EB88324F248419D559B7700C378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0100DA00 Relevance: 1.1, Instructions: 1098COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.674277845.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_100d000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6346e808d32bab65d318039e8e6fb3ee6ffc517bb6d8477fd5108f08faaa9f84
Instruction ID: 51081b89b3a89442294bdbb9fbbde9f97a38f6ea80ef7ae22c8bc36c2609e933
Opcode Fuzzy Hash: 6346e808d32bab65d318039e8e6fb3ee6ffc517bb6d8477fd5108f08faaa9f84
Instruction Fuzzy Hash: 7C42C7B284A3C19FD3474FB488112917FB1EF67225F1A41EAC081CA5A3E26D4D5ACB66

Uniqueness

Uniqueness Score: -1.00%

Function 063761C8 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6b387fd6e72cc9180bfba43e6e5905d47a8cc35d97c99a9623b91d91ca5005
Instruction ID: ed10c3725f053c09ee148523071defb986dee9513a12d9842c9d006c0dd89f21
Opcode Fuzzy Hash: ae6b387fd6e72cc9180bfba43e6e5905d47a8cc35d97c99a9623b91d91ca5005
Instruction Fuzzy Hash: 7A429E30E006048FDBA4DB68C4A5AADB7B2FF86314F148869E409DB761DB39DC49CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06374EB0 Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df43a99b9b8047fd9c5e8929798478d282a1e17e57b7b89e604f7f87e13ec65f
Instruction ID: 1bef91809973a86da1cc8763a19a8a5b4a3f29fac38435db4a967b49fb859189
Opcode Fuzzy Hash: df43a99b9b8047fd9c5e8929798478d282a1e17e57b7b89e604f7f87e13ec65f
Instruction Fuzzy Hash: F7129231B142048FDB65DB78D8446AE7BF2AF89325F15846AE405DB361DF38DC09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06376FB0 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a1a85f9b103f0383428b78b095a09d48a1ca9a17eaca571c510a07e6479c37d
Instruction ID: 17bb4e1f0e7f7371a7fd3ddbecca61444a5e4be506d69569bdf1e0808d06d4bf
Opcode Fuzzy Hash: 9a1a85f9b103f0383428b78b095a09d48a1ca9a17eaca571c510a07e6479c37d
Instruction Fuzzy Hash: 2D029C31B002098FDB55DBB4D858AADB7F2AF85305F148429E50ADB3A5DF38DD0ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 063768D0 Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973a58cf2b419bdc15eb2079a4445ed272d7f19908b1b848988afa334b913f86
Instruction ID: 15a319e64802b9349fdc96fac97c045e6b4f4fed91297336be78f656f7c82ac0
Opcode Fuzzy Hash: 973a58cf2b419bdc15eb2079a4445ed272d7f19908b1b848988afa334b913f86
Instruction Fuzzy Hash: 92E15930A00604CFC764DB64D4A9A9DBBF2EF85319F14886DE41A9B761DB39DC4ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 06378391 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e799f5f89c3a5056cc0427e20fc7a43894d80e50b421cc7d631d9f1655acb3a1
Instruction ID: d97b1707faf5afb35cd32bef866637cbe21bbec50410cdfcb88778859c344888
Opcode Fuzzy Hash: e799f5f89c3a5056cc0427e20fc7a43894d80e50b421cc7d631d9f1655acb3a1
Instruction Fuzzy Hash: A3D13C30E111099FEBB0DB68D4887ADB7E2EB45314F548876E409DB3A1DB38DD89CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0637A0C8 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adba6553c8c388c9af0082514568c3e80f7504d08a24ab7e683568df6fa54fd8
Instruction ID: fe3c7009933aaa96104967f3639a447d58bdc2618ba784fc9f1fbbd09a95bfb5
Opcode Fuzzy Hash: adba6553c8c388c9af0082514568c3e80f7504d08a24ab7e683568df6fa54fd8
Instruction Fuzzy Hash: ED919E30B042098FDB54EFB5D8996AD77F2EF84209B14882DE506DB764DF349D0ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 0637A068 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5861253c1a6eb9cfc70e7488223836ed3a55b31d6b99ee788e876e8e00da333
Instruction ID: 7c92cea2eb6f8ae941b6ff2cde999163e4019b0d6601e051650bc4382fdf892a
Opcode Fuzzy Hash: e5861253c1a6eb9cfc70e7488223836ed3a55b31d6b99ee788e876e8e00da333
Instruction Fuzzy Hash: 1871A030B053058FDB54EB75D89866E77E2AFC4209F148839E402DB7A4DF39D90ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 0637BCF8 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2338c40a73a6205773c5a7ace9d0d477ed3fbe0b0cbac94b896476ec1edbfe5e
Instruction ID: 7a2ecd129e058c4d32d0fabc2aabd0922cbda9b2aaa6391972251852ef7b202a
Opcode Fuzzy Hash: 2338c40a73a6205773c5a7ace9d0d477ed3fbe0b0cbac94b896476ec1edbfe5e
Instruction Fuzzy Hash: 8771F430E002048BDB60CF69D8857ADFBF6AFC5304F24C1AAD50A9B795DB79C849CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06379C90 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff1bf1e20b0786197b905de55a5bc59f5b0b10da4d7846e3cc0d749a916a610
Instruction ID: 65883503ee173f5cc5ef1115c776cca7f8b48a736f9f2275421e5977c01de62d
Opcode Fuzzy Hash: 5ff1bf1e20b0786197b905de55a5bc59f5b0b10da4d7846e3cc0d749a916a610
Instruction Fuzzy Hash: 6C71E530B013098FCB54EBB9D494AAE7BF2BF89205B148579D005E7765EF38DC068B91

Uniqueness

Uniqueness Score: -1.00%

Function 0637B980 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee751447cb798f43090607414f81787b3543bc5f5c1b989e8920118398fc9aa
Instruction ID: e088efc152d2a170a705142afdc56b29740a3fa62fdf6c39d68fb0979980a6be
Opcode Fuzzy Hash: bee751447cb798f43090607414f81787b3543bc5f5c1b989e8920118398fc9aa
Instruction Fuzzy Hash: E661D331B0D3858FD7529B78982876A7FF69FA2204F1980B7D185CB397E638CC0A8751

Uniqueness

Uniqueness Score: -1.00%

Function 0637BBF9 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cadfd97085cb84ded29a18bbb066d1fc1d1df4427b8951cae8eb849997d8e34
Instruction ID: c8c4ce8cc241934d437dc70716d92237cda379a8b248adc1f399462876d4098f
Opcode Fuzzy Hash: 4cadfd97085cb84ded29a18bbb066d1fc1d1df4427b8951cae8eb849997d8e34
Instruction Fuzzy Hash: C851FD30F082448FD7614729D94576ABBBA8BD2344F28C1F6D109CFB96D67EC84B8392

Uniqueness

Uniqueness Score: -1.00%

Function 0637A5C9 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47bff12c8cebd72e82275aae602aa1535fc383681ee438beb19dc8ddf3905c97
Instruction ID: 21a2c341065472f500645b2a2df1133dc40d58f94f8117f1e16a6ee84974c38c
Opcode Fuzzy Hash: 47bff12c8cebd72e82275aae602aa1535fc383681ee438beb19dc8ddf3905c97
Instruction Fuzzy Hash: 4141E432B083448FD781D77DC855A6E7BF6DF99204F158076E108DB396DA38DD068791

Uniqueness

Uniqueness Score: -1.00%

Function 06376F50 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5407cf68c6bb9c458bb5eb786e5c88ffa538df63e89a0ac611027a4a8f764f
Instruction ID: 4677747f477f54919e122b8a7ed6991c26d8dcac8d7118c10da78150777f8747
Opcode Fuzzy Hash: 4b5407cf68c6bb9c458bb5eb786e5c88ffa538df63e89a0ac611027a4a8f764f
Instruction Fuzzy Hash: D741D335B043088FCB55A779886866E77E3EF89304B508579E50ADB3A5DF38DC0A87D2

Uniqueness

Uniqueness Score: -1.00%

Function 06375430 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5880a66d9b72bbd673bb565415b21ac4add72e6bd6e95a54616a29603f32de1c
Instruction ID: 779ce7c4d0460f3058c8109b57a8fc435a8e4f919b273cd74b0501bb133d63d1
Opcode Fuzzy Hash: 5880a66d9b72bbd673bb565415b21ac4add72e6bd6e95a54616a29603f32de1c
Instruction Fuzzy Hash: 8651FD79E00208DFCB81EFA4E5959CDBBB2FF88305B518926D411A7728DB34AD46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0637542E Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1ae5afea0c43899ad5b2867cd17dfc500c3e392dcd4aeebc47526aa193f7f7
Instruction ID: 7b900623a96d9af2bffe7e63b07f8a29174f8abcff894ad3989a92cefb677129
Opcode Fuzzy Hash: 0c1ae5afea0c43899ad5b2867cd17dfc500c3e392dcd4aeebc47526aa193f7f7
Instruction Fuzzy Hash: 9251FD79E00208DFCB81EFA4E5959CDBBB2FF88306B514926D411A7728DB34AD46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0637F0F0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36315942e00520c72aa325b1fe1f5280da0bccd161c2bf0dcc76420567a68234
Instruction ID: 4f147d03efaf413b3aab0b4b480feb39ef69e61c287dce97c3732e7c9fcb8955
Opcode Fuzzy Hash: 36315942e00520c72aa325b1fe1f5280da0bccd161c2bf0dcc76420567a68234
Instruction Fuzzy Hash: BC41BFB1F002044BDB64DBA9C8857AEBAE2FF89354F54853DD40AEB754CA38D8068791

Uniqueness

Uniqueness Score: -1.00%

Function 06375B19 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9009e82b03f31d2817df4f05bb9d49fbc4a4cffc286f77c26042708f980c40c7
Instruction ID: ba75c62e18732e8f7811aa24306c51cea952d30c23fb9d88fc8325e2bc83a1ef
Opcode Fuzzy Hash: 9009e82b03f31d2817df4f05bb9d49fbc4a4cffc286f77c26042708f980c40c7
Instruction Fuzzy Hash: A531F231F002058FDB68AB74C5586AEB7E6EF88219B144829E402EB354DF38DD4ACBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06375B28 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87953dfa86102a063aa95d12adf8d42c8af03380bae4add1b062b1ba1be8439e
Instruction ID: d4d2fea38cdb8601e11c7426efe47ed433d21619425439ef100283fb177545f9
Opcode Fuzzy Hash: 87953dfa86102a063aa95d12adf8d42c8af03380bae4add1b062b1ba1be8439e
Instruction Fuzzy Hash: 1F31D230F002048FDB68AB74C554AAEB7E6EF88255B144829E006DB354DF39DC46CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 06376E30 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5beb3533f7757dbce7270ab248e6b2c23c5478de8495da295ad45a66414d5d2d
Instruction ID: 004762aad53965935c0ef774294e61bee60a2e3bfcd1740a13da40c0b692e3e8
Opcode Fuzzy Hash: 5beb3533f7757dbce7270ab248e6b2c23c5478de8495da295ad45a66414d5d2d
Instruction Fuzzy Hash: 3D21D631F006088FC7D0EB79DC56AAE77F2EB89205F14806AE109D7355EB38AD0687D1

Uniqueness

Uniqueness Score: -1.00%

Function 06379B10 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c611aa6367bbf10e0b7e725fa6e787ab029d82c94172e834ec9935137888091e
Instruction ID: a4ef74394b49d5af42fe2ab1fffebdc4b615e6e73356529e050dab08e294ca43
Opcode Fuzzy Hash: c611aa6367bbf10e0b7e725fa6e787ab029d82c94172e834ec9935137888091e
Instruction Fuzzy Hash: 4221E431F042154FCB90EB78CC55A6E77F6EB89214B14846AD508E7395EA38AC0687D1

Uniqueness

Uniqueness Score: -1.00%

Function 06379F48 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c80a647b360b05a4169da6fef80075d7cf5a3b90903c336fdeaf2cc9ad1ce7
Instruction ID: 7a93274466c06dfdff1612cd1b062d5f50a652e4122134458d26e9a9ecdfe1e4
Opcode Fuzzy Hash: 25c80a647b360b05a4169da6fef80075d7cf5a3b90903c336fdeaf2cc9ad1ce7
Instruction Fuzzy Hash: A721B431B042048FCB90EB79DC55AAE77F6EFC9201B54846AE118D7355EB389D0A87D1

Uniqueness

Uniqueness Score: -1.00%

Function 06374E60 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97a9247f198f32e3e08fd60e3ebcdb45326a30c47aa09dbe29436615c369847
Instruction ID: 8d3eb02b955a0efb12cba52d832ed12b74082934a65730d3c1abbe5fa39c0e2b
Opcode Fuzzy Hash: b97a9247f198f32e3e08fd60e3ebcdb45326a30c47aa09dbe29436615c369847
Instruction Fuzzy Hash: 1021BF70E052099FCB54CFA9D884A9EBBF6EB88314F14807AE508D7342E734E946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0100E3DC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.674277845.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_100d000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9258ad9a869c84451fac0681b4cf033f63f7d8dd1a33d601525d7b17b295550f
Instruction ID: bc5c3bf66daad75d1dca0b06598db510acc2f87fda110a0456bd3aa0a1ef7e55
Opcode Fuzzy Hash: 9258ad9a869c84451fac0681b4cf033f63f7d8dd1a33d601525d7b17b295550f
Instruction Fuzzy Hash: 4F214C71504200DFEB06CF14D5C4B26BBA5FB88324F24C9BDD9895B297C736D846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0637A4B0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5ea4298ea713800cbcc98135443b1f71d16c19f1c93a343da6da7cb894c221
Instruction ID: 32b1c3c4906c2dff0b1d2f4a04ed8b048ca896ae7372cade6868d0293f6ffa6b
Opcode Fuzzy Hash: fd5ea4298ea713800cbcc98135443b1f71d16c19f1c93a343da6da7cb894c221
Instruction Fuzzy Hash: A5116034E142048FCB20DB68D480AAE77F5EF89214F0144A6D985DB361EB34ED09CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0637B8B9 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed139f5a528a109c2eba24b6ae5617709a4102e2799f4bc8d4dd398683cb203f
Instruction ID: 50a8e9e70e4a045572373dae22683e906293552113051069b857d0c2eac71bf0
Opcode Fuzzy Hash: ed139f5a528a109c2eba24b6ae5617709a4102e2799f4bc8d4dd398683cb203f
Instruction Fuzzy Hash: 2111B23170D3815FD7069729C819756BFB69BA2204F19C4BBD084CB7A3DA3DCC0A8B11

Uniqueness

Uniqueness Score: -1.00%

Function 0637A4C0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b120f314e9a346651603bc223cc5b43f930c921851ca9e1246e56ca1231fc82b
Instruction ID: 5c096de073c882e2c66765c870a34d7b2f2ebef1ff608fd8ef2fb18e1e038c85
Opcode Fuzzy Hash: b120f314e9a346651603bc223cc5b43f930c921851ca9e1246e56ca1231fc82b
Instruction Fuzzy Hash: C3111C34F141058FCB60DB69D480AAEB3F5EF89224F1144A6E946DB350EB34ED05CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06376E90 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1987bed4a515ee94a64d0fcd03dfc2e8d8e62ea87927fdcb61b4adc617d0b3f
Instruction ID: 5c3536063133454f034621345735c820f23aa01be257efc3b87f4c00bb319566
Opcode Fuzzy Hash: e1987bed4a515ee94a64d0fcd03dfc2e8d8e62ea87927fdcb61b4adc617d0b3f
Instruction Fuzzy Hash: 83113031B006188F8B90EB79D8569AE77F6BF892157504429D509E7314EB389D028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0637A6C8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0aafae5a5438ba42ae01a8253fd02335dc136ebb3c4e6ae607cd25042c98b8
Instruction ID: 06ffc2981c93fbc3ee57b8cff45001f16957c5b67b5927b2bf1623e9bb0fd33a
Opcode Fuzzy Hash: 6b0aafae5a5438ba42ae01a8253fd02335dc136ebb3c4e6ae607cd25042c98b8
Instruction Fuzzy Hash: E9113035B002148F8B90EBB8D8559AE77F6FF8D2157508429D509E7318EB389D028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 06379B70 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3ea05499d5f45a7cdabfb976127f02a17c948ebc8388c4a6a4be578b9897ba
Instruction ID: d7e0f3a1379032012c57159f1149ede459cbfed8f12f29b07ab8a52d70f20588
Opcode Fuzzy Hash: cf3ea05499d5f45a7cdabfb976127f02a17c948ebc8388c4a6a4be578b9897ba
Instruction Fuzzy Hash: C2117C31F002188F8B94EFB8D8559AE77F6FF882117508429D119E7354EB38AD018BE1

Uniqueness

Uniqueness Score: -1.00%

Function 06379FA8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 687dfa46d89d6aad70a83498c24409d6b880e6275087d8059cab3e99c58b039c
Instruction ID: 8b7fa59ef29cfd2b0f327e90f2ee7b38e5dcaaefa1a845d95cf6d353c42af413
Opcode Fuzzy Hash: 687dfa46d89d6aad70a83498c24409d6b880e6275087d8059cab3e99c58b039c
Instruction Fuzzy Hash: 12117931B002188F8BD0EBB8D8959AE77F2FF882117508429D109E3354EB38AD068BE1

Uniqueness

Uniqueness Score: -1.00%

Function 06377588 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f10e31ca1f794abae012c748023cf5d5dad36a04ddada9066928c5fe3e5bc86
Instruction ID: e9fba09b7c09266bc16ba7ed3473225d3b14e8f634a33827180a6ae79883c1bc
Opcode Fuzzy Hash: 5f10e31ca1f794abae012c748023cf5d5dad36a04ddada9066928c5fe3e5bc86
Instruction Fuzzy Hash: CB117C31B002198F8BD0EF78D8569AE77F2FF892157508429D109E3314EB38AD068BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0637BB70 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b03e6d6bbef8a8c8cc499c4884d93a7139713d8b2225927c318e4656af1cb6b
Instruction ID: 932ee1b410abb42fca9c7d6087dcc4927c338a112ec3f8714ab85a3ad3f94e78
Opcode Fuzzy Hash: 8b03e6d6bbef8a8c8cc499c4884d93a7139713d8b2225927c318e4656af1cb6b
Instruction Fuzzy Hash: 27F03775F002289F8F90EBB958146DF7AF9DF88260F140575D519E3754EE389D018BD2

Uniqueness

Uniqueness Score: -1.00%

Function 06374DD9 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eadf510866f00cfb49141cdcc4ef7977c5bab575347347311664be79a0810a8
Instruction ID: a1d198ebf3ffdf03c9e30143c53eed06a2acb421ba5dc560e2b49f6d40690fcd
Opcode Fuzzy Hash: 4eadf510866f00cfb49141cdcc4ef7977c5bab575347347311664be79a0810a8
Instruction Fuzzy Hash: 3BE0E5B2E002199F8B90DABCAC092EE7BFCDB88161B400136E919E3300EA758A0587D1

Uniqueness

Uniqueness Score: -1.00%

Function 06375AB9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97106c56b43892b8a1febfd79d429debd824a0fece6139d272c7f237f7742eb7
Instruction ID: 2144998192980cbac80f479c47ddd4a5aaeabf7bb42df8d38cd2a31859dc5572
Opcode Fuzzy Hash: 97106c56b43892b8a1febfd79d429debd824a0fece6139d272c7f237f7742eb7
Instruction Fuzzy Hash: C2E0C035B141188B8B54EBB8D4498DDB7F2FBC82267004069E54AE3754DE349D058B91

Uniqueness

Uniqueness Score: -1.00%

Function 06379EE7 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a277afc5438b5853ca35646be408de0097e6104dcfac0c9f4f0c9e1e9c53c16
Instruction ID: 9effe928bb32e05ab4f326b99433015acc990d1761ce3840730fe9c0ea84cfee
Opcode Fuzzy Hash: 4a277afc5438b5853ca35646be408de0097e6104dcfac0c9f4f0c9e1e9c53c16
Instruction Fuzzy Hash: E6E0ED35F005189B8F94EBB8D8958DD73F2AFCD116B004066E519E7354EE289D0287E1

Uniqueness

Uniqueness Score: -1.00%

Function 06376EEF Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c592ea02fedf46bd46da96986a2b212e2df841123f653464b3f866f395290f
Instruction ID: 541cd560f97092913816173064470d991820f56322eeb9701a87643941e7cdd3
Opcode Fuzzy Hash: a2c592ea02fedf46bd46da96986a2b212e2df841123f653464b3f866f395290f
Instruction Fuzzy Hash: 1FE0E535F005144B8F94F7B8D8558DD73F1BFC91167004066D555E7354DE285D0187E1

Uniqueness

Uniqueness Score: -1.00%

Function 0637A727 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043867d46510062910e8f52f89e070c5b3775b388a059caa62edaddc6e18557d
Instruction ID: b33fdac48b58521f053681040189032869a085e5992488318c44ca9395f78513
Opcode Fuzzy Hash: 043867d46510062910e8f52f89e070c5b3775b388a059caa62edaddc6e18557d
Instruction Fuzzy Hash: EBE0E536F001144B9F94E7B8D4558DD73F1AFC81167004066D515E7354EE285D0187E1

Uniqueness

Uniqueness Score: -1.00%

Function 06379BCF Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088f2a9ce30f1369e52de033414c07bc8a4192bce22d0f52bf860c63aef5a2d7
Instruction ID: 32c88951ac98a3df2aac7ff2c749ba066718e124196d688167faf63c5ebf5499
Opcode Fuzzy Hash: 088f2a9ce30f1369e52de033414c07bc8a4192bce22d0f52bf860c63aef5a2d7
Instruction Fuzzy Hash: 8AE0ED36F001188B8F94FBB8D8958DD73F1BFC81267044466D559E7364EE289D0187E1

Uniqueness

Uniqueness Score: -1.00%

Function 0637A007 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f9492f7665839d744eb7746c7b4d8c7013541fc356657002952f4e902a4d37
Instruction ID: 9827e36c9d13daa3a5b6caee17af844a92f5a24992db19463c8e77598afa1b13
Opcode Fuzzy Hash: 36f9492f7665839d744eb7746c7b4d8c7013541fc356657002952f4e902a4d37
Instruction Fuzzy Hash: F7E0ED35F001189B8F94EBB8D8958DD73F2AFC82167004066D519E7354EE289D0287E1

Uniqueness

Uniqueness Score: -1.00%

Function 063775E7 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8846723d253790cdff1f1aedc59879f2fbd327600a9db24250e10d836442cd6
Instruction ID: 5edf362898686a8b13348885bdf831519cf0851abb08b43741239523cc1d61ec
Opcode Fuzzy Hash: f8846723d253790cdff1f1aedc59879f2fbd327600a9db24250e10d836442cd6
Instruction Fuzzy Hash: 0AE0ED35F001188B8FD4EBB8D8958DD73F2AFC91267004066E519E7354EE289D0287E1

Uniqueness

Uniqueness Score: -1.00%

Function 06374DE8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96cd1016b656a0bcff242d8f42f46b26310d6e72ca65cf4b1c66df36bb9606f
Instruction ID: 620ed2533548edb06e26a98b13a12ecaac63a2923608ea71a1e36e1f3b555212
Opcode Fuzzy Hash: c96cd1016b656a0bcff242d8f42f46b26310d6e72ca65cf4b1c66df36bb9606f
Instruction Fuzzy Hash: 19E01271E041199F4B50DBBDA8055AE7FF8EA8C261B104576E509E3204EA758A058BE1

Uniqueness

Uniqueness Score: -1.00%

Function 06376DCF Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c5b27a0ff90edcfda2d75247412c6b77fb0f58088c7b47a64b0a323661f0a3
Instruction ID: c087a9eefbf95dc9fd71a660efc6f79960af651a049a89cb1ec0cebd4486cc4e
Opcode Fuzzy Hash: 71c5b27a0ff90edcfda2d75247412c6b77fb0f58088c7b47a64b0a323661f0a3
Instruction Fuzzy Hash: B2E06D35F005188F8F90EBB8E8958DDB3F2AFC81167008066D50AE7354EE389C018BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0637A470 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8feffca62cd2157d7cfec3e1244c966800fcf398f69545aa0e4d308ba71394d
Instruction ID: e8cc9f6587deb83321531391ea4b63d787a618e8c049021bb99222f85834d81c
Opcode Fuzzy Hash: f8feffca62cd2157d7cfec3e1244c966800fcf398f69545aa0e4d308ba71394d
Instruction Fuzzy Hash: 85E0C27295C3484FDB216660F88932A3B96C782209F15083DD046C5351E91FC8449382

Uniqueness

Uniqueness Score: -1.00%

Function 0637A480 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.682079733.0000000006370000.00000040.00000800.00020000.00000000.sdmp, Offset: 06370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6370000_offer_doc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9e5bd43d2f487278a189e65a3741256f6c5fc2b22e58714d626964e4710198
Instruction ID: b4b3ed92d4ad507480599fa7299b41afde7f82b1c65e9f6477f5c3aa66785aa7
Opcode Fuzzy Hash: 8f9e5bd43d2f487278a189e65a3741256f6c5fc2b22e58714d626964e4710198
Instruction Fuzzy Hash: BAD01231A282148BDB756A74F44D36D339AD746315F600C39E40ACA340EE2BD894E7C1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report offer_doc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\offer_doc.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Windows Analysis Report
offer_doc.exe

Function 00BFC1D9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 123
threadCOMMON

Function 00BFC1E8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
threadCOMMON

Function 066AB210 Relevance: 1.7, APIs: 1, Instructions: 185
libraryCOMMON

Function 066F4190 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 347
COMMON

Function 066F64CD Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Function 066A6A08 Relevance: 1.6, APIs: 1, Instructions: 117
registryCOMMON

Function 066A6752 Relevance: 1.6, APIs: 1, Instructions: 116
registryCOMMON

Function 066F64D8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 066F3C24 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 0140C8E4 Relevance: 1.6, APIs: 1, Instructions: 89
libraryCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre