
Windows Analysis Report
vJsFBhrSfK.exe

Overview

General Information

Sample name: vJsFBhrSfK.exe (renamed because the original name is a hash value)
Original sample name: 65e6633b1a99bf5b6a71d8fb26ec5130b0db075c0a838301d8120e32b7ca847b.exe
Analysis ID: 1519415
MD5: f6e330ca595ee7f05ddbecb8cd851350
SHA1: f22953cd04a52fc0cd2fc313ebfc5b329598abb0
SHA256: 65e6633b1a99bf5b6a71d8fb26ec5130b0db075c0a838301d8120e32b7ca847b
Tags: AlphaBank, exe, FormBook, geo, GRC, unpacked, user-NDA0E

Detection

FormBook
Score: 80 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
One or more processes crash
PE file does not import any functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • vJsFBhrSfK.exe (PID: 6480 cmdline: "C:\Users\user\Desktop\vJsFBhrSfK.exe" MD5: F6E330CA595EE7F05DDBECB8CD851350)
    • WerFault.exe (PID: 6676 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 228 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings)

Source: vJsFBhrSfK.exe (SAMPLE)
  Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
    0x2ecc3: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    0x16e32: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp (MEMORY)
  Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
    0x2dcc3: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    0x15e32: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp (MEMORY)
  Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
    0x2dcc3: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    0x15e32: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 0.0.vJsFBhrSfK.exe.da0000.0.unpack (UNPACKEDPE)
  Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
    0x2dec3: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    0x16032: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 0.2.vJsFBhrSfK.exe.da0000.0.unpack (UNPACKEDPE)
  Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
    0x2dec3: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    0x16032: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

No Sigma rule has matched
No Suricata rule has matched
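
The Windows_Trojan_Formbook_1112e116 hits above are plain hex strings: the same 20-byte sequences are reported at 0x2ecc3/0x16e32 in the file, at 0x2dec3/0x16032 in the unpacked image and at 0x2dcc3/0x15e32 in the memory region dumped from 0xDA1000, that is, one match measured from three bases. The Python below is an added example, neither Joe Sandbox code nor the Elastic rule itself: it implements hex-string matching for those two strings (with YARA's `??` single-byte wildcard) and converts a region offset to an RVA against the 0xDA0000 image base so the memory and unpacked-image offsets can be compared. The buffer it scans and the placement offsets inside it are constructed for the demo.

```python
import re

# The two hex strings exactly as the report lists them for the Elastic rule
# Windows_Trojan_Formbook_1112e116 ($a2 and $a3).
FORMBOOK_STRINGS = {
    "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
    "$a3": "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
}


def hex_string_to_regex(hex_string):
    """Translate a YARA hex string into a compiled bytes regex.

    Every token is one byte; '??' is a single-byte wildcard as in YARA.
    Jumps such as [2-4] and nibble wildcards (4?) are not handled here."""
    parts = []
    for tok in hex_string.split():
        parts.append(b"." if tok == "??" else b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf, strings=FORMBOOK_STRINGS):
    """Return {name: [offsets]} for every hex string with at least one hit."""
    hits = {}
    for name, hex_string in strings.items():
        offsets = [m.start() for m in hex_string_to_regex(hex_string).finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


def region_offset_to_rva(offset, region_base, image_base):
    """Convert an offset into a dumped memory region into an RVA.

    The report gives memory hits relative to the dumped region (0xDA1000 here)
    and unpacked-image hits relative to the image base (0xDA0000); the RVA is
    the common yardstick."""
    return region_base + offset - image_base


def build_demo_buffer():
    """Constructed input, not sample bytes: 1 KiB of 0x90 filler with $a2
    placed at 0x40 and $a3 at 0x100."""
    buf = bytearray(b"\x90" * 0x400)
    for name, off in (("$a2", 0x40), ("$a3", 0x100)):
        pattern = bytes.fromhex(FORMBOOK_STRINGS[name])
        buf[off:off + len(pattern)] = pattern
    return bytes(buf)


if __name__ == "__main__":
    demo = build_demo_buffer()
    for name, offs in scan(demo).items():
        print(name, [hex(o) for o in offs])
    # Wildcard demo: a fragment of $a2 with its fourth byte wildcarded.
    print(scan(demo, {"$frag": "8D 44 08 ?? 75 F6"}))
    # The memory-region hit 0x2dcc3 expressed as an RVA.
    print(hex(region_offset_to_rva(0x2DCC3, 0xDA1000, 0xDA0000)))
```

Against a real file, `scan(open(path, "rb").read())` returns file offsets comparable to the SAMPLE row. For the memory hit, 0xDA1000 + 0x2dcc3 - 0xDA0000 = 0x2ecc3, which coincides with the file offset the SAMPLE row reports; the unpacked image reports 0x2dec3 for the same bytes because it is a rebuilt PE whose .text starts at a different raw offset.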


AV Detection

Source: vJsFBhrSfK.exe, Avira: detected
Source: vJsFBhrSfK.exe, ReversingLabs: Detection: 52%
Source: Yara match, file source: vJsFBhrSfK.exe, type: SAMPLE
Source: Yara match, file source: 0.0.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Submitted sample, Integrated Neural Analysis Model: Matched 98.6% probability
Source: vJsFBhrSfK.exe, Joe Sandbox ML: detected
Source: vJsFBhrSfK.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vJsFBhrSfK.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Amcache.hve.3.dr, String found in binary or memory: http://upx.sf.net

E-Banking Fraud

Source: Yara match, file source: vJsFBhrSfK.exe, type: SAMPLE
Source: Yara match, file source: 0.0.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Source: vJsFBhrSfK.exe, type: SAMPLE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 0.0.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 0.2.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DA10D0
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DA10CA
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DAF853
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DAF84A
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DB61A3
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DA22C0
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DADAF3
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DAFA73
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DA1230
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DA2DC0
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DCE5B3
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DA2640
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DB7FC3
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 228
Source: vJsFBhrSfK.exe, Static PE information: No import functions for PE file found
Source: vJsFBhrSfK.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Matched rule Windows_Trojan_Formbook_1112e116 on vJsFBhrSfK.exe (SAMPLE), 0.0.vJsFBhrSfK.exe.da0000.0.unpack (UNPACKEDPE), 0.2.vJsFBhrSfK.exe.da0000.0.unpack (UNPACKEDPE), 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp (MEMORY) and 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp (MEMORY), rule metadata: reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: vJsFBhrSfK.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vJsFBhrSfK.exe, Static PE information: Section .text
Source: classification engine, Classification label: mal80.troj.winEXE@2/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6480
Source: C:\Windows\SysWOW64\WerFault.exe, File created: C:\ProgramData\Microsoft\Windows\WER\Temp\54b1d49e-d3b6-4a72-be70-9a01c7eeaaee
Source: vJsFBhrSfK.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: vJsFBhrSfK.exe, ReversingLabs: Detection: 52%
Source: unknown, Process created: C:\Users\user\Desktop\vJsFBhrSfK.exe "C:\Users\user\Desktop\vJsFBhrSfK.exe"
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 228
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Section loaded: apphelp.dll
Source: vJsFBhrSfK.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DA3040 push eax; ret (at 0_2_00DA3042)
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DB5040 push eax; iretd (at 0_2_00DB5043)
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DA6167 push ebp; ret (at 0_2_00DA616B)
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DB7A84 pushad; iretd (at 0_2_00DB7A90)
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DB7B34 pushad; retf (at 0_2_00DB7B35)
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DB3560 push 00000076h; iretd (at 0_2_00DB356F)
Source: vJsFBhrSfK.exe, Static PE information: section name: .text entropy: 7.69528996942639
Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.3.dr, Binary or memory string: VMware
Source: Amcache.hve.3.dr, Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr, Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr, Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr, Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr, Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr, Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr, Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr, Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr, Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr, Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr, Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr, Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr, Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr, Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr, Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr, Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr, Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr, Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr, Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr, Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr, Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr, Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr, Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr, Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr, Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr, Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr, Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr, Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Process queried: DebugPort
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe, Code function: 0_2_00DA14A0 EntryPoint,LdrInitializeThunk
Source: Amcache.hve.3.dr, Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr, Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr, Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr, Binary or memory string: MsMpEng.exe

Note on the Amcache.hve.3.dr entries: Amcache.hve is the Windows Amcache registry hive, which records the machine's installed drivers, devices and executed programs. The VMware, Hyper-V and MsMpEng strings above therefore describe the analysis VM and were not found in the sample's code; of the entries in this block only the DebugPort query and the LdrInitializeThunk reference come from vJsFBhrSfK.exe itself. Weigh the "AV process strings found" and virtualization-related signatures accordingly.
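
Three of the System Summary facts above (no import directory; DYNAMIC_BASE, NX_COMPAT and TERMINAL_SERVER_AWARE set; a .text section with entropy 7.695 that is marked executable) can be reproduced from the PE headers alone. The script below is an added example, not Joe Sandbox code: it parses a PE32 header with `struct`, decodes the flag words, computes per-section Shannon entropy and turns the facts into report-style findings. The 7.0 entropy threshold is an assumption, and the PE it analyses is built by `build_demo_pe()` with pseudo-random bytes standing in for packed code; it is not the sample.

```python
import math
import random
import struct

# Flag names for the three words the report quotes (values from the PE spec).
FILE_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x8000: "TERMINAL_SERVER_AWARE"}
SCN_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
             0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}
ENTROPY_THRESHOLD = 7.0  # assumption: above this a code section is usually packed/encrypted


def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flags(value, table):
    return [name for bit, name in table.items() if value & bit]


def triage(pe):
    """Parse a PE32 image held in memory and return the triage facts."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    dll_chars = struct.unpack_from("<H", pe, opt + 70)[0]
    ndirs = struct.unpack_from("<I", pe, opt + 92)[0]
    imp_rva = imp_size = 0
    if ndirs > 1:  # data directory index 1 is the import table
        imp_rva, imp_size = struct.unpack_from("<II", pe, opt + 96 + 8)
    sections = []
    for i in range(nsect):
        name, _, va, raw_size, raw_ptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "rva": va, "raw_ptr": raw_ptr,
                         "entropy": round(entropy(data), 3),
                         "flags": flags(sc, SCN_FLAGS)})
    return {"file_characteristics": flags(file_chars, FILE_FLAGS),
            "dll_characteristics": flags(dll_chars, DLL_FLAGS),
            "imports_present": imp_rva != 0 and imp_size != 0,
            "sections": sections}


def findings(report):
    """Turn the parsed facts into the observations the report phrases."""
    out = []
    if not report["imports_present"]:
        out.append("no import directory (APIs must be resolved at run time)")
    for s in report["sections"]:
        if s["entropy"] > ENTROPY_THRESHOLD and "IMAGE_SCN_MEM_EXECUTE" in s["flags"]:
            out.append(f"high-entropy executable section {s['name']} ({s['entropy']})")
    return out


def build_demo_pe(text_data, with_imports=False):
    """Constructed minimal PE32: one .text section at RVA 0x1000, raw offset 0x200."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, EXE, 32-bit
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x8000)    # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    if with_imports:
        struct.pack_into("<II", opt, 104, 0x2000, 0x28)          # import directory
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text_data), 0x1000,
                       len(text_data), 0x200, 0, 0, 0, 0, 0x60000020)  # CODE|EXEC|READ
    return (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0") + text_data


def random_code(n=4096, seed=1):
    """Deterministic pseudo-random bytes standing in for packed code."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    for label, pe in (("packed-like", build_demo_pe(random_code())),
                      ("plain", build_demo_pe(b"\x90" * 4096, with_imports=True))):
        rep = triage(pe)
        print(label, rep["file_characteristics"], rep["dll_characteristics"],
              rep["sections"], findings(rep))
```

An image with no import directory cannot reach any Win32 API through the loader's normal import resolution, which is the usual reading of the report's "Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)" signature next to an entry point that references LdrInitializeThunk: the code walks the loader's structures and resolves what it needs at run time, and the high-entropy .text section holds the packed payload that does so.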

Stealing of Sensitive Information

Source: Yara match, file source: vJsFBhrSfK.exe, type: SAMPLE
Source: Yara match, file source: 0.0.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match, file source: vJsFBhrSfK.exe, type: SAMPLE
Source: Yara match, file source: 0.0.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
MITRE ATT&CK Matrix

The number before a technique is the count of signatures mapped to it. Only the populated cells are listed; the remaining cells of the matrix are the placeholder techniques the matrix shows for every tactic whether or not they were observed.

Reconnaissance: no technique matched
Resource Development: no technique matched
Initial Access: no technique matched
Execution: no technique matched
Persistence: 1 DLL Side-Loading
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading
Defense Evasion: 1 Virtualization/Sandbox Evasion; 2 Software Packing; 1 Process Injection; 1 DLL Side-Loading; 2 Obfuscated Files or Information
Credential Access: no technique matched
Discovery: 21 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 System Information Discovery
Lateral Movement: no technique matched
Collection: 1 Archive Collected Data
Command and Control: 1 Encrypted Channel
Exfiltration: no technique matched
Impact: no technique matched
Antivirus detection (Source / Detection / Scanner / Label / Link)
vJsFBhrSfK.exe / 53% / ReversingLabs / Win32.Backdoor.FormBook
vJsFBhrSfK.exe / 100% / Avira / TR/Crypt.ZPACK.Gen
vJsFBhrSfK.exe / 100% / Joe Sandbox ML
No Antivirus matches

URL detection (Source / Detection / Scanner / Label / Link)
http://upx.sf.net / 0% / URL Reputation / safe
No contacted domains info

URLs (Name / Source / Malicious / Antivirus Detection / Reputation)
http://upx.sf.net / Amcache.hve.3.dr / false / URL Reputation: safe / unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1519415
Start date and time: 2024-09-26 14:05:39 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: vJsFBhrSfK.exe (renamed because the original name is a hash value)
Original Sample Name: 65e6633b1a99bf5b6a71d8fb26ec5130b0db075c0a838301d8120e32b7ca847b.exe
Detection: MAL
Classification: mal80.troj.winEXE@2/5@0/0
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 3
• Number of non-executed functions: 36
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.168.117.173
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target vJsFBhrSfK.exe, PID 6480 because it is empty
• Not all processes were analyzed, report is missing behavior information
• VT rate limit hit for: vJsFBhrSfK.exe
No simulations
No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.6335618800574755
Encrypted: false
SSDEEP: 192:2f9/b6MT2O0BU/jrojEzuiFJZ24IO8vykLr:uVb6MT21BU/jrojEzuiFJY4IO8vyk
MD5: 70B1498283104B1623DF4B91C3DE71E8
SHA1: 583A0ED00E0CCF97FC56CB11E89FD79603F8D6C3
SHA-256: AEFA12767E34FBCE720D025153FC309EB9A37B6DF6975BB3C31E2DE9850541E5
SHA-512: 7E817BB2A00AF551133830824EA5AC26DB19E041E8621E41085040B13C2876CE20E0AE0F9C58DA39C8B15025028A4E9F365B7D54048A88B8215690AE9DBF4D4A
Malicious: true
Reputation: low
Preview (UTF-16LE decoded, one key=value pair per line, truncated in the report):
Version=1
EventType=APPCRASH
EventTime=133718259924273176
ReportType=2
Consent=1
UploadTime=133718259927710656
ReportStatus=524384
ReportIdentifier=9f6e3fb3-e1d2-433f-9cdc-8e706dd7619e
IntegratorReportIdentifier=1aef4508-887b-47c1-a8b2-b3f9379e3b44
Wow64Host=34404
Wow64Guest=332
NsAppName=vJsFBhrSfK.exe
AppSessionGuid=00001950-0001-0014-c638-93860c10db01
TargetAppId=W:00064dc15c4c9add7ac669e6dd7cdfe5679900000ffff!0000f22953cd04a52fc0cd2fc313ebfc5b329598abb0!vJsFBhrSfK.exe
TargetApp

The WER report is useful forensically: TargetAppId embeds the crashing image's SHA1 (f22953cd04a52fc0cd2fc313ebfc5b329598abb0, the sample's SHA1 from the General Information section) and AppSessionGuid starts with 0x1950, the decimal PID 6480 of the crashed process, so a crash report found on a host can be tied back to this sample even after the file itself is gone.
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Thu Sep 26 12:06:32 2024, 0x1205a4 type
Category: dropped
Size (bytes): 20876
Entropy (8bit): 1.9325311564024037
Encrypted: false
SSDEEP: 96:5m8cl6CQRYZE+0Ywi7nGh1g65yvLIWIkWI/sIxFgAbf:rNgZfwOGjg3vtFgE
MD5: 2C8421C47ECF678583490F669DB20CA8
SHA1: 2F4168C876D9DB20B97D9DD356D9479C411E54F0
SHA-256: F1341A8E9C526D3FAE620916E138FDF65F2666011E20C395BA188B6DCE2EAE77
SHA-512: F744C70D591A9E9E61802918A7027DA6FC816498016E297C0DE15C016315BD8AC7B81C235985ACCD47805AB9C0C8DAAD9FC01C771299C422156B9F1CAFAFE007
Malicious: false
Reputation: low
Preview: binary minidump beginning with the MDMP signature; readable strings in the shown portion are GenuineIntel, the time zone names "Eastern Standard Time" and "Eastern Summer Time", and the Windows build lab string 19041.1.amd64fre.vb_release.191206-1406, followed by zero padding
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):8278
            Entropy (8bit):3.6988147665367768
            Encrypted:false
            SSDEEP:192:R6l7wVeJyntb6T6Y9cSUCMgmfNyMaprM89b3OsfUdm:R6lXJytb6T6Y2SUCMgmfNyM23NfD
            MD5:7D358C739BAEEC6DF81A10D332269750
            SHA1:F5D7B5C48659ABF6AAF6EA2573EEE8DF61C97DBB
            SHA-256:4AA5D1BE99BCE9E40567C4F2BA5379A036FC5E7EC0F5B3EB3ECE8ED15F28AA3C
            SHA-512:397BC28D926C70B97F9DD4565E798D6110BDC856BE7D76B08D3BAD013EDF2D4421A093E527E2A1B3928029FA6F351A1EAE206EDCDDC7D07969A5EC5DA43A3746
            Malicious:false
            Reputation:low
            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.8.0.<./.P.i.
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4579
            Entropy (8bit):4.474062245200783
            Encrypted:false
            SSDEEP:48:cvIwWl8zsvJg77aI9CtWpW8VYjoYm8M4JApFx+q8a31sdEPMd:uIjfRI74c7V4JYFs+PMd
            MD5:F86F3010FEA7118A62B370EED356DA43
            SHA1:934A02EA4EF06A7E10A05B2F893089B23FC0D4FF
            SHA-256:57C12BFE08E90DFBC8F1C7FD728A57A08B7B45D6DCAC3380D02708F8371DB3C2
            SHA-512:F23AE220FCA636498AEFD0362C20BC85F5902262269E9B656408AAD97727233D11DC7308C07881CB38FDDAA9A3A9CAB0BC4CCA4BFEA6A63C089D29D3C0483B0F
            Malicious:false
            Reputation:low
            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="517149" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:MS Windows registry file, NT/2000 or above
            Category:dropped
            Size (bytes):1835008
            Entropy (8bit):4.465431299024242
            Encrypted:false
            SSDEEP:6144:PIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uN2dwBCswSbk:gXD94+WlLZMM6YFHM+k
            MD5:99D63B28D3B719C624BB34434CD916F3
            SHA1:512914D98D646105D2A0FEDBBC93F547AA1C3F84
            SHA-256:D686B4E3ED3D0D67E6EC1BC8655BBDFC7FDF3E458AC640F4EC8D75E46DA307BF
            SHA-512:4EAC8E10D8417C65615EA6B26F68E53BB5D96EF04203ABB9AE373210BD3C79A9D07D56827FABBD66FF767C1339FD27747FB24A6960786818294BF2E65644DDDF
            Malicious:false
            Reputation:low
            Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmr....................................................................................................................................................................................................................................................................................................................................................'..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.649128690219899
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.94%
            • Win16/32 Executable Delphi generic (2074/23) 0.02%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:vJsFBhrSfK.exe
            File size:286'208 bytes
            MD5:f6e330ca595ee7f05ddbecb8cd851350
            SHA1:f22953cd04a52fc0cd2fc313ebfc5b329598abb0
            SHA256:65e6633b1a99bf5b6a71d8fb26ec5130b0db075c0a838301d8120e32b7ca847b
            SHA512:4e369f6cec94a80d65c0851bbf311845cac529eb0319e71fa26fe2cc0fe9f9aad802f4b4f2f4e4c60692aa2e4b881b2106b0b03a19f65829aa33b158bee17ee9
            SSDEEP:6144:FrjAFi6J7yALSGDZyNw3ENr3DA59jli+GXWCzXKihuztQ6:FwFVJ7yY1yNfrMzjl2WCz6O2tQ6
            TLSH:B154D030E543D878E2F32075F5EA125F983E6C344124A163EBE505EAE9A58E8313D76F
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...PW.X.................N...................`....@..........................`............@................................
            Icon Hash:90cececece8e8eb0
            Entrypoint:0x4014a0
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Time Stamp:0x58145750 [Sat Oct 29 08:01:20 2016 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:6
            OS Version Minor:0
            File Version Major:6
            File Version Minor:0
            Subsystem Version Major:6
            Subsystem Version Minor:0
            Import Hash:
            Instruction
            push ebp
            mov ebp, esp
            sub esp, 000003A0h
            push ebx
            push esi
            push edi
            push 00000390h
            lea eax, dword ptr [ebp-0000039Ch]
            push 00000000h
            push eax
            mov dword ptr [ebp-000003A0h], 00000000h
            call 00007F12ECC61B6Ch
            add esp, 0Ch
            mov edi, 00006425h
            xor esi, esi
            mov dword ptr [ebp-0Ch], 00001FBAh
            mov dword ptr [ebp-04h], 000062CDh
            mov dword ptr [ebp-08h], 00002D11h
            call 00007F12ECC61E38h
            std
            inc esi
            cmp al, 87h
            push eax
            pop ds
            das
            jmp 00007F131BF509C7h
            out 49h, eax
            in eax, dx
            das
            das
            mov edi, 17A0A422h
            jno 00007F12ECC602A0h
            mov edx, 394B53EDh
            lahf
            rcl cl, cl
            add bh, 0000005Eh
            lodsb
            push ebx
            das
            pop ss
            lodsd
            cmp dl, bl
            rol dword ptr [ebx+39h], 1
            or cl, byte ptr [esi-2Fh]
            rol dword ptr [eax+2348CAC7h], 1
            das
            pop ss
            fsubr qword ptr [ecx]
            rcl ecx, cl
            inc ebx
            cmp dword ptr [edx], ecx
            dec esi
            rcl ecx, 1
            push D14A7A77h
            jnp 00007F12ECC60329h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x44c44 | 0x44e00 | 6f897ccf562032da3f0376136f119f7c | False | 0.8265369782214156 | data | 7.69528996942639 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            No network behavior found

            Target ID:0
            Start time:08:06:32
            Start date:26/09/2024
            Path:C:\Users\user\Desktop\vJsFBhrSfK.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\vJsFBhrSfK.exe"
            Imagebase:0xda0000
            File size:286'208 bytes
            MD5 hash:F6E330CA595EE7F05DDBECB8CD851350
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
            Reputation:low
            Has exited:true

            Target ID:3
            Start time:08:06:32
            Start date:26/09/2024
            Path:C:\Windows\SysWOW64\WerFault.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 228
            Imagebase:0x720000
            File size:483'680 bytes
            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d2991146fa64268c9c8458be843d461dc5d3058de4874b829c9b065bc60ebd46
              • Instruction ID: 3f1d644e818c4ab4261e514b297f72c8384c120fab42b9634864fdd5227132a7
              • Opcode Fuzzy Hash: d2991146fa64268c9c8458be843d461dc5d3058de4874b829c9b065bc60ebd46
              • Instruction Fuzzy Hash: CDE092B5D042187BE7259E85CC45BDEBABDDB45704F604060B44866181D3B41B098BB6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: SK9
              • API String ID: 0-153980761
              • Opcode ID: 4dc91adeb793fe971fdec66c35c94eeefca28b0f87fabe57945d86fa24d34526
              • Instruction ID: b3adac69260dacff5ee3aacf73fc09da4df42b3934b179fc860b58d440afed69
              • Opcode Fuzzy Hash: 4dc91adeb793fe971fdec66c35c94eeefca28b0f87fabe57945d86fa24d34526
              • Instruction Fuzzy Hash: B831EB7E608751AFDB258F74D8A51D4BBF6AF4B300F6812B8C4868B642D772840BC790
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b75d7a6963aa100aad4b955e8a3f9d333296ce2e0c9f949908b82e850cb213fa
              • Instruction ID: 88cbbb26d1ccb852c53cdea9727d139a2936c0e142b86276acce7ee1fc1b18b7
              • Opcode Fuzzy Hash: b75d7a6963aa100aad4b955e8a3f9d333296ce2e0c9f949908b82e850cb213fa
              • Instruction Fuzzy Hash: 4FF055B2C00208BFEB109F88CC54BDEBABDCF4A300F6000A0F44CA6281C3B80B088B61
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: %d$gfff$gfff$gfff$yxxx
              • API String ID: 0-2635901513
              • Opcode ID: bbf1b6a10d5c1b0a857a34af7daf17e2ff9d074685015b1d8b45cdc31dbb8b35
              • Instruction ID: 42dd17171d7f982f703782a51ceb73cd1328f1d0c64f230c7f13a228daf0ac70
              • Opcode Fuzzy Hash: bbf1b6a10d5c1b0a857a34af7daf17e2ff9d074685015b1d8b45cdc31dbb8b35
              • Instruction Fuzzy Hash: 1671B171B0050A4BCF18CE5EDC912BDB3A6EB96314B1C8239E955CF781E678ED1187A0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: gfff$gfff$gfff$gfff
              • API String ID: 0-2178600047
              • Opcode ID: afe45668db98e003f74750e31edd8cc242084dbfc7ef0f4454fe3ab833b37daf
              • Instruction ID: 6726d7dc84f82de6fc70b8bb3cfa0f2edca8d6935c606ced7282f3835505c858
              • Opcode Fuzzy Hash: afe45668db98e003f74750e31edd8cc242084dbfc7ef0f4454fe3ab833b37daf
              • Instruction Fuzzy Hash: 9731D37AB002090BDB1CCD5EAC906A97796EBD5315F5C823ED90ACF3D5E931ED028691
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: gfff$gfff$gfff$gfff
              • API String ID: 0-2178600047
              • Opcode ID: 37004533658496799af620b8941beae13ecea9d5df3fafd170c91bda59c88929
              • Instruction ID: 27b99f929e12a08e1215a4c4e989c8ad6b9233c966facd9fcd5a859c4b68426d
              • Opcode Fuzzy Hash: 37004533658496799af620b8941beae13ecea9d5df3fafd170c91bda59c88929
              • Instruction Fuzzy Hash: 4531057A7002090BDB1CCD2EEC906A97756EBD1309F2C827DD90ACF3D6EA31ED068651
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: gfff$}
              • API String ID: 0-1057681350
              • Opcode ID: 6b271fd61d1ef900916055ada9da04e46cfe5496e7b5eef2b8a4e5548877a253
              • Instruction ID: d8cdb9f73d7d6de549f05f492b6c5f7d366c333db4f1fab38cb10d88c96c198b
              • Opcode Fuzzy Hash: 6b271fd61d1ef900916055ada9da04e46cfe5496e7b5eef2b8a4e5548877a253
              • Instruction Fuzzy Hash: ED61A075D1020A87CF04CF99C9801EDF7B1FFA9304F24825AE918BB341E7759A82CBA1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: (
              • API String ID: 0-3887548279
              • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
              • Instruction ID: 049ab40c45aa1cde2b5cd7ccc9c7bae7af5c731f36801ff5e51bb2fe72b0f21c
              • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
              • Instruction Fuzzy Hash: D9021E76E006189FDB14CF9AC4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F90
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: VUUU
              • API String ID: 0-2040033107
              • Opcode ID: 18bb3546c0d1c65bd22e490ba2615b6932e661a9b769bedf9d002d9d84562644
              • Instruction ID: 0dd4aa2fc7ca317f15cdd08e621867ae471792aa3c3d6a77128ceb2216355e5b
              • Opcode Fuzzy Hash: 18bb3546c0d1c65bd22e490ba2615b6932e661a9b769bedf9d002d9d84562644
              • Instruction Fuzzy Hash: F171A375F001098BDB1CCE5EC9906BDB7A2EBD4314F68817AD9099F781E635AE11CBA0
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4ec386194fbce991a8e464d02a7bbc203448af7cbaa19d22de8687ca2b5bdde5
              • Instruction ID: 2d1ee9cfc6d00a8ed7425659fd644ac3ed7905d128ec698b8a6053fe2ae8f0fd
              • Opcode Fuzzy Hash: 4ec386194fbce991a8e464d02a7bbc203448af7cbaa19d22de8687ca2b5bdde5
              • Instruction Fuzzy Hash: 03F180B1D0021AEFDB24DF64CC85AEEB7B9EF45300F1881A9E516A7241DB709A45DFB0
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
              • Instruction ID: 3df0e4f5a62b89184892e7022fbcbbf23b01d23e13e8cfc4cf4d5487d0e5e145
              • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
              • Instruction Fuzzy Hash: 82026E73E547164FE720DE4ACDC4765B3A3EFC8311F5B81B8CA142B613CA39BA525A90
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
              • Instruction ID: 98b69a0a08c369a974302004e08c68c94705bacf244388f2f610c111c88c81ad
              • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
              • Instruction Fuzzy Hash: FD5171B3E14A214BD3188F09CC40635B792FFD8312B5F81BADD199B357CA74E9529A90
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4f39a9b9e90d0bfc48c30de62baf28e7b8439c4050176532cba321dfb849f6f0
              • Instruction ID: b2e7acf215b983febd4990f908a573702bfcc638a1fcc429b9be01ec75b9cfc8
              • Opcode Fuzzy Hash: 4f39a9b9e90d0bfc48c30de62baf28e7b8439c4050176532cba321dfb849f6f0
              • Instruction Fuzzy Hash: D65180B3E14A214BD3188F09CC50631B692EFD8312B5F81BEDD1A9B357CA74A9529A90
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
              • Instruction ID: c82cb17a063f384c59607aa31d1719b537b0dce71cee77b118114d0c041612b2
              • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
              • Instruction Fuzzy Hash: BA3162116586F14DD31E836D08BD675AED28E5720174EC2EEDADB5F2F3C4888408D3A5
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ec69f8179420e759472e11a639b1944a9304fc038bd1a362426bb5a2b75a24f2
              • Instruction ID: 1883c577455438752966adbfde5322e7b8728f3ce7188d1fe5a02a7fab025964
              • Opcode Fuzzy Hash: ec69f8179420e759472e11a639b1944a9304fc038bd1a362426bb5a2b75a24f2
              • Instruction Fuzzy Hash: AB31BF72B10A265BD754CE3AD880756F7E6FB88350B588639D918C3B40E774F961CBE0
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4c0a0d3b445de1db1ee50b210c94385e5306e4af9f35d4ed20107ffb605c9cc8
              • Instruction ID: 8b8d06d2d251c58cac89281c7d198ea3cadcb9a165cf7b16e43dbdd4b3f47826
              • Opcode Fuzzy Hash: 4c0a0d3b445de1db1ee50b210c94385e5306e4af9f35d4ed20107ffb605c9cc8
              • Instruction Fuzzy Hash: 8231C172A14A108FD368CE6ED941617F3E1EB88310B458A2DE85AD7B42D678FD01CBD0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
              • API String ID: 0-3248090998
              • Opcode ID: 0faf86d70261a820c2373e7690dbfd5c4efae898323dd6ac047647c7e70411e0
              • Instruction ID: 0e915803d6a1e7a70440e86ed41f18f942b4307744eb81bd97a21a0d2b92f25f
              • Opcode Fuzzy Hash: 0faf86d70261a820c2373e7690dbfd5c4efae898323dd6ac047647c7e70411e0
              • Instruction Fuzzy Hash: 2C9110F09052A98ACB118F55A4603DFBF71BB95304F1581E9C6AA7B243C3BE4E85DF90
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
              • API String ID: 0-3248090998
              • Opcode ID: 88d2f9759e5af378ae688ea4fd5311552ce04c6e866e263db9e13d76fe42414d
              • Instruction ID: c50bd96463d9fd0bc94ef97798ea3bd7d0a485e0f946027fa30a51d962795bc2
              • Opcode Fuzzy Hash: 88d2f9759e5af378ae688ea4fd5311552ce04c6e866e263db9e13d76fe42414d
              • Instruction Fuzzy Hash: 76910FF09052A98ACB118F55A4603DFBF71BB95304F1581E9C6AA7B243C3BE4E85DF90
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
• Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
              • API String ID: 0-1002149817
              • Opcode ID: dd803415b6ca3b6bc661b633522164fa9fb70d12a06b4cc2a0826e4e18b64d3d
              • Instruction ID: 12504c6cc80696dc886e0bef022a996795b764118baab12d031016ba52808735
              • Opcode Fuzzy Hash: dd803415b6ca3b6bc661b633522164fa9fb70d12a06b4cc2a0826e4e18b64d3d
              • Instruction Fuzzy Hash: 68C12CB1C052689AEB60DFA4CC45FEEBBB9EF04304F0041D9E50CA7241E7B55A88CFA1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $2$I$I$\$e$g$i$l$l$m$o$r$r$r$r$t$t$t$x
              • API String ID: 0-3236418099
              • Opcode ID: 0a6278a3f83bce658ef2456777b0d5b1a241efb0619d0aba136139f7af567000
              • Instruction ID: d06c6b3ccc1e5e21ec1a7ff4cf8fff9e72f78487482cc9a191d6391063cec0fa
              • Opcode Fuzzy Hash: 0a6278a3f83bce658ef2456777b0d5b1a241efb0619d0aba136139f7af567000
              • Instruction Fuzzy Hash: 34914CB1D00219AAEB20DB949C85FEEB7BDEF44304F0041ADA50CA7141EBB55B498FB5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: #$#$,$.$/$H$L$P$Wh$Y$Z$[':$^$ay$o!$u<$}$:
              • API String ID: 0-514007654
              • Opcode ID: f0cc597e782390d1ab0898ed7169642682cf15d449b466460698b4693c84655a
              • Instruction ID: 9aebdc71bc7e7bfdc99a0fc246be6cb88c9649e4ec7dcf4f8535591af0ce50c1
              • Opcode Fuzzy Hash: f0cc597e782390d1ab0898ed7169642682cf15d449b466460698b4693c84655a
              • Instruction Fuzzy Hash: D522CFB0D05229CBEB24CF54C994BEDBBB2BB45308F1081D9D14E6B681C7B99E85DF60
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
              • API String ID: 0-392141074
              • Opcode ID: 0bddf420c06cd8557929356a0cbc27295abf0e15c054be6b406f68c8050469b2
              • Instruction ID: 0d29ec22f5658fc1c45432f84aec9474e0c06a5932aba4a7ecf6411bf08830c7
              • Opcode Fuzzy Hash: 0bddf420c06cd8557929356a0cbc27295abf0e15c054be6b406f68c8050469b2
              • Instruction Fuzzy Hash: E571EAB1D11228AAEB65DB94CC81FDEB7BDAF44700F00819DF509AB141EB746B488FB5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: D$\$e$e$i$l$n$r$r$w$x
              • API String ID: 0-685823316
              • Opcode ID: 0911ddc8c4c0e6e51073be8979d298da0b0d6aa33e1e244279b1aa41098e5ea9
              • Instruction ID: aab6a29891ca0489db765eb8e7a424bb08144bf068a7725bdcc693c0133cf7b3
              • Opcode Fuzzy Hash: 0911ddc8c4c0e6e51073be8979d298da0b0d6aa33e1e244279b1aa41098e5ea9
              • Instruction Fuzzy Hash: 042150B1D50218AADF50DFE4DC85FEEBBB9AF04704F04815CF618B6180DBB556488BB4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: D$\$e$e$i$l$n$r$r$w$x
              • API String ID: 0-685823316
              • Opcode ID: 1a17a39e833d13d630cdd0eddcfda54385f37553e2b0e6d70366cc0f865900af
              • Instruction ID: fff70dc1b7affb412ec86c4f66a8bc76404269c41a9eb48c6604f4327594f639
              • Opcode Fuzzy Hash: 1a17a39e833d13d630cdd0eddcfda54385f37553e2b0e6d70366cc0f865900af
              • Instruction Fuzzy Hash: FF214AB1D50218AAEF40DFA0DC85BEEBBB9AB48704F14815CF6187A180DBB556488BB4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: :$:$:$A$I$N$P$m$s$t
              • API String ID: 0-2304485323
              • Opcode ID: 6e569d68ffab9d4d6bb7c474d712d34e75857c9fce344f3219389d4cbea74aab
              • Instruction ID: 9841078e345404fbe6ff774da2ce3476ab380eb75a93b8e0e94e7e38adde9683
              • Opcode Fuzzy Hash: 6e569d68ffab9d4d6bb7c474d712d34e75857c9fce344f3219389d4cbea74aab
              • Instruction Fuzzy Hash: 62D1C5B2900605AFDB14DBA4CC85FEEB7B9EF48304F04452DE549E7241E7B8A905CBB5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: !$($D$H$L$X$Z$l$o$z
              • API String ID: 0-1512067122
              • Opcode ID: c7c82be378e893783baf00622ffef379978a9c81dd68948ceb5bb0e22951f58f
              • Instruction ID: 8917a8cadf8a16e82ecf563c0e191a2e2a82807c2156e8031a0948f639045b82
              • Opcode Fuzzy Hash: c7c82be378e893783baf00622ffef379978a9c81dd68948ceb5bb0e22951f58f
              • Instruction Fuzzy Hash: 9211D010D082CEDDDB12C7BC94087AEBFB15F23214F0886D9D5E52B2C6C2B94649C7B6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: .$P$e$i$m$o$r$x
              • API String ID: 0-620024284
              • Opcode ID: a0019321f862a039f9f3bfc535cf7f3a49e78cd95665f15497f8e979ab54d9e7
              • Instruction ID: d3abce13245f888b3f6eb907097774838e0bb28bbaa76b155c01014b6f55742d
              • Opcode Fuzzy Hash: a0019321f862a039f9f3bfc535cf7f3a49e78cd95665f15497f8e979ab54d9e7
              • Instruction Fuzzy Hash: 634150B5C00218BAEB20EBA4CC41FDEB77CEF54700F00859DB509A7141EAB59B898FB5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: .$P$e$i$m$o$r$x
              • API String ID: 0-620024284
              • Opcode ID: 72ba3f0737f263be3ee78260aa3e3559a9a1b85f35a1bea37cd4dcc6c47f08ea
              • Instruction ID: e8429527e72a2c8bc216e568b42b346f3bb212b8c06a7e5c2fdc43e8dbc6a312
              • Opcode Fuzzy Hash: 72ba3f0737f263be3ee78260aa3e3559a9a1b85f35a1bea37cd4dcc6c47f08ea
              • Instruction Fuzzy Hash: CE4164B1C00218BAEB21EBA4CC41FDEB77CEF55300F04859DB509A7141EAB55B898FB5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: L$S$\$a$c$e$l
              • API String ID: 0-3322591375
              • Opcode ID: fde53890977ce88a8bcffd6b1f2e7185542575a7ff0f3bbe9b3e6f4a04396c6e
              • Instruction ID: 8e4d0b944260d67d63598330d723b9fbb2dc65dece2857d194211737b6520dac
              • Opcode Fuzzy Hash: fde53890977ce88a8bcffd6b1f2e7185542575a7ff0f3bbe9b3e6f4a04396c6e
              • Instruction Fuzzy Hash: B74183B2C10619AADB10EF94DC45FEEB7F8EF88304F05416EE909A7101E77559858BF4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: F$P$T$f$r$x
              • API String ID: 0-2523166886
              • Opcode ID: 132da81a4300371cc0f565a34e35c6e2ced209a199d937ad48e99cdb51b26130
              • Instruction ID: 41fc88ea9c2997768f2e495306fefaa407e22ffc761454c59f2b9c6e980308ae
              • Opcode Fuzzy Hash: 132da81a4300371cc0f565a34e35c6e2ced209a199d937ad48e99cdb51b26130
              • Instruction Fuzzy Hash: 7E51CFB1900305EAEB34DFA4CC4ABEAB7F9EF44744F04895DB50A57180E7B4AA44CBB5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: *&bc$`jgr$a|ov$c*&d$c*&dt$t
              • API String ID: 0-2312138305
              • Opcode ID: 0cb882fde9db202d7edca1309da2e0caded0eb18c697f24fcb2e87896e9f2423
              • Instruction ID: 969cd2e7103db48742665df052abb1246713b30b25741b631fcb79bdbe043b1f
              • Opcode Fuzzy Hash: 0cb882fde9db202d7edca1309da2e0caded0eb18c697f24fcb2e87896e9f2423
              • Instruction Fuzzy Hash: 38F0ECB180020CAFCB00DFA8D9813EEBBB0EF05704F2481ACC9449B241E3B08B45CBE2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: *&bc$`jgr$a|ov$c*&d$c*&dt$t
              • API String ID: 0-2312138305
              • Opcode ID: 354dc8eda321e1bbcb2582e4101e38084fb9fe9351b6196ee288dca4e7473cf2
              • Instruction ID: d83ca47a82bbc4331652f15e30bd92fdccb68dcd27b76a1e6cdcf5b91df1b816
              • Opcode Fuzzy Hash: 354dc8eda321e1bbcb2582e4101e38084fb9fe9351b6196ee288dca4e7473cf2
              • Instruction Fuzzy Hash: 86F065B181020C9BDB40DF98D9857EEBB74EB05700F6045ACD9055B241E3B587548BE6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $i$l$o$u
              • API String ID: 0-2051669658
              • Opcode ID: 4539f8187094130bce73f05ce199c4cef0d0399d550ae7689c2495d2dd841f4b
              • Instruction ID: 5c0c03b567839ad061903cc1d8283eab7de880fe92c34570edc0db7ef4e3b4c6
              • Opcode Fuzzy Hash: 4539f8187094130bce73f05ce199c4cef0d0399d550ae7689c2495d2dd841f4b
              • Instruction Fuzzy Hash: 1E613EB2900344EFDB24DBE4CC85FEFB7F9AB88710F144559E51AA7240E674AE458B60
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: 1$2$6$I$K
              • API String ID: 0-1864557942
              • Opcode ID: 2242aa31b3b6d007eaa6c8f455382dcefeb7502b27b4995011821b8b2ce4b5a6
              • Instruction ID: 4479bc3ab5295b2b400e85c6d92eab2e228b584e0dcf2cb4b2e6a319885bfde5
              • Opcode Fuzzy Hash: 2242aa31b3b6d007eaa6c8f455382dcefeb7502b27b4995011821b8b2ce4b5a6
              • Instruction Fuzzy Hash: 2631FFB1910119BBEB14DBA4CD41FFE77B9EF08304F044159F908A7241EBB5AA458BF5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $e$k$o
              • API String ID: 0-3624523832
              • Opcode ID: 7561bbdc02472f6994cd3730dfd43ba9970e93a2241cb63423f436782d34585e
              • Instruction ID: c081d99f8ce6e5cc9ec118d5b3fa4679114253515f0065bcad06403a46f0c124
              • Opcode Fuzzy Hash: 7561bbdc02472f6994cd3730dfd43ba9970e93a2241cb63423f436782d34585e
              • Instruction Fuzzy Hash: 98B1EDB5A00705AFDB14DBA4CC85FEFB7F9AF88700F148558F61AA7240D675AE41CBA0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $e$h$o
              • API String ID: 0-3662636641
              • Opcode ID: 0100e9e64367488d7ef21defdc22bb48c9d30c5cbc53a1bd4f4873a58bd37c3f
              • Instruction ID: f888f3a873d7cfc71fa84d11c956b25be697fb33d3ff90857fd7ece3cecdf4be
              • Opcode Fuzzy Hash: 0100e9e64367488d7ef21defdc22bb48c9d30c5cbc53a1bd4f4873a58bd37c3f
              • Instruction Fuzzy Hash: DF811EB2C00259AADB65EB94CC85FEEB3BDEF48700F00419DB50DA6045EE746B858FB5
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
              • API String ID: 0-2877786613
              • Opcode ID: d9e79239402f7ad6eb50dc5bbe9d415737a9e2b343fd020468d4726085f13ca0
              • Instruction ID: 54cec7b8d638db1daeb1a3996a15174578a149b8289ce47eb3228cebaa6e8192
              • Opcode Fuzzy Hash: d9e79239402f7ad6eb50dc5bbe9d415737a9e2b343fd020468d4726085f13ca0
              • Instruction Fuzzy Hash: 1E41F9B1911159BAEB01EB91CC42FEF777CEF95700F10404DBA446B181E6B46A4587FA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $e$k$o
              • API String ID: 0-3624523832
              • Opcode ID: d6c61467b2f42a2e25e38d15837829c835a5c92f90f411ba7dc353bac6eca339
              • Instruction ID: 0a7d98329d19be06dcc85cee60ed41579fbec0f3d59a8d04185f4251030066ad
              • Opcode Fuzzy Hash: d6c61467b2f42a2e25e38d15837829c835a5c92f90f411ba7dc353bac6eca339
              • Instruction Fuzzy Hash: B70184B2900218ABDB14DF98D885FDEF7B9FF48314F04821DE9199B201E7719945CBB0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DA0000, based on PE: true
              • Associated: 00000000.00000002.2104380651.0000000000DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_da0000_vJsFBhrSfK.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $e$k$o
              • API String ID: 0-3624523832
              • Opcode ID: a5c7cb6849cbafcc2b51acf653e4f954958cfacd46098984a1ed0f5f26cb480f
              • Instruction ID: acca35f8ca2ac93198f5e3c943a18d31e00a5e4ad423c7d304d6b5984886610a
              • Opcode Fuzzy Hash: a5c7cb6849cbafcc2b51acf653e4f954958cfacd46098984a1ed0f5f26cb480f
              • Instruction Fuzzy Hash: 2E0184B2900218ABDB14DF98D885FDEF7B9FF48314F04821DE9195B201E7719945CBB0