
Windows Analysis Report
YY3k9rjxpY.exe

Overview

General Information

Sample name: YY3k9rjxpY.exe (renamed because the original name is a hash value)
Original sample name: e2aad65f21f0274456ebdc45549a3a93f531a769e3b6e69e6d66ab3c2388e2a4.exe
Analysis ID: 1588889
MD5: 3241d74f43e1bcd2fd46948b6d610cf1
SHA1: 89e3326150b58ad23091a159fe8292bcf7c629a5
SHA256: e2aad65f21f0274456ebdc45549a3a93f531a769e3b6e69e6d66ab3c2388e2a4
Tags: AgentTesla, exe, user-adrian__luca

Detection

AgentTesla
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • YY3k9rjxpY.exe (PID: 5560 cmdline: "C:\Users\user\Desktop\YY3k9rjxpY.exe" MD5: 3241D74F43E1BCD2FD46948B6D610CF1)
    • RegAsm.exe (PID: 2136 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "FTP", "Host": "ftp://ftp.stingatoareincendii.ro", "Username": "mojooooofileeeee@stingatoareincendii.ro", "Password": "3.*RYhlG)lkA"}
Source | Rule | Description | Author | Strings

00000000.00000003.2119489603.000000000065F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2119489603.000000000065F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000003.2159557727.000000000067F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2159557727.000000000067F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000003.2159771368.0000000003E11000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
[truncated: 12 entries in the full report]

Source | Rule | Description | Author | Strings

2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.RegAsm.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegAsm.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x315d3:$s2: GetPrivateProfileString
  • 0x30ca1:$s3: get_OSFullName
  • 0x322d3:$s5: remove_Key
  • 0x324aa:$s5: remove_Key
  • 0x333db:$s6: FtpWebRequest
  • 0x34423:$s7: logins
  • 0x34995:$s7: logins
  • 0x376a6:$s7: logins
  • 0x37758:$s7: logins
  • 0x390ad:$s7: logins
  • 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
[truncated: 32 entries in the full report]
                  No Sigma rule has matched
                  No Suricata rule has matched
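The INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID match above keys on eight Windows Vault schema GUIDs that appear as string literals in the unpacked RegAsm.exe payload. The script below is an added example, not part of the Joe Sandbox report or of the ditekSHen rule set, that reproduces the check in Python: it searches a file for those GUIDs both as ASCII and as UTF-16LE (the encoding .NET string literals use in the #US heap, which matters because this payload is .NET), reports every offset, and flags the file once at least `min_distinct` different GUIDs are present. The threshold, the MZ-header requirement and the `build_sample()` blob are this example's assumptions; the GUIDs themselves are the ones listed in the report.

```python
"""Added example: stand-in for INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID.

Scans a binary for the Windows Vault schema GUID literals that credential
stealers reference when they enumerate the Credential Manager.
"""

# The eight GUID string literals from the rule match ($s1..$s8 in the report).
VAULT_SCHEMA_GUIDS = (
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
)

# ASCII covers native code; UTF-16LE covers .NET string literals (#US heap).
ENCODINGS = ("ascii", "utf-16-le")


def find_all(data: bytes, needle: bytes):
    """Yield every offset at which needle occurs in data."""
    pos = data.find(needle)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)


def scan_vault_guids(data: bytes, min_distinct: int = 3) -> dict:
    """Return {guid: [(offset, encoding), ...]} plus a verdict.

    min_distinct (assumption of this example) is how many *different* schema
    GUIDs must be present before the file is flagged; legitimate credential
    tooling references these GUIDs too, so keep it above 1.
    """
    hits = {}
    for guid in VAULT_SCHEMA_GUIDS:
        for variant in (guid, guid.lower()):        # case-insensitive, like yara 'nocase'
            for enc in ENCODINGS:
                needle = variant.encode(enc)
                for off in find_all(data, needle):
                    hits.setdefault(guid, []).append((off, enc))
    is_pe = data[:2] == b"MZ"                       # rule applies to PE files only
    return {"is_pe": is_pe, "hits": hits, "matched": is_pe and len(hits) >= min_distinct}


def build_sample() -> bytes:
    """Constructed test input (not a real binary): an MZ stub followed by three
    of the GUIDs, two as UTF-16LE literals and one lower-cased ASCII literal,
    placed at offsets 64, 152 and 224."""
    blob = b"MZ" + b"\x00" * 62                              # 64 bytes of stub
    blob += VAULT_SCHEMA_GUIDS[0].encode("utf-16-le")        # 72 bytes at 64
    blob += b"\x90" * 16                                     # filler -> 152
    blob += VAULT_SCHEMA_GUIDS[1].encode("utf-16-le")        # 72 bytes at 152
    blob += VAULT_SCHEMA_GUIDS[2].lower().encode("ascii")    # 36 bytes at 224
    blob += b"\x00" * 8
    return blob


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    result = scan_vault_guids(data)
    for guid, offsets in sorted(result["hits"].items()):
        for off, enc in offsets:
            print(f"0x{off:06x}  {enc:9}  {guid}")
    print("verdict:", "MATCH" if result["matched"] else "no match")
```

Run it against the unpacked payload (`python vault_guids.py RegAsm.exe.400000.0.unpack`) and compare the printed offsets with the `$s1..$s8` offsets in the report; run it with no argument to scan the constructed blob.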


                  AV Detection

Source: YY3k9rjxpY.exe | Avira: detected
Source: 0.3.YY3k9rjxpY.exe.67fae8.2.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.stingatoareincendii.ro", "Username": "mojooooofileeeee@stingatoareincendii.ro", "Password": "3.*RYhlG)lkA"}
Source: YY3k9rjxpY.exe | Virustotal: Detection: 70%
Source: YY3k9rjxpY.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: YY3k9rjxpY.exe | Joe Sandbox ML: detected
Source: YY3k9rjxpY.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

                  Networking

Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67faec.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67fae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67fae8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YY3k9rjxpY.exe.29f0000.0.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: YY3k9rjxpY.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: YY3k9rjxpY.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
Source: YY3k9rjxpY.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crt0
Source: YY3k9rjxpY.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: YY3k9rjxpY.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: YY3k9rjxpY.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: YY3k9rjxpY.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: YY3k9rjxpY.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crl0S
Source: YY3k9rjxpY.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: YY3k9rjxpY.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: YY3k9rjxpY.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA2562021CA1.crl0
Source: RegAsm.exe, 00000002.00000002.4529927885.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4529927885.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4529927885.0000000002D18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: YY3k9rjxpY.exe, 00000000.00000003.2159557727.000000000067F000.00000004.00000020.00020000.00000000.sdmp, YY3k9rjxpY.exe, 00000000.00000003.2119489603.000000000065F000.00000004.00000020.00020000.00000000.sdmp, YY3k9rjxpY.exe, 00000000.00000003.2159771368.0000000003E11000.00000004.00000020.00020000.00000000.sdmp, YY3k9rjxpY.exe, 00000000.00000003.2159849031.000000000067F000.00000004.00000020.00020000.00000000.sdmp, YY3k9rjxpY.exe, 00000000.00000002.2161509689.00000000029F2000.00000040.10000000.00040000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4529927885.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4529927885.0000000002D18000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4527761643.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: YY3k9rjxpY.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: YY3k9rjxpY.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: YY3k9rjxpY.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: YY3k9rjxpY.exe | String found in binary or memory: http://ocsp.digicert.com0I
Source: YY3k9rjxpY.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000002.00000002.4529927885.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4529927885.0000000002D18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: YY3k9rjxpY.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: YY3k9rjxpY.exe, 00000000.00000003.2159557727.000000000067F000.00000004.00000020.00020000.00000000.sdmp, YY3k9rjxpY.exe, 00000000.00000003.2119489603.000000000065F000.00000004.00000020.00020000.00000000.sdmp, YY3k9rjxpY.exe, 00000000.00000003.2159771368.0000000003E11000.00000004.00000020.00020000.00000000.sdmp, YY3k9rjxpY.exe, 00000000.00000003.2159849031.000000000067F000.00000004.00000020.00020000.00000000.sdmp, YY3k9rjxpY.exe, 00000000.00000002.2161509689.00000000029F2000.00000040.10000000.00040000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4527761643.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
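The only outbound request the sandbox captured is `GET /line/?fields=hosting` to ip-api.com, sent without a User-Agent header: the injected payload asks an external service whether its own public IP belongs to a hosting provider, which is the "Check if machine is in data center or colocation facility" signature above. The script below is an added example, not part of the report, that triages web-proxy log lines for exactly that pattern: an external-IP lookup service queried for datacenter/proxy fields, and any HTTP request with an empty User-Agent. The log format, the sample lines, the lookup hosts beyond ip-api.com and the scoring thresholds are constructed assumptions of this example.

```python
"""Added example: triage proxy log lines for the ip-api.com hosting check.

Detection logic for the sandbox/datacenter self-check seen in this report
(GET /line/?fields=hosting to ip-api.com with no User-Agent header).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts that answer "is this IP a hosting/datacenter/proxy address?".
# ip-api.com is the one observed here; the others are an assumption for coverage.
IP_LOOKUP_HOSTS = {"ip-api.com", "ipinfo.io", "ipapi.co"}

# ip-api.com fields that reveal sandbox-relevant facts. "hosting" is what this
# sample requests; "proxy" and "mobile" are sibling fields of the same API.
EVASION_FIELDS = {"hosting", "proxy", "mobile"}

# Constructed log format, one request per line:
#   <iso-time> <client-ip> <method> <host> <path-with-query> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; the second mirrors the request captured in the report.
SAMPLE_LOG = [
    '2025-01-13T10:02:11Z 10.0.0.5 GET www.example.com / "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2025-01-13T10:02:14Z 10.0.0.5 GET ip-api.com /line/?fields=hosting "-"',
    '2025-01-13T10:05:40Z 10.0.0.7 GET ip-api.com /json/?fields=country "Mozilla/5.0 (Windows NT 10.0)"',
    "garbage line that does not parse",
]


def parse_line(line: str):
    """Return the request fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def assess(rec: dict) -> dict:
    """Score one request: {'score': int, 'reasons': [...]}; score 0 means clean."""
    score, reasons = 0, []
    host = rec["host"].lower()
    if host in IP_LOOKUP_HOSTS:
        query = parse_qs(urlsplit(rec["path"]).query)
        fields = {f.strip().lower() for v in query.get("fields", []) for f in v.split(",")}
        evasive = sorted(fields & EVASION_FIELDS)
        if evasive:                       # asking whether own IP is a datacenter/proxy
            score += 3
            reasons.append(f"asks {host} whether its own IP is {'/'.join(evasive)} (sandbox check)")
        else:                             # plain geolocation, weaker signal on its own
            score += 1
            reasons.append(f"external IP lookup via {host}")
    if rec["method"] in ("GET", "POST") and rec["ua"].strip() in ("", "-"):
        score += 1                        # "HTTP GET or POST without a user agent"
        reasons.append("HTTP request without a User-Agent header")
    return {"score": score, "reasons": reasons}


def severity(score: int) -> str:
    return "high" if score >= 3 else "medium" if score == 2 else "low"


def triage(lines) -> list:
    """Run assess() over raw log lines; unparsable lines are skipped."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = assess(rec)
        if verdict["score"]:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "host": rec["host"],
                           "severity": severity(verdict["score"]), "reasons": verdict["reasons"]})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["severity"].upper(), a["ts"], a["src"], a["host"], "; ".join(a["reasons"]))
```

Two caveats when deploying this: the lookup is plain HTTP, so the URL is visible to a proxy or IDS without TLS inspection, but a variant that switches to HTTPS leaves only the host name and SNI, so keep the host match even when the query string is unavailable; and many legitimate updaters also send requests without a User-Agent, so treat that signal as a score contribution rather than an alert by itself, as the scoring here does.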

                  System Summary

Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.YY3k9rjxpY.exe.67faec.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.YY3k9rjxpY.exe.67faec.0.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.YY3k9rjxpY.exe.67fae8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.YY3k9rjxpY.exe.67fae8.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.YY3k9rjxpY.exe.67faec.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.YY3k9rjxpY.exe.67faec.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.YY3k9rjxpY.exe.67fae8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.YY3k9rjxpY.exe.67fae8.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.YY3k9rjxpY.exe.67fae8.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.YY3k9rjxpY.exe.67fae8.2.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.YY3k9rjxpY.exe.67fae8.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.YY3k9rjxpY.exe.67fae8.1.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.YY3k9rjxpY.exe.29f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.YY3k9rjxpY.exe.29f0000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_20952AD8 NtQueryInformationProcess,0_2_20952AD8
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_2095290B NtAllocateVirtualMemory,NtProtectVirtualMemory,ChrCmpIA,NtProtectVirtualMemory,0_2_2095290B
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_02192BF8 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,0_2_02192BF8
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_02192B3E NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,0_2_02192B3E
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_02192B6E NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,0_2_02192B6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0044600F NtProtectVirtualMemory,2_2_0044600F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0044601E NtAllocateVirtualMemory,2_2_0044601E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004430BA NtDelayExecution,2_2_004430BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00443567 NtCreateThreadEx,NtClose,2_2_00443567
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00445F41 NtProtectVirtualMemory,2_2_00445F41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004457B0 NtAllocateVirtualMemory,2_2_004457B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0044314D NtDelayExecution,2_2_0044314D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0044390A NtCreateThreadEx,NtClose,2_2_0044390A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00443A12 NtClose,2_2_00443A12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02C1A620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02C14A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02C1D978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02C19E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02C13E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02C141B0
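The three `0_2_02192B..` traces in the VB6 loader are the process-hollowing chain behind the "Creates a process in suspended mode", "Writes to foreign memory regions" and "Maps a DLL or memory area into another process" signatures: create a section and map it locally, spawn RegAsm.exe with CreateProcessW, read the new thread's context, write into the child, unmap its original image, map the prepared section in its place, point the thread at the payload with NtSetContextThread, and NtResumeThread. The script below is an added example, not part of the report, that parses Joe Sandbox "Code function" trace lines and performs an ordered-subsequence match of that chain, so the injecting function can be picked out of a long report (or out of an EDR API trace in the same shape). The stage alternatives such as WriteProcessMemory and SetThreadContext, and the benign `9_9_00401000` trace, are this example's assumptions.

```python
"""Added example: find process-hollowing API chains in Joe Sandbox code-function traces.

The match is an ordered subsequence: each stage must occur after the previous
one, and each stage accepts several interchangeable APIs.
"""
import re

# Stages in required order; each accepts the APIs listed (Nt* from this report,
# the Win32 wrappers as an assumption so EDR traces match too).
HOLLOWING_STAGES = (
    ("spawn",   {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW", "NtCreateUserProcess"}),
    ("implant", {"NtWriteVirtualMemory", "WriteProcessMemory", "NtMapViewOfSection"}),
    ("hijack",  {"NtSetContextThread", "SetThreadContext"}),
    ("resume",  {"NtResumeThread", "ResumeThread"}),
)

# Report format: "<fn-id> <Api1,Api2,...,><fn-id>", the function id repeated at the end.
TRACE_RE = re.compile(r"^(?P<fn>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<calls>.*?),?(?P=fn)$")

# Sample traces: the first two are copied from this report, the third is a
# constructed benign process launch that must not match.
SAMPLE_TRACES = [
    "0_2_02192BF8 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,"
    "NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,"
    "NtSetContextThread,NtResumeThread,0_2_02192BF8",
    "0_2_20952AD8 NtQueryInformationProcess,0_2_20952AD8",
    "9_9_00401000 CreateProcessW,WaitForSingleObject,CloseHandle,9_9_00401000",
]


def parse_trace(line: str):
    """Split a 'Code function' trace into (function_id, [api, ...]); None if malformed."""
    m = TRACE_RE.match(line.strip())
    if not m:
        return None
    calls = [c for c in m.group("calls").split(",") if c]
    return m.group("fn"), calls


def match_hollowing(calls) -> dict:
    """Ordered-subsequence match of HOLLOWING_STAGES against a call list.

    Returns {'matched': bool, 'stages': {stage: (index, api)}, 'unmaps_target': bool}.
    'unmaps_target' records whether NtUnmapViewOfSection follows the spawn, i.e.
    the child's own image is evicted before the payload is placed.
    """
    stages, pos = {}, 0
    for name, apis in HOLLOWING_STAGES:
        idx = next((i for i in range(pos, len(calls)) if calls[i] in apis), None)
        if idx is None:
            return {"matched": False, "stages": stages, "unmaps_target": False}
        stages[name] = (idx, calls[idx])
        pos = idx + 1
    spawn_idx = stages["spawn"][0]
    return {"matched": True, "stages": stages,
            "unmaps_target": "NtUnmapViewOfSection" in calls[spawn_idx:]}


def scan_traces(lines) -> list:
    """Return one finding per trace line whose call list matches the chain."""
    findings = []
    for line in lines:
        parsed = parse_trace(line)
        if parsed is None:
            continue
        fn, calls = parsed
        result = match_hollowing(calls)
        if result["matched"]:
            findings.append({"function": fn, **result})
    return findings


if __name__ == "__main__":
    for f in scan_traces(SAMPLE_TRACES):
        chain = " -> ".join(f"{api}@{i}" for i, api in f["stages"].values())
        print(f"{f['function']}: hollowing chain {chain}; unmaps target: {f['unmaps_target']}")
```

Feed it the "Code function" lines of any report (strip the leading `Source: ... | Code function: ` prefix first); the same matcher works on per-process API logs once the calls are ordered by time and grouped by calling function or thread.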
                  Source: YY3k9rjxpY.exeStatic PE information: invalid certificate
                  Source: YY3k9rjxpY.exe, 00000000.00000003.2159557727.000000000067F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamee8300309-2878-4eb6-9fa4-d88c99cb9494.exe4 vs YY3k9rjxpY.exe
                  Source: YY3k9rjxpY.exe, 00000000.00000003.2119489603.000000000065F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamee8300309-2878-4eb6-9fa4-d88c99cb9494.exe4 vs YY3k9rjxpY.exe
                  Source: YY3k9rjxpY.exe, 00000000.00000000.2059442794.0000000020BBD000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameacvm7qw909e.exe vs YY3k9rjxpY.exe
                  Source: YY3k9rjxpY.exe, 00000000.00000003.2159771368.0000000003E11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamee8300309-2878-4eb6-9fa4-d88c99cb9494.exe4 vs YY3k9rjxpY.exe
                  Source: YY3k9rjxpY.exe, 00000000.00000003.2159849031.000000000067F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamee8300309-2878-4eb6-9fa4-d88c99cb9494.exe4 vs YY3k9rjxpY.exe
                  Source: YY3k9rjxpY.exe, 00000000.00000002.2161509689.0000000002A2E000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamee8300309-2878-4eb6-9fa4-d88c99cb9494.exe4 vs YY3k9rjxpY.exe
                  Source: YY3k9rjxpY.exeBinary or memory string: OriginalFilenameacvm7qw909e.exe8_ vs YY3k9rjxpY.exe
                  Source: YY3k9rjxpY.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.3.YY3k9rjxpY.exe.67faec.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.3.YY3k9rjxpY.exe.67faec.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.3.YY3k9rjxpY.exe.67fae8.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.3.YY3k9rjxpY.exe.67fae8.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.3.YY3k9rjxpY.exe.67faec.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.3.YY3k9rjxpY.exe.67faec.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.3.YY3k9rjxpY.exe.67fae8.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.3.YY3k9rjxpY.exe.67fae8.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.3.YY3k9rjxpY.exe.67fae8.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.3.YY3k9rjxpY.exe.67fae8.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.3.YY3k9rjxpY.exe.67fae8.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.3.YY3k9rjxpY.exe.67fae8.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.YY3k9rjxpY.exe.29f0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.YY3k9rjxpY.exe.29f0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: NULL
                  Source: YY3k9rjxpY.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: RegAsm.exe, 00000002.00000002.4529927885.0000000002D62000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4529927885.0000000002D50000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: YY3k9rjxpY.exeVirustotal: Detection: 70%
                  Source: YY3k9rjxpY.exeReversingLabs: Detection: 65%
                  Source: unknownProcess created: C:\Users\user\Desktop\YY3k9rjxpY.exe "C:\Users\user\Desktop\YY3k9rjxpY.exe"
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeSection loaded: msvbvm60.dllJump to behavior
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeSection loaded: vb6zz.dllJump to behavior
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeSection loaded: vb6de.dllJump to behavior
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeSection loaded: vb6de.dllJump to behavior
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\YY3k9rjxpY.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: YY3k9rjxpY.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: YY3k9rjxpY.exe | Static file information: File size 2563896 > 1048576
Source: YY3k9rjxpY.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x267000
Source: YY3k9rjxpY.exe | Static PE information: real checksum: 0x275573 should be: 0x281938
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_0062C17D pushad ; ret 0_2_0062C365
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_0062B6ED pushad ; ret 0_2_0062B721
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_02191A0C push esi; iretd 0_2_02191A0D
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_02195ABA push es; ret 0_2_02195ABB
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_02195B0C push FFFFFFDBh; ret 0_2_02195B0E
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_02190CB2 push ss; ret 0_2_02190D2D
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_02195D08 push ecx; ret 0_2_02195D15
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_02190D0A push ss; ret 0_2_02190D2D
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_0219599E pushfd ; retf 0_2_021959A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004448FB push FFFFFFDBh; ret 2_2_004448FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004448A9 push es; ret 2_2_004448AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00445641 push eax; iretd 2_2_00445642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00445622 pushad ; ret 2_2_0044563D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00444AF7 push ecx; ret 2_2_00444B04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0044478D pushfd ; retf 2_2_00444794
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: YY3k9rjxpY.exe, 00000000.00000003.2159557727.000000000067F000.00000004.00000020.00020000.00000000.sdmp, YY3k9rjxpY.exe, 00000000.00000003.2119489603.000000000065F000.00000004.00000020.00020000.00000000.sdmp, YY3k9rjxpY.exe, 00000000.00000003.2159771368.0000000003E11000.00000004.00000020.00020000.00000000.sdmp, YY3k9rjxpY.exe, 00000000.00000003.2159849031.000000000067F000.00000004.00000020.00020000.00000000.sdmp, YY3k9rjxpY.exe, 00000000.00000002.2161509689.00000000029F2000.00000040.10000000.00040000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4529927885.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4529927885.0000000002C85000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4527761643.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2A20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2C50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2B70000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 2387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 7606
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | API coverage: 3.5 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6004 | Thread sleep count: 2387 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6004 | Thread sleep time: -2387000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6004 | Thread sleep count: 7606 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6004 | Thread sleep time: -7606000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Last function: Thread delayed
Source: RegAsm.exe, 00000002.00000002.4529927885.0000000002C85000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
Source: RegAsm.exe, 00000002.00000002.4527761643.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: vmware
Source: RegAsm.exe, 00000002.00000002.4527761643.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegAsm.exe, 00000002.00000002.4531677612.0000000006001000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation

                  Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_02C17068 CheckRemoteDebuggerPresent, 2_2_02C17068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_20952EC1 mov eax, dword ptr fs:[00000030h] 0_2_20952EC1
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_20952BD8 mov eax, dword ptr fs:[00000030h] 0_2_20952BD8
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_20952BC3 mov eax, dword ptr fs:[00000030h] 0_2_20952BC3
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_20952BEC mov eax, dword ptr fs:[00000030h] 0_2_20952BEC
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_20952B66 mov eax, dword ptr fs:[00000030h] 0_2_20952B66
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_02192BF8 mov eax, dword ptr fs:[00000030h] 0_2_02192BF8
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_02196A86 mov eax, dword ptr fs:[00000030h] 0_2_02196A86
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_02196AA2 mov eax, dword ptr fs:[00000030h] 0_2_02196AA2
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_02196BBE mov eax, dword ptr fs:[00000030h] 0_2_02196BBE
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_021973D2 mov ecx, dword ptr fs:[00000030h] 0_2_021973D2
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_02196BFA mov eax, dword ptr fs:[00000030h] 0_2_02196BFA
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_02196881 mov eax, dword ptr fs:[00000030h] 0_2_02196881
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Code function: 0_2_021931C9 mov eax, dword ptr fs:[00000030h] 0_2_021931C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004457B0 mov ecx, dword ptr fs:[00000030h] 2_2_004457B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00445C48 mov eax, dword ptr fs:[00000030h] 2_2_00445C48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00445875 mov eax, dword ptr fs:[00000030h] 2_2_00445875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00445891 mov eax, dword ptr fs:[00000030h] 2_2_00445891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00445D28 mov eax, dword ptr fs:[00000030h] 2_2_00445D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004461C1 mov ecx, dword ptr fs:[00000030h] 2_2_004461C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004459E9 mov eax, dword ptr fs:[00000030h] 2_2_004459E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004459AD mov eax, dword ptr fs:[00000030h] 2_2_004459AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00445670 mov eax, dword ptr fs:[00000030h] 2_2_00445670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00445622 mov eax, dword ptr fs:[00000030h] 2_2_00445622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00445A92 mov ecx, dword ptr fs:[00000030h] 2_2_00445A92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0044574F mov eax, dword ptr fs:[00000030h] 2_2_0044574F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00445B30 mov eax, dword ptr fs:[00000030h] 2_2_00445B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004457D4 mov eax, dword ptr fs:[00000030h] 2_2_004457D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 846008
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\YY3k9rjxpY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67faec.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67fae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67faec.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67fae8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67fae8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67fae8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YY3k9rjxpY.exe.29f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2119489603.000000000065F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2159557727.000000000067F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2159771368.0000000003E11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2161509689.00000000029F2000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2159849031.000000000067F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4527761643.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: YY3k9rjxpY.exe PID: 5560, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2136, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67faec.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67fae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67faec.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67fae8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67fae8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67fae8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YY3k9rjxpY.exe.29f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2119489603.000000000065F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2159557727.000000000067F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2159771368.0000000003E11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2161509689.00000000029F2000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2159849031.000000000067F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4529927885.0000000002C85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4527761643.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: YY3k9rjxpY.exe PID: 5560, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2136, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67faec.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67fae8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67faec.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67fae8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67fae8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.YY3k9rjxpY.exe.67fae8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YY3k9rjxpY.exe.29f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2119489603.000000000065F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2159557727.000000000067F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2159771368.0000000003E11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2161509689.00000000029F2000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2159849031.000000000067F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4527761643.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: YY3k9rjxpY.exe PID: 5560, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 2136, type: MEMORYSTR
MITRE ATT&CK Matrix, by tactic (numbers preceding a technique name are the report's badges for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 231 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 211 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 25 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 211 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Compile After Delivery
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 531 Security Software Discovery; 25 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 34 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Email Collection; 1 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 2 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

Source | Detection | Scanner | Label
YY3k9rjxpY.exe | 70% | Virustotal |
YY3k9rjxpY.exe | 66% | ReversingLabs | Win32.Trojan.MintZard
YY3k9rjxpY.exe | 100% | Avira | HEUR/AGEN.1364085
YY3k9rjxpY.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://account.dyn.com/ | YY3k9rjxpY.exe, 00000000.00000003.2159557727.000000000067F000.00000004.00000020.00020000.00000000.sdmp, YY3k9rjxpY.exe, 00000000.00000003.2119489603.000000000065F000.00000004.00000020.00020000.00000000.sdmp, YY3k9rjxpY.exe, 00000000.00000003.2159771368.0000000003E11000.00000004.00000020.00020000.00000000.sdmp, YY3k9rjxpY.exe, 00000000.00000003.2159849031.000000000067F000.00000004.00000020.00020000.00000000.sdmp, YY3k9rjxpY.exe, 00000000.00000002.2161509689.00000000029F2000.00000040.10000000.00040000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4527761643.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000002.00000002.4529927885.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4529927885.0000000002D18000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.com | RegAsm.exe, 00000002.00000002.4529927885.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4529927885.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4529927885.0000000002D18000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-AS US | false
                            Joe Sandbox version:42.0.0 Malachite
                            Analysis ID:1588889
                            Start date and time:2025-01-11 06:44:47 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 7m 21s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:5
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:YY3k9rjxpY.exe
                            renamed because original name is a hash value
                            Original Sample Name:e2aad65f21f0274456ebdc45549a3a93f531a769e3b6e69e6d66ab3c2388e2a4.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@3/1@1/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 71%
                            • Number of executed functions: 15
                            • Number of non-executed functions: 16
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Override analysis time to 240000 for current running targets taking high CPU consumption
                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                            • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56, 20.109.210.53
                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
00:46:22 | API Interceptor | 1683076x Sleep call for process: RegAsm.exe modified
Match: 208.95.112.1
Associated Sample Name | Detection | Threat Name | Context
4LbgdNQgna.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
toIuQILmr1.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
LfZAz7DQzo.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
Q5QrxfKnFA.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
RHOqJ5BrHW.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
J8V6dFanEo.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
3FjrbCZgDN.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
ewYjhndHg2.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
uEuTtkxAqq.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
0I9GLRSiy0.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
Match: ip-api.com
Associated Sample Name | Detection | Threat Name | Context
4LbgdNQgna.exe | malicious | AgentTesla | 208.95.112.1
toIuQILmr1.exe | malicious | AgentTesla | 208.95.112.1
LfZAz7DQzo.exe | malicious | AgentTesla | 208.95.112.1
Q5QrxfKnFA.exe | malicious | AgentTesla | 208.95.112.1
RHOqJ5BrHW.exe | malicious | AgentTesla | 208.95.112.1
J8V6dFanEo.exe | malicious | AgentTesla | 208.95.112.1
3FjrbCZgDN.exe | malicious | AgentTesla | 208.95.112.1
ewYjhndHg2.exe | malicious | AgentTesla | 208.95.112.1
uEuTtkxAqq.exe | malicious | AgentTesla | 208.95.112.1
0I9GLRSiy0.exe | malicious | AgentTesla | 208.95.112.1
Match: TUT-AS US
Associated Sample Name | Detection | Threat Name | Context
4LbgdNQgna.exe | malicious | AgentTesla | 208.95.112.1
toIuQILmr1.exe | malicious | AgentTesla | 208.95.112.1
LfZAz7DQzo.exe | malicious | AgentTesla | 208.95.112.1
Q5QrxfKnFA.exe | malicious | AgentTesla | 208.95.112.1
RHOqJ5BrHW.exe | malicious | AgentTesla | 208.95.112.1
J8V6dFanEo.exe | malicious | AgentTesla | 208.95.112.1
3FjrbCZgDN.exe | malicious | AgentTesla | 208.95.112.1
ewYjhndHg2.exe | malicious | AgentTesla | 208.95.112.1
uEuTtkxAqq.exe | malicious | AgentTesla | 208.95.112.1
0I9GLRSiy0.exe | malicious | AgentTesla | 208.95.112.1
                            No context
                            Process:C:\Users\user\Desktop\YY3k9rjxpY.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):47
                            Entropy (8bit):1.168829563685559
                            Encrypted:false
                            SSDEEP:3:/lSll2DQi:AoMi
                            MD5:DAB633BEBCCE13575989DCFA4E2203D6
                            SHA1:33186D50F04C5B5196C1FCC1FAD17894B35AC6C7
                            SHA-256:1C00FBA1B82CD386E866547F33E1526B03F59E577449792D99C882DEF05A1D17
                            SHA-512:EDDBB22D9FC6065B8F5376EC95E316E7569530EFAA9EA9BC641881D763B91084DCCC05BC793E8E29131D20946392A31BD943E8FC632D91EE13ABA7B0CD1C626F
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview:........................................user.
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.299336559807513
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.94%
                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • VXD Driver (31/22) 0.00%
                            File name:YY3k9rjxpY.exe
                            File size:2'563'896 bytes
                            MD5:3241d74f43e1bcd2fd46948b6d610cf1
                            SHA1:89e3326150b58ad23091a159fe8292bcf7c629a5
                            SHA256:e2aad65f21f0274456ebdc45549a3a93f531a769e3b6e69e6d66ab3c2388e2a4
                            SHA512:df886300926881264021427926cdfcf5841ae9ebc641bf9d4ed38eab2f5d6d5240375f7341ced6754585ea721c3e3888d9f67fccde5e4d2e75c23a6f6b2e489e
                            SSDEEP:49152:23ASbdYAm4zEbdYAm4zWbdYAm4z23Ag3AWbdYAm4zSbdYAm4zO3A+jjtb:kA4drWdr0drkASA0dr4dr8AU9
                            TLSH:E1C5D00322208FAFED4ADF3673BA80E443153C5A07155A42329F7720EB779BE5D2995B
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg.................p&..@......8.#.......&.... ..........................'.....sU'....................................
                            Icon Hash:a3a3939a92b3929a
                            Entrypoint:0x20b8fc38
                            Entrypoint Section:.text
                            Digitally signed:true
                            Imagebase:0x20950000
                            Subsystem:windows gui
                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                            DLL Characteristics:
                            Time Stamp:0x67631B0B [Wed Dec 18 18:57:15 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:42a4e0f64241075ea237a4cf00d0db9f
                            Signature Valid:false
                            Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1, O="DigiCert, Inc.", C=US
                            Signature Validation Error:The digital signature of the object did not verify
                            Error Number:-2146869232
                            Not Before, Not After
                            • 10/10/2024 02:00:00 14/01/2025 00:59:59
                            Subject Chain
                            • CN="Zoom Video Communications, Inc.", O="Zoom Video Communications, Inc.", L=San Jose, S=California, C=US, SERIALNUMBER=4969967, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
                            Version:3
                            Thumbprint MD5:3BFD5BD0505CB09AF226629D814E6F82
                            Thumbprint SHA-1:4575AD5E669CEC3E9700722747A1A951343455BB
                            Thumbprint SHA-256:362198181246D767449C1DF97F7383B97D379FA8B8D5F783A2FF5B7817D1302C
                            Serial:04B5EF73BFB2512BA8940122313D3820
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x266c24 | 0x3c | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26d000 | 0x2894 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x26c000 | 0x5f38 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x180 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x26634c | 0x267000 | 1fe90a8547cb5e4aef059bc73cead67c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x268000 | 0x4bac | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x26d000 | 0x2894 | 0x3000 | 1065b1ea6a7934e052b2225c321a0d5e | False | 0.1953125 | data | 4.244732178548337 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x26d0e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.21047717842323652
RT_GROUP_ICON | 0x26f690 | 0x14 | data | | | 1.15
RT_VERSION | 0x26f6a4 | 0x1f0 | MS Windows COFF PowerPC object file | German | Germany | 0.49798387096774194
DLL | Import
KERNEL32.DLL | GetProcAddress, GetModuleHandleW
MSVBVM60.DLL | __vbaVarSub, _CIcos, _adj_fptan, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaNextEachVar, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaBoolErrVar, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaRefVarAry, __vbaBoolVarNull, _CIsin, __vbaVargVarMove, __vbaVarZero, __vbaVarCmpGt, __vbaChkstk, EVENT_SINK_AddRef, __vbaVarTstEq, DllFunctionCall, __vbaVarOr, __vbaRedimPreserve, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaNew, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaStrVarVal, __vbaUbound, __vbaVarCat, _CIlog, __vbaVar2Vec, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaAryLock, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaVarCopy, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, __vbaStrVarCopy, __vbaForEachVar, _allmul, _CItan, __vbaAryUnlock, _CIexp, __vbaFreeObj, __vbaFreeStr

Language of compilation system | Country where language is spoken
German | Germany
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 06:45:50.519234896 CET | 49705 | 80 | 192.168.2.5 | 208.95.112.1
Jan 11, 2025 06:45:50.524405003 CET | 80 | 49705 | 208.95.112.1 | 192.168.2.5
Jan 11, 2025 06:45:50.524540901 CET | 49705 | 80 | 192.168.2.5 | 208.95.112.1
Jan 11, 2025 06:45:50.525810003 CET | 49705 | 80 | 192.168.2.5 | 208.95.112.1
Jan 11, 2025 06:45:50.530603886 CET | 80 | 49705 | 208.95.112.1 | 192.168.2.5
Jan 11, 2025 06:45:50.999284983 CET | 80 | 49705 | 208.95.112.1 | 192.168.2.5
Jan 11, 2025 06:45:51.052911997 CET | 49705 | 80 | 192.168.2.5 | 208.95.112.1
Jan 11, 2025 06:46:45.565512896 CET | 80 | 49705 | 208.95.112.1 | 192.168.2.5
Jan 11, 2025 06:46:45.565668106 CET | 49705 | 80 | 192.168.2.5 | 208.95.112.1
Jan 11, 2025 06:47:31.011060953 CET | 49705 | 80 | 192.168.2.5 | 208.95.112.1
Jan 11, 2025 06:47:31.173950911 CET | 80 | 49705 | 208.95.112.1 | 192.168.2.5

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 06:45:50.505875111 CET | 62633 | 53 | 192.168.2.5 | 1.1.1.1
Jan 11, 2025 06:45:50.513423920 CET | 53 | 62633 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 06:45:50.505875111 CET | 192.168.2.5 | 1.1.1.1 | 0x2019 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 06:45:50.513423920 CET | 1.1.1.1 | 192.168.2.5 | 0x2019 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                            • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 208.95.112.1 | 80 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:45:50.525810003 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jan 11, 2025 06:45:50.999284983 CET | 175 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:45:50 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


                            Target ID:0
                            Start time:00:45:39
                            Start date:11/01/2025
                            Path:C:\Users\user\Desktop\YY3k9rjxpY.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\YY3k9rjxpY.exe"
                            Imagebase:0x20950000
                            File size:2'563'896 bytes
                            MD5 hash:3241D74F43E1BCD2FD46948B6D610CF1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2119489603.000000000065F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.2119489603.000000000065F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2159557727.000000000067F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.2159557727.000000000067F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2159771368.0000000003E11000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.2159771368.0000000003E11000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2161509689.00000000029F2000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2161509689.00000000029F2000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2159849031.000000000067F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.2159849031.000000000067F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:00:45:49
                            Start date:11/01/2025
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                            Imagebase:0x760000
                            File size:65'440 bytes
                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4529927885.0000000002C85000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4527761643.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4527761643.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                            Reputation:high
                            Has exited:false
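
                              Triaging the Yara hits above by where they landed in memory is the first thing a responder does with a report like this, because a rule firing inside RWX private memory or a freshly mapped section (rather than inside the on-disk image) is what separates "packed payload in memory" from "suspicious bytes in a file". The script below is an added example and is not part of the Joe Sandbox report. The dump-name fields (<target>.<stage>.<dump id>.<base>.<field5>.<field6>.<field7>.<field8>.sdmp) are not documented on this page: the script assumes field 5 is the page protection and field 7 the region type, an inference that agrees with the "based on PE: true/false" annotations on the Memory Dump Source entries further down, and it leaves the other fields undecoded.

```python
"""Triage Joe Sandbox Yara hits by the memory region they matched in.

Added example, not part of the report. Each hit names its source dump as
  <target>.<stage>.<dump id>.<base>.<field5>.<field6>.<field7>.<field8>.sdmp
The page does not document these fields; this script ASSUMES that field 5 is
the page protection and field 7 the region type (MEM_PRIVATE / MEM_MAPPED /
MEM_IMAGE), and leaves fields 6 and 8 undecoded.
"""
import re
from collections import defaultdict

# Windows memory protection and region-type constants (winnt.h).
PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
           0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
REGION_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# One report line: "• Rule: <name>, Description: ..., Source: <dump>.sdmp, Author: ..."
HIT_RE = re.compile(r"Rule:\s*(?P<rule>[\w.]+),.*?Source:\s*(?P<src>[0-9A-Fa-f.]+\.sdmp)")

def decode_source(src: str) -> dict:
    """Split a dump name into target, base address, protection and region type."""
    fields = src[:-len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name: {src}")
    protect, rtype = int(fields[4], 16), int(fields[6], 16)   # assumed field meanings
    return {
        "target": int(fields[0], 16),
        "base": int(fields[3], 16),
        "protect": PROTECT.get(protect, hex(protect)),
        "type": REGION_TYPE.get(rtype, hex(rtype)),
        "executable": protect in EXECUTABLE,
    }

def triage(report_text: str) -> list:
    """Group rule hits per (target, base) and flag executable regions that are
    not image-backed: code in RWX private memory or in a mapped section is
    where unpacked or injected payloads usually sit."""
    rules, region = defaultdict(set), {}
    for m in HIT_RE.finditer(report_text):
        info = decode_source(m["src"])
        key = (info["target"], info["base"])
        rules[key].add(m["rule"])
        region[key] = info
    result = []
    for key in sorted(rules):
        info = region[key]
        result.append({**info,
                       "rules": sorted(rules[key]),
                       "exec_non_image": info["executable"] and info["type"] != "MEM_IMAGE"})
    return result

# Hit lines copied from the report above (targets 0 and 2).
REPORT_HITS = """
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2161509689.00000000029F2000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2161509689.00000000029F2000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4529927885.0000000002C85000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4527761643.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4527761643.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
"""

if __name__ == "__main__":
    for row in triage(REPORT_HITS):
        flag = "INJECTED/UNPACKED?" if row["exec_non_image"] else ""
        print(f"target {row['target']} base {row['base']:08X} {row['protect']:<22} "
              f"{row['type']:<11} {','.join(row['rules'])} {flag}")
```

Under those assumptions the AgentTesla hit in target 2 (RegAsm.exe) sits at 0x402000 in an executable mapped region, which is the kind of region a section-based injection produces, while the 0x2C85000 hit is plain read/write data.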


                              Execution Graph

                              Execution Coverage:7.6%
                              Dynamic/Decrypted Code Coverage:50.6%
                              Signature Coverage:44.7%
                              Total number of Nodes:170
                              Total number of Limit Nodes:8
                              Execution graph (rendered graph omitted; the call sequences it recorded are listed here):
                              • 0x2192B6E, 0x2192B3E and 0x2192BF8 (three entry points that converge on the same routine in the 0x2190000 region): GetPEB (0x21931C9) → NtCreateSection (0x2192DBF) → NtMapViewOfSection (0x2192DF6) → CreateProcessW (0x2192EBC) → GetPEB (0x2192F81) → NtGetContextThread (0x2192FC7) → NtReadVirtualMemory (0x2192FE8) → NtWriteVirtualMemory (0x219300E) → NtUnmapViewOfSection + NtMapViewOfSection (0x2193034) → NtSetContextThread (0x2193068) → NtResumeThread (0x2193099)
                              • 0x2095290B: GetPEB (0x20952EC1) → NtAllocateVirtualMemory (0x2095298C) → NtProtectVirtualMemory (0x209529AF) → NtProtectVirtualMemory (0x20952A73)
                              • 0x20952AD8: NtQueryInformationProcess (0x20952B0E)
                              • 0x20952C3C (via 0x20952DC0 / 0x20952DD0): GetPEB (0x20952EC1)
                              • 0x2194778 (via 0x2194BA3 → 0x2196881), 0x21973D2 and 0x2196A86: GetPEB
                              • 0x2095C7D9, 0x2095C7CC and 0x2095C7E6 dispatch into Visual Basic runtime code at 0x20BAFA20-0x20BB5BF1: __vbaVarDup, __vbaI4Var, __vbaVarCat, __vbaStrCat, __vbaStrMove, __vbaStrVarMove, __vbaVargVarMove, __vbaVarCopy, __vbaFreeVar, __vbaFreeStrList, __vbaFreeVarList, ordinal imports #632 and #653, and a long ladder of __vbaVarTstEq comparisons (0x20BAFDE0-0x20BB13BB) whose branches each make between 7 and 47 further API calls
                              • 0x20953040: __vbaChkstk

                              Control-flow Graph
                              • Function at 0x2192B6E (rendered graph with executed / not-executed basic blocks omitted). Basic blocks span 0x2192B53-0x21930C3. Internal calls: 0x21930C6, 0x21931C9 (GetPEB, twice), 0x219311A (twelve calls in 0x2192C60-0x2192D4D, followed by a chain of checks at 0x2192D53-0x2192DA6 that each bail out to 0x21930BD), 0x21931AA and 0x2193207; the API call sites are the ones listed under APIs. The NtCreateSection, NtMapViewOfSection, CreateProcessW and NtResumeThread blocks also have an edge to the common exit block at 0x21930BD.
                              APIs
                              • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 02192DE4
                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02192E11
                              • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 02192FBC
                              • NtGetContextThread.NTDLL(?,?), ref: 02192FDB
                              • NtReadVirtualMemory.NTDLL(?,?,?,000001D8,?), ref: 02193001
                              • NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 0219302B
                              • NtUnmapViewOfSection.NTDLL(?,?), ref: 02193046
                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0219305F
                              • NtSetContextThread.NTDLL(?,00010003), ref: 02193090
                              • NtResumeThread.NTDLL(?,00000000), ref: 0219309D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2161410934.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2190000_YY3k9rjxpY.jbxd
                              Similarity
                              • API ID: Section$ThreadView$ContextCreateMemoryVirtual$ProcessReadResumeUnmapWrite
                              • String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
                              • API String ID: 1951729442-1087957892
                              • Opcode ID: a303f0539ca273dbf07fb00c4f13b5d645df190496518d14626ea9253ea22357
                              • Instruction ID: 9b56b434aee769216e89f956492386f3675ae3e236bcb76eb6347008c9adc0bd
                              • Opcode Fuzzy Hash: a303f0539ca273dbf07fb00c4f13b5d645df190496518d14626ea9253ea22357
                              • Instruction Fuzzy Hash: FBF16872D40259AFDF25CFA4CC80AEEBBB9FF04704F1440AAE525AB211D7349A85CF55
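
                              Read in order, the ten API calls listed above are the section-mapping variant of process hollowing: a pagefile-backed section is created with SECTION_ALL_ACCESS (0x000F001F), PAGE_EXECUTE_READWRITE (0x40), SEC_COMMIT (0x08000000) and no file handle, mapped RWX into the current process, a child is started with dwCreationFlags 0x4 (CREATE_SUSPENDED), its thread context is read, a 4-byte write and an unmap/remap pair land in the child, and NtSetContextThread is followed by NtResumeThread. The 0x10003 shown for the context argument equals CONTEXT_CONTROL | CONTEXT_INTEGER for x86 if the sandbox is rendering the ContextFlags field, which is an assumption. Together with the string fragments "\Microsoft.NET\Framework\", "egas" and "m.ex" attached to this code and the RegAsm.exe child recorded as target 2, this is consistent with the target path being assembled piecewise. The script below is an added example, not part of the Joe Sandbox report: it parses lines in the report's own API-list format and checks for that ordered chain. Argument positions follow the published ntdll and kernel32 prototypes, and the stage list is the script's own rule, not a Joe Sandbox signature.

```python
"""Flag the section-mapping process-hollowing chain in a sandbox API trace.

Added example, not part of the Joe Sandbox report. REPORT_TRACE is copied
from the APIs list above; argument indices follow the published prototypes
(NtCreateSection, NtMapViewOfSection, CreateProcessW), and the stage list is
this script's own rule, not a Joe Sandbox signature.
"""
import re
from dataclasses import dataclass

# Windows SDK / ntdll constants.
CREATE_SUSPENDED = 0x00000004
PAGE_EXECUTE_READWRITE = 0x00000040
SECTION_ALL_ACCESS = 0x000F001F
SEC_COMMIT = 0x08000000

@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # int for hex literals, None for "?" (not resolved by the sandbox)
    ref: int     # call-site address

# One report line, e.g. "• NtCreateSection.NTDLL(?,000F001F,...), ref: 02192DE4"
LINE_RE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")

def _parse_arg(a: str):
    a = a.strip()
    if a == "?":
        return None
    try:
        return int(a, 16)
    except ValueError:
        return a            # symbolic argument such as an API name

def parse_trace(text: str) -> list:
    """Parse report-style API lines into ApiCall records, in trace order."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, module, argstr, ref = m.groups()
            args = [_parse_arg(a) for a in argstr.split(",") if a.strip()]
            calls.append(ApiCall(name, module, args, int(ref, 16)))
    return calls

def _arg(call: ApiCall, i: int):
    return call.args[i] if i < len(call.args) else None

# Ordered stages of the chain. Argument indices: NtCreateSection(DesiredAccess=1,
# SectionPageProtection=4, AllocationAttributes=5, FileHandle=6);
# NtMapViewOfSection(Win32Protect=9); CreateProcessW(dwCreationFlags=5).
STAGES = [
    ("NtCreateSection", lambda c: _arg(c, 1) == SECTION_ALL_ACCESS
                                  and _arg(c, 4) == PAGE_EXECUTE_READWRITE
                                  and _arg(c, 5) == SEC_COMMIT
                                  and _arg(c, 6) == 0),          # pagefile-backed RWX section
    ("NtMapViewOfSection", lambda c: _arg(c, 9) == PAGE_EXECUTE_READWRITE),
    ("CreateProcessW", lambda c: bool((_arg(c, 5) or 0) & CREATE_SUSPENDED)),
    ("NtGetContextThread", None),
    ("NtWriteVirtualMemory", None),
    ("NtUnmapViewOfSection", None),
    ("NtMapViewOfSection", lambda c: _arg(c, 9) == PAGE_EXECUTE_READWRITE),
    ("NtSetContextThread", None),
    ("NtResumeThread", None),
]

def detect_hollowing(calls: list) -> dict:
    """Match STAGES as an ordered subsequence of the trace (other calls may
    sit in between). Returns the call sites that satisfied each stage, the
    stages still missing, and 'complete' when all were seen in order."""
    matched, i = [], 0
    for c in calls:
        if i == len(STAGES):
            break
        name, pred = STAGES[i]
        if c.name == name and (pred is None or pred(c)):
            matched.append((name, c.ref))
            i += 1
    return {"complete": i == len(STAGES), "matched": matched,
            "missing": [s[0] for s in STAGES[i:]]}

# Copied from the report's APIs list for the routine at 0x2192B6E.
REPORT_TRACE = """
• NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 02192DE4
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02192E11
• CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 02192FBC
• NtGetContextThread.NTDLL(?,?), ref: 02192FDB
• NtReadVirtualMemory.NTDLL(?,?,?,000001D8,?), ref: 02193001
• NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 0219302B
• NtUnmapViewOfSection.NTDLL(?,?), ref: 02193046
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0219305F
• NtSetContextThread.NTDLL(?,00010003), ref: 02193090
• NtResumeThread.NTDLL(?,00000000), ref: 0219309D
"""

if __name__ == "__main__":
    verdict = detect_hollowing(parse_trace(REPORT_TRACE))
    print("hollowing chain complete:", verdict["complete"])
    for name, ref in verdict["matched"]:
        print(f"  {name:<22} @ {ref:08X}")
```

The stage predicates are deliberately narrow (RWX protection on both mappings, CREATE_SUSPENDED on the child) so that an ordinary loader that maps a read-only section or starts a child normally does not trip the rule; loosening them trades false negatives for false positives in the usual way.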

                              Control-flow Graph
                              • Function at 0x2192B3E (rendered graph omitted). After its own entry blocks (0x2192B3E-0x2192C33, calling 0x21930C6 and 0x21931C9) it shares every basic block, internal call and API call site of the function at 0x2192B6E above.
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2161410934.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2190000_YY3k9rjxpY.jbxd
                              Similarity
                              • API ID:
                              • String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
                              • API String ID: 0-1087957892
                              • Opcode ID: f5d5e67fbf90ad76ad5802d14a998c0c49436abd80b80109035321d483bb2859
                              • Instruction ID: d6d41a3fa032db5dedd24239b0c2c7b9855e073235936ed5a6b9f0f43cf0fe70
                              • Opcode Fuzzy Hash: f5d5e67fbf90ad76ad5802d14a998c0c49436abd80b80109035321d483bb2859
                              • Instruction Fuzzy Hash: 3FE16772D40259AFDF25DFA4CC80AEEBBB9FF08304F1844AAE524AB211D7349A45CF55

                              Control-flow Graph
                              • Function at 0x2192BF8 (rendered graph omitted). Its entry blocks 0x2192BF8-0x2192C3E call 0x21930C6 and 0x21931C9 (GetPEB); from 0x2192C44 onward it follows the same basic blocks and API call sites as the function at 0x2192B6E above.
                              APIs
                              • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 02192DE4
                              • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02192E11
                              • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 02192FBC
                              • NtGetContextThread.NTDLL(?,?), ref: 02192FDB
                              • NtReadVirtualMemory.NTDLL(?,?,?,000001D8,?), ref: 02193001
                              • NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 0219302B
                              • NtUnmapViewOfSection.NTDLL(?,?), ref: 02193046
                              • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0219305F
                              • NtSetContextThread.NTDLL(?,00010003), ref: 02193090
                              • NtResumeThread.NTDLL(?,00000000), ref: 0219309D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2161410934.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2190000_YY3k9rjxpY.jbxd
                              Similarity
                              • API ID: Section$ThreadView$ContextCreateMemoryVirtual$ProcessReadResumeUnmapWrite
                              • String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
                              • API String ID: 1951729442-1087957892
                              • Opcode ID: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
                              • Instruction ID: f66a4adf94c4941f1db079d463ad445f9f9cad6978015cea9c021ab32a39a05d
                              • Opcode Fuzzy Hash: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
                              • Instruction Fuzzy Hash: E0E113B2D40259AFDF24DFA4CC80AEEBBB9FF04704F1440AAE524AB211D7349A85CF55

                              Control-flow Graph
                              • Function at 0x2095290B (rendered graph omitted). The entry block 0x2095290B-0x2095298A calls 0x20952BFE, 0x20952EC1 (GetPEB) and, three times over, 0x20952C20 and 0x20952E62. NtAllocateVirtualMemory (0x2095298C) is followed by NtProtectVirtualMemory (0x209529AF), a loop at 0x209529E2-0x20952A6E that calls 0x20951506, and a second NtProtectVirtualMemory (0x20952A73); every path returns through 0x20952AD2.
                              APIs
                              • NtAllocateVirtualMemory.NTDLL(000000FF,00000100,00000000,00000100,00003000,00000040,?,NtQueryInformationProcess,2095166F,?,NtQueryInformationProcess,20951689,?,NtQueryInformationProcess,20951658,NtQueryInformationProcess), ref: 209529A2
                              • NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,00000040,?,?,NtQueryInformationProcess,2095166F,?,NtQueryInformationProcess,20951689,?,NtQueryInformationProcess,20951658,NtQueryInformationProcess,209516FA), ref: 209529CD
                              • NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,?,?,?,NtQueryInformationProcess,2095166F,?,NtQueryInformationProcess,20951689,?,NtQueryInformationProcess,20951658,NtQueryInformationProcess,209516FA), ref: 20952AC9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2161649009.0000000020951000.00000020.00000001.01000000.00000003.sdmp, Offset: 20950000, based on PE: true
                              • Associated: 00000000.00000002.2161628995.0000000020950000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161670384.000000002095F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161698120.0000000020961000.00000020.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161859212.0000000020BB8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161859212.0000000020BBC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161913583.0000000020BBD000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20950000_YY3k9rjxpY.jbxd
                              Similarity
                              • API ID: MemoryVirtual$Protect$Allocate
                              • String ID: NtQueryInformationProcess
                              • API String ID: 955180148-2781105232
                              • Opcode ID: 3f72b2a0a43bf8ddc031c9c03411520e132584c1a78c4498e07355e855fc661c
                              • Instruction ID: a3bbddd13b3b6b36e1fd633884e1d28cee64810b13e409d8e11d928b803c80a2
                              • Opcode Fuzzy Hash: 3f72b2a0a43bf8ddc031c9c03411520e132584c1a78c4498e07355e855fc661c
                              • Instruction Fuzzy Hash: D351BE7080420AAFDB20DBEACD80B9EBFB6EB96310F544355E512A71E1D7786648CB61

                              Control-flow Graph
                              • Function at 0x20952AD8 (rendered graph omitted). A short prologue of conditional blocks (0x20952AE1-0x20952B0C) leads to the single NtQueryInformationProcess call at 0x20952B0E and the return block at 0x20952B23.
                              APIs
                              • NtQueryInformationProcess.NTDLL(?,00000022,?,?,?), ref: 20952B1D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2161649009.0000000020951000.00000020.00000001.01000000.00000003.sdmp, Offset: 20950000, based on PE: true
                              • Associated: 00000000.00000002.2161628995.0000000020950000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161670384.000000002095F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161698120.0000000020961000.00000020.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161859212.0000000020BB8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161859212.0000000020BBC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161913583.0000000020BBD000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20950000_YY3k9rjxpY.jbxd
                              Similarity
                              • API ID: InformationProcessQuery
                              • String ID: "
                              • API String ID: 1778838933-123907689
                              • Opcode ID: 8170a9367cb7fd352510e3f2b82e4ae1837c3bd5e925f310beb2d0d4123279d6
                              • Instruction ID: 74e6bcaef20e94b1dc2c3a02f6ac3ee9eb2abb7f1952bef46789b17227ddd25c
                              • Opcode Fuzzy Hash: 8170a9367cb7fd352510e3f2b82e4ae1837c3bd5e925f310beb2d0d4123279d6
                              • Instruction Fuzzy Hash: 1EF0583110020AEFCF16CF96DC40A8A3FA5EB07354F008115FA124A5A0C33AC9A5EF51
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2161649009.0000000020951000.00000020.00000001.01000000.00000003.sdmp, Offset: 20950000, based on PE: true
                              • Associated: 00000000.00000002.2161628995.0000000020950000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161670384.000000002095F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161698120.0000000020961000.00000020.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161859212.0000000020BB8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161859212.0000000020BBC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161913583.0000000020BBD000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20950000_YY3k9rjxpY.jbxd
                              Similarity
                              • API ID:
                              • String ID: NtQueryInformationProcess
                              • API String ID: 0-2781105232
                              • Opcode ID: 6d01fb3913008fbb92bcf35f62f2a8c59be9449cb04b625942b7f496e7fb2522
                              • Instruction ID: 9da31ca0e9f8a6609969c7531dccbccc3cd9a10e3dd9b84fd1e6582c786c947a
                              • Opcode Fuzzy Hash: 6d01fb3913008fbb92bcf35f62f2a8c59be9449cb04b625942b7f496e7fb2522
                              • Instruction Fuzzy Hash: 72F03030724006AFDE50EFD3C881F293FE9FB17654F2054A0F807E7566DA18984D9921
                              Memory Dump Source
                              • Source File: 00000000.00000002.2161649009.0000000020951000.00000020.00000001.01000000.00000003.sdmp, Offset: 20950000, based on PE: true
                              • Associated: 00000000.00000002.2161628995.0000000020950000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161670384.000000002095F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161698120.0000000020961000.00000020.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161859212.0000000020BB8000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161859212.0000000020BBC000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2161913583.0000000020BBD000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_20950000_YY3k9rjxpY.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ef41f23567e4e7422021a95af9bb6b13c8200b2295415d293bf1cf4d9d63b1a6
                              • Instruction ID: 83a69809e2da56b7e50ff02e1c42bc5958f1026a8df870e51b06481fb8486f28
                              • Opcode Fuzzy Hash: ef41f23567e4e7422021a95af9bb6b13c8200b2295415d293bf1cf4d9d63b1a6
                              • Instruction Fuzzy Hash: EC01A4366001068BC720EF86E440D91BBBAFB73760BD500A6D90747E15E339ADCCDA11
                              Memory Dump Source
                              • Source File: 00000000.00000002.2161410934.0000000002190000.00000040.00001000.00020000.00000000.sdmp, Offset: 02190000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2190000_YY3k9rjxpY.jbxd

                              Control-flow Graph

                              APIs
                              • __vbaStrCat.MSVBVM60(@o@s@o@f,M@i@c@r), ref: 20BAFA8D
                              • __vbaStrMove.MSVBVM60 ref: 20BAFA9A
                              • __vbaStrCat.MSVBVM60(@t@ @E@n@h@a@n,00000000), ref: 20BAFAA2
                              • __vbaStrMove.MSVBVM60 ref: 20BAFAA9
                              • __vbaStrCat.MSVBVM60(@c@e@d@ @R@S@,00000000), ref: 20BAFAB1
                              • __vbaStrMove.MSVBVM60 ref: 20BAFAB8
                              • __vbaStrCat.MSVBVM60(A@ @a@n,00000000), ref: 20BAFAC0
                              • __vbaStrMove.MSVBVM60 ref: 20BAFAC7
                              • __vbaStrCat.MSVBVM60(@d@ @A@E@S@ ,00000000), ref: 20BAFACF
                              • __vbaStrMove.MSVBVM60 ref: 20BAFAD6
                              • __vbaStrCat.MSVBVM60(@C@r@y@,00000000), ref: 20BAFADE
                              • __vbaStrMove.MSVBVM60 ref: 20BAFAE5
                              • __vbaStrCat.MSVBVM60(p@t@o@g@r@a@,00000000), ref: 20BAFAED
                              • __vbaStrMove.MSVBVM60 ref: 20BAFAF4
                              • __vbaStrCat.MSVBVM60(p@h@i@c@ @P@r,00000000), ref: 20BAFAFC
                              • __vbaStrMove.MSVBVM60 ref: 20BAFB03
                              • __vbaStrCat.MSVBVM60(@o@v@i@d,00000000), ref: 20BAFB0B
                              • __vbaStrMove.MSVBVM60 ref: 20BAFB12
                              • __vbaStrCat.MSVBVM60(@e@r@,00000000), ref: 20BAFB1A
                                • Part of subcall function 20BB5B00: __vbaVarDup.MSVBVM60(6CD3D8B1,6CD2A323), ref: 20BB5B43
                                • Part of subcall function 20BB5B00: #653.MSVBVM60(?,?), ref: 20BB5B51
                                • Part of subcall function 20BB5B00: __vbaI4Var.MSVBVM60(?), ref: 20BB5B5B
                                • Part of subcall function 20BB5B00: __vbaFreeVar.MSVBVM60 ref: 20BB5B74
                                • Part of subcall function 20BB5B00: #632.MSVBVM60(?,?,?,?), ref: 20BB5BB0
                                • Part of subcall function 20BB5B00: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 20BB5BC2
                                • Part of subcall function 20BB5B00: __vbaStrVarMove.MSVBVM60(00000000), ref: 20BB5BC9
                                • Part of subcall function 20BB5B00: __vbaStrMove.MSVBVM60 ref: 20BB5BD4
                                • Part of subcall function 20BB5B00: __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 20BB5BE4
                                • Part of subcall function 20BB5B00: __vbaFreeVar.MSVBVM60(20BB5C29), ref: 20BB5C22
                              • __vbaStrMove.MSVBVM60 ref: 20BAFB47
                              • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?), ref: 20BAFB6F
                              • __vbaFreeVar.MSVBVM60 ref: 20BAFB7B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2161649009.0000000020951000.00000020.00000001.01000000.00000003.sdmp, Offset: 20950000, based on PE: true
                              Similarity
                              • API ID: __vba$Move$Free$List$#632#653
                              • String ID: @C@r@y@$@c@e@d@ @R@S@$@d@ @A@E@S@ $@e@r@$@o@s@o@f$@o@v@i@d$@t@ @E@n@h@a@n$A@ @a@n$M@i@c@r$p@h@i@c@ @P@r$p@t@o@g@r@a@
                              • API String ID: 193477259-3817434718

                              Control-flow Graph

                              APIs
                              • __vbaStrCat.MSVBVM60(209607E8,209609B0), ref: 20BAFC6D
                              • __vbaStrMove.MSVBVM60 ref: 20BAFC7A
                              • __vbaStrCat.MSVBVM60(20960658,00000000), ref: 20BAFC82
                              • __vbaStrMove.MSVBVM60 ref: 20BAFC89
                              • __vbaStrCat.MSVBVM60(20960578,00000000), ref: 20BAFC91
                              • __vbaStrMove.MSVBVM60 ref: 20BAFC98
                              • __vbaStrCat.MSVBVM60(20960758,00000000), ref: 20BAFCA0
                              • __vbaStrMove.MSVBVM60 ref: 20BAFCA7
                              • __vbaStrCat.MSVBVM60(20960B5C,00000000), ref: 20BAFCAF
                              • __vbaStrMove.MSVBVM60 ref: 20BAFCB6
                              • __vbaStrCat.MSVBVM60(20960B88,00000000), ref: 20BAFCBE
                              • __vbaStrMove.MSVBVM60 ref: 20BAFCC5
                              • __vbaStrCat.MSVBVM60(20960BA4,00000000), ref: 20BAFCCD
                              • __vbaStrMove.MSVBVM60 ref: 20BAFCD4
                              • __vbaStrCat.MSVBVM60(20960BD0,00000000), ref: 20BAFCDC
                              • __vbaStrMove.MSVBVM60 ref: 20BAFCE3
                              • __vbaStrCat.MSVBVM60(20960BF4,00000000), ref: 20BAFCEB
                              • __vbaStrMove.MSVBVM60 ref: 20BAFCF2
                              • __vbaStrCat.MSVBVM60(20960C0C,00000000), ref: 20BAFCFA
                                • Part of subcall function 20BB5B00: __vbaVarDup.MSVBVM60(6CD3D8B1,6CD2A323), ref: 20BB5B43
                                • Part of subcall function 20BB5B00: #653.MSVBVM60(?,?), ref: 20BB5B51
                                • Part of subcall function 20BB5B00: __vbaI4Var.MSVBVM60(?), ref: 20BB5B5B
                                • Part of subcall function 20BB5B00: __vbaFreeVar.MSVBVM60 ref: 20BB5B74
                                • Part of subcall function 20BB5B00: #632.MSVBVM60(?,?,?,?), ref: 20BB5BB0
                                • Part of subcall function 20BB5B00: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 20BB5BC2
                                • Part of subcall function 20BB5B00: __vbaStrVarMove.MSVBVM60(00000000), ref: 20BB5BC9
                                • Part of subcall function 20BB5B00: __vbaStrMove.MSVBVM60 ref: 20BB5BD4
                                • Part of subcall function 20BB5B00: __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 20BB5BE4
                                • Part of subcall function 20BB5B00: __vbaFreeVar.MSVBVM60(20BB5C29), ref: 20BB5C22
                              • __vbaStrMove.MSVBVM60 ref: 20BAFD27
                              • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?), ref: 20BAFD4F
                              • __vbaFreeVar.MSVBVM60 ref: 20BAFD5B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2161649009.0000000020951000.00000020.00000001.01000000.00000003.sdmp, Offset: 20950000, based on PE: true
                              Similarity
                              • API ID: __vba$Move$Free$List$#632#653
                              • String ID:
                              • API String ID: 193477259-0

                              Control-flow Graph

                              APIs
                              • __vbaVarDup.MSVBVM60(6CD3D8B1,6CD2A323), ref: 20BB5B43
                              • #653.MSVBVM60(?,?), ref: 20BB5B51
                              • __vbaI4Var.MSVBVM60(?), ref: 20BB5B5B
                              • __vbaFreeVar.MSVBVM60 ref: 20BB5B74
                              • #632.MSVBVM60(?,?,?,?), ref: 20BB5BB0
                              • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 20BB5BC2
                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 20BB5BC9
                              • __vbaStrMove.MSVBVM60 ref: 20BB5BD4
                              • __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 20BB5BE4
                              • __vbaFreeVar.MSVBVM60(20BB5C29), ref: 20BB5C22
                              Memory Dump Source
                              • Source File: 00000000.00000002.2161698120.0000000020961000.00000020.00000001.01000000.00000003.sdmp, Offset: 20950000, based on PE: true
                              Similarity
                              • API ID: __vba$Free$Move$#632#653List
                              • String ID:
                              • API String ID: 1043057846-0

                              Execution Graph

                              Execution Coverage:11.7%
                              Dynamic/Decrypted Code Coverage:8.6%
                              Signature Coverage:0%
                              Total number of Nodes:35
                              Total number of Limit Nodes:4
                              Execution graph node list (rendered graph not recoverable); nodes call GetPEB, NtAllocateVirtualMemory, CheckRemoteDebuggerPresent and NtClose.

                              Control-flow Graph

                              APIs
                              • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02C170DF
                              Memory Dump Source
                              • Source File: 00000002.00000002.4529287257.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_2c10000_RegAsm.jbxd
                              Similarity
                              • API ID: CheckDebuggerPresentRemote
                              • String ID:
                              • API String ID: 3662101638-0

                              Control-flow Graph

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?), ref: 00445A7A
                              Memory Dump Source
                              • Source File: 00000002.00000002.4527761643.0000000000442000.00000040.80000000.00040000.00000000.sdmp, Offset: 00442000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_442000_RegAsm.jbxd
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.4529287257.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_2c10000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID: \VEm
                              • API String ID: 0-1990433697
                              • Opcode ID: 3204c51ead748e9244df72d65afaf516dab30fde830789ed810716e0a99e7a9c
                              • Instruction ID: a0846d1ba4d60b6dc7f20e5fcfec646894e7a2f4825747ef4a8f138629bc98af
                              • Opcode Fuzzy Hash: 3204c51ead748e9244df72d65afaf516dab30fde830789ed810716e0a99e7a9c
                              • Instruction Fuzzy Hash: D9918170E00249DFDF24CFA9D9827DDBBF2BF89308F248129E415A7294EB749945DB81
                              Memory Dump Source
                              • Source File: 00000002.00000002.4529287257.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_2c10000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9fabe531f9cb6a9f24f8c4171fda00bce6185d5b20730ca49db6e90ed107b357
                              • Instruction ID: 3340c4700b35a48f091a73cff0ee0e93da7dd0721bf4c54e70534d2751b672b1
                              • Opcode Fuzzy Hash: 9fabe531f9cb6a9f24f8c4171fda00bce6185d5b20730ca49db6e90ed107b357
                              • Instruction Fuzzy Hash: 4232BF34A012058FDB14DFA8D985BADBBB2FF89310F208469E809EB391DB31DD45DB91

                              Control-flow Graph (legend: Executed / Not Executed)
                              • Function at 2c14a80; basic blocks span 2c14a80-2c14dce, ending in a self-looping block at 2c14dce
                              • Two call sites to 2c10ab8: 2c14db1-2c14db4, 2c14dc5-2c14dc8
                              • [graph node/edge listing not reproduced in text form]
                              Memory Dump Source
                              • Source File: 00000002.00000002.4529287257.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_2c10000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b5499065154c7c9bd02bca344b983a0d6e279c4281188b966d6983293e1baee7
                              • Instruction ID: d142eb623ac3aa94af78cc3bcf4fe34ea823e4068ee839c1a286dcd87f2ca864
                              • Opcode Fuzzy Hash: b5499065154c7c9bd02bca344b983a0d6e279c4281188b966d6983293e1baee7
                              • Instruction Fuzzy Hash: C9B17E74E00609CFDF28CFA9D99279DBBF2BF89314F148129D415E7294EB349982DB81

                              Control-flow Graph (legend: Executed / Not Executed)
                              • Function at 2c17060; basic blocks span 2c17060-2c17130
                              • The entry block 2c17060-2c170ec calls CheckRemoteDebuggerPresent, then branches to 2c170ee-2c170f4 or directly to 2c170f5-2c17130
                              • [graph node/edge listing not reproduced in text form]
                              APIs
                              • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 02C170DF
                              Memory Dump Source
                              • Source File: 00000002.00000002.4529287257.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_2c10000_RegAsm.jbxd
                              Similarity
                              • API ID: CheckDebuggerPresentRemote
                              • String ID:
                              • API String ID: 3662101638-0
                              • Opcode ID: 690fef3e2768d307ad3053ffff1d8e8375067bde385d0430843dc0ed36b4beec
                              • Instruction ID: f112eb05b99ec9f10f2893f2566cb5a6a23710608a0017f06f34eb7c2a43cb27
                              • Opcode Fuzzy Hash: 690fef3e2768d307ad3053ffff1d8e8375067bde385d0430843dc0ed36b4beec
                              • Instruction Fuzzy Hash: A52148B18002598FCB10DF9AD985BEEFBF4EF49320F14845AE459B3251D738AA44CFA0
                              Memory Dump Source
                              • Source File: 00000002.00000002.4528688321.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_285d000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 75f448d0b5414ab329069f4d7cc4cd7ecff6e526b8e23fd1c62543205295423b
                              • Instruction ID: 1130645618c1d4396d7c21f3c136f0b7d28133e5818545a9cfd8c4eed7a17227
                              • Opcode Fuzzy Hash: 75f448d0b5414ab329069f4d7cc4cd7ecff6e526b8e23fd1c62543205295423b
                              • Instruction Fuzzy Hash: 5921D07D604244DFDB14DF24D984B26BF65EF84318F24C569DD0A8B356C33AD447CA62
                              Memory Dump Source
                              • Source File: 00000002.00000002.4528688321.000000000285D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0285D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_285d000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4053205b6762a4525996065e752115e78c797c5f41f4ef331cd9fc88cbca35d4
                              • Instruction ID: ccc78328035cfc6d30bfde55518aa3a8b73455f9d5e7203d5c17de49042beed8
                              • Opcode Fuzzy Hash: 4053205b6762a4525996065e752115e78c797c5f41f4ef331cd9fc88cbca35d4
                              • Instruction Fuzzy Hash: 752192795093C08FDB02CF24D994B15BF71EF46214F28C5EADC498B657C33A940ACB62
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.4529287257.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_2c10000_RegAsm.jbxd
                              Similarity
                              • API ID:
                              • String ID: \VEm
                              • API String ID: 0-1990433697
                              • Opcode ID: 21b5972a889961d5a159bce7ac60857db97ea60c3f6bb9c931c40ba7601a5842
                              • Instruction ID: b9870100d70f11a56b4141cffbb90bb66a50ad454c0e937cff92a384dcbf18d2
                              • Opcode Fuzzy Hash: 21b5972a889961d5a159bce7ac60857db97ea60c3f6bb9c931c40ba7601a5842
                              • Instruction Fuzzy Hash: F4B15170E00209CFDF28CFA9D98679DBBF2BF89314F148129D419E7254EB749985DB81